[NCLUG] cipe "virtual identity"

listz at hate.cx listz at hate.cx
Thu May 8 16:51:01 MDT 2003


i guess let me explain a bit more what i want to do. there is an internal server
that is only accessible from known ip addresses (via local iptables rules,
tcp-wrappers, etc.). when i'm on travel i could be using any ip address, but if
i need to connect back to the internal server i need the connection to appear as
if it were coming from some known ip address. i figured a vpn would be able to
accomplish this task. can cipe do this or even frees/wan?

on Thu May 08 16:28, listz at hate.cx disclosed: 
> but what about if the firewall and gateway are separated by the internet. lets
> assume 192.168.0.10 is a real address. does the tunnel have its own addresses
> inside the tunnel? like a real address of 216.17.172.1 on eth0 of the laptop,
> and the firewall has an address of 192.168.0.11 (again, assuming it's routable).
> maybe i'm being confusing, and maybe i just need to play around with it some.
> 
> 
> on Thu May 08 14:04, Kevin Fenzi disclosed: 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > >>>>> "listz" == listz  <listz at hate.cx> writes:
> > 
> > listz> i know i'm jumping the gun on the cipe presentation planned for
> > listz> later, but i'm trying to implement vpn's on my firewalls at
> > listz> work. basically i want laptops to be able to authenticate via
> > listz> pre-installed keys 
> > 
> > CIPE supports this. By default you can use static keys, but there is a
> > pkcipe that lets you use public keys. 
> > 
> > listz> to some vpn software on the firewall and
> > listz> then have all traffic act as if it's coming from an interface on
> > listz> the firewall (e.g. laptop with IP 192.168.0.10 connects to
> > listz> firewall and then any traffic to networks 10.0.0.0/8 or
> > listz> 172.16.0.0/12 will appear to be coming from firewall ip
> > listz> 1.2.3.4). i can make frees/wan do this with some policy
> > listz> routing, but i may need windows clients to connect as well, and
> > listz> i don't think windows is smart enough for that sort of policy
> > listz> routing. will cipe support "virtual identities", and if not
> > listz> does anyone know of a way to accomplish what i'm looking for?
> > 
> > CIPE will do this, you set up a cipe connection between the laptop and
> > the firewall. At the firewall you set up a forward rule to forward anything
> > from the laptop going to internal ip's. The laptop still needs to know
> > that it can use the cipe tunnel for the internal ip's tho. Not sure if
> > that's easy to do on windows or not. 
> > 
> > So, the laptop's cipe interface is 192.168.0.10, the firewall's cipe
> > interface for that connection is 192.168.0.11. The laptop needs to
> > have a route for 172.16.0.0 and 10.0.0.0 to use 192.168.0.11 as its
> > gateway. The hosts internally need to know that 192.168.0.x addresses
> > are handled by the firewall. 
> > 
> > Should work fine. 
> > 
> > On my (linux) laptop I set up CIPE to use my tunnel for all traffic
> > except a host route to the host at the other end of the cipe tunnel
> > and the local network. 
> > 
> > kevin
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.1 (GNU/Linux)
> > Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>
> > 
> > iD8DBQE+urg53imCezTjY0ERAvlnAJ9ZIB4Aa4zf6kGgEMZYJza2xO67sQCdF4dM
> > nLUypbRlL77UGArgJwyVrSM=
> > =vF+H
> > -----END PGP SIGNATURE-----
> > _______________________________________________
> > NCLUG mailing list       NCLUG at nclug.org
> > 
> > To unsubscribe, subscribe, or modify your settings, go to:
> > http://www.nclug.org/mailman/listinfo/nclug
> 
> <EOF>
> ::[ RFC 2795 ]::
>  "Democracy means simply the bludgeoning of the
>  people by the people for the people."
>  -Oscar Wilde

<EOF>
::[ RFC 2795 ]::
 "Democracy means simply the bludgeoning of the
 people by the people for the people."
 -Oscar Wilde
statik at hate.cx / security engineer \ "My God, it's full of stars..."
PGP fingerprint: D656 01EB 79FC 9285 F110  2AB1 D8BC B3BA BEA2 E0C5
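The two halves of the setup Kevin describes (a forward rule on the firewall, routes on the laptop), plus the source rewrite that gives the laptop the "known address" listz is asking for, written out as the Linux commands involved. This is an added example, not configuration from anyone on the thread; the CIPE interface name cipcb0, the trusted address 1.2.3.4, and the laptop's real gateway 203.0.113.1 are assumed values chosen to match the addresses in the discussion. The forward rules are deliberately narrow (tunnel interface, laptop's tunnel address, internal destinations only) so the tunnel endpoint cannot be used to reach anything else through the firewall, and the SNAT rule is what makes the internal server see the trusted address instead of 192.168.0.10.

```shell
#!/bin/sh
# Added example: firewall and laptop side of a CIPE "virtual identity" setup.
# All values below are assumptions, not taken from a real deployment.
set -u

CIPE_IF=cipcb0                 # default CIPE interface name (assumed)
LAPTOP_TUN=192.168.0.10        # laptop's address inside the tunnel
FW_TUN=192.168.0.11            # firewall's address inside the tunnel
KNOWN_IP=1.2.3.4               # address the internal server's iptables/tcp-wrappers trust
FW_PUBLIC=1.2.3.4              # real address the laptop's CIPE peer listens on (same box here)
REAL_GW=203.0.113.1            # laptop's real default gateway while travelling (assumed)
INTERNAL_NETS="10.0.0.0/8 172.16.0.0/12"

# Print the firewall rules. Forwarding is allowed only from the tunnel
# interface and the laptop's tunnel address toward the internal networks, with
# replies matched by connection state. SNAT rewrites the source to the trusted
# address, which is the "virtual identity" the thread wants; it also means the
# internal hosts need no route back to 192.168.0.x.
firewall_rules() {
    for net in $INTERNAL_NETS; do
        echo "iptables -A FORWARD -i $CIPE_IF -s $LAPTOP_TUN -d $net -j ACCEPT"
        echo "iptables -A FORWARD -o $CIPE_IF -d $LAPTOP_TUN -s $net -m state --state ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -s $LAPTOP_TUN -d $net -j SNAT --to-source $KNOWN_IP"
    done
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Print the laptop routes: first a host route to the CIPE peer via the real
# gateway, so the encrypted packets themselves are not sent into the tunnel,
# then the internal networks via the firewall's tunnel address.
laptop_routes() {
    echo "ip route add $FW_PUBLIC/32 via $REAL_GW"
    for net in $INTERNAL_NETS; do
        echo "ip route add $net via $FW_TUN dev $CIPE_IF"
    done
}

# Number of FORWARD rules that open a path from the laptop; a quick check that
# nothing broader than the intended destinations is accepted.
forward_accept_count() {
    firewall_rules | grep -c -- "-A FORWARD -i $CIPE_IF -s $LAPTOP_TUN"
}

# Default is to print both sides for review; apply only when asked, and only
# the side that belongs on the machine you are running on.
case "${1:-}" in
    --apply-firewall) firewall_rules | sh -e ;;
    --apply-laptop)   laptop_routes  | sh -e ;;
    *)                firewall_rules; laptop_routes ;;
esac
```

Run it without arguments to see the full rule set; `--apply-firewall` on the gateway and `--apply-laptop` on the laptop execute the respective half. Windows clients would still need the equivalent of the laptop routes, which is the part Kevin flags as uncertain.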



