Your whole office (or family) can surf the World Wide Web, chat, do file transfers, play games and telecommute at the same time.
VPN Masquerade is the part of IP Masquerade which enables you to use IPsec-based and PPTP-based Virtual Private Network clients from behind a shared-access firewall.
This is primarily used for masquerading IPsec and PPTP VPN clients:
No other software is needed to masquerade VPN clients.IPsec Client -. | Linux IPsec PPTP -+-> Masq and --> Internet --> or PPTP Client | Firewall Server | Others -+ |
It can also be used to provide access to a
Private Network
IPsec or PPTP server behind a Linux firewall...
To do this you will also need the ipportfw port-forwarding kernel patch and configuration tool for 2.0.xx kernels or the ipmasqadm utility for 2.2.xx kernels to forward the initial 500/udp ISAKMP key-exchange and/or 1723/tcp PPTP control channel traffic in to the server, and the IPFwd generic IP forwarding utility to forward the initial IPsec ESP and/or PPTP GRE traffic in to the server. Details are available in the VPN Masquerade HOWTO - please read it.IPsec Linux Private-IP or PPTP --> Internet --> Masq and --> PPTP or IPsec Client Firewall Server
If your VPN is based on tunnelling PPP over Secure Shell (as described in the VPN mini-HOWTO) it is handled by the standard IP Masquerade code, as ssh is a purely TCP protocol. You'll still need ipportfw or ipmasqadm if the VPN server is masqueraded (behind the firewall, with a private-network IP address) rather than on the firewall itself.
If you are using a Checkpoint SecuRemote VPN with FWZ-encapsulated tunnels, you will not be able to masquerade the traffic. Configure your VPN to use pure IPsec protocols and permit NAT, and avoid the CheckPoint proprietary FWZ protocols. See the VPN Masquerade HOWTO for more details.
Once VPN Masquerade is configured you will no longer need to dial your ISP directly from your VPN client (or plug your VPN client into your cable modem) when you wish to access your VPN server. This means that all of the benefits of Linux shared Internet access remain available even while you are using your VPN to access a remote network.
In fact, with proper configuration of your local network you can simultaneously access the Internet and your private (corporate?) network (over the VPN) from all of the computers on your local network. I do this every day while working from my home.
Note for W'95/'98 VPN client users: sorry, but the W'95/'98 IP stack does not easily support IP forwarding. You cannot use a W'95/'98 VPN client to act as a VPN router for your local network - every W'95/'98 system will have to establish its own private connection to the VPN server unless you use a system running WinNT or another OS capable of IP forwarding as a VPN router.
If you are using 2.0.37 or 2.0.38, there is a bugfix to prevent GPFs
under certain circumstances when IPsec masquerade is enabled:
[
FTP Mirror 1 (USA: UT)
|
FTP Mirror 2 (EU: NL)
|
HTTP Mirror 1 (USA: WA)
]
If you're attempting to patch a kernel from a RedHat or Mandrake kernel source RPM prior to 2.2.16-8, you will also need to apply the following patch after applying the full VPN masq patch. This will fix an important failed hunk. To apply this patch:
cd /usr/src/linux/net/ipv42.2.12 and 2.2.13: [ HTTP Mirror 1 (USA: CA) | HTTP Mirror 2 (USA: WA) | HTTP Mirror 3 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]
zcat patchfile.gz | patch -l -p0
The following patch is needed for the RedHat or Mandrake 2.2.16 kernel,
or a kernel which has had the VS-Masq (Virtual Server) patch applied.
This includes the kernel shipped with RedHat 7.0 - if you have
RedHat 7.0 and you are using the kernel that came with it, you
do need this patch.
The RedHat 2.2.17-14 update kernel includes this patch, I recommend you get
that kernel RPM from the FTP site rather than patching and rebuilding.
If verbose PPTP debugging shows a masquerade address (maddr) of 0.0.0.0 is being used,
or tcpdump on your Internet interface shows something like:
08:32:26 0.0.0.0 > 1.2.3.4: ip-proto-50 108 (ttl 63, id 1)...then you need to apply this patch. To apply this patch:
cd /usr/src/linux/net/ipv42.2.16: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (AU) | FTP Mirror 1 (USA: UT) | FTP Mirror 2 (EU: NL) ]
zcat patchfile.gz | patch -l -p0
Don't forget to run "make modules_install" after patching and recompiling.
The VPN Masq patch was omitted from the first RedHat 2.2.19 kernel RPM due to time constraints. It will be in the next one.
You may wish to download a plain kernel source tarball from a kernel.org mirror site instead.
2.4.12: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (EU: NO) | HTTP Mirror 3 (AU) ]
2.4.15: [ HTTP Mirror 1 (USA: WA) | HTTP Mirror 2 (EU: NO) | HTTP Mirror 3 (AU) ]
Simply apply the patch, then enable PPTP masquerade in the IPFilter section when configuring your kernel.
Masquerading a single VPN client using IPtables is fairly simple to set up, and requires no special patches. The following is thanks to Joshua Eichorn <jeichorn@JoshuaEichorn.com>. I haven't tried it myself.
#!/bin/bash # Load the NAT module (this pulls in all the others). /sbin/modprobe iptable_nat # In the NAT table (-t nat), Append a rule (-A) after routing # (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to # MASQUERADE the connection (-j MASQUERADE). /usr/local/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE # Turn on IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward
Server masquerade for PPTP also works with the default masquerade code. Add the following rules:
PPTP (1723/tcp and 47/ip):
...where 192.168.0.5 is the local-network IP address of the PPTP server. I have not had any reports regarding IPsec server masquerade./sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1723 -j DNAT --to 192.168.0.5 /sbin/iptables -t nat -A PREROUTING -i eth1 -p 47 -j DNAT --to 192.168.0.5
To download files using Lynx: highlight the link, press
"d" (download), and select "Save to Disk".
To download using Netscape Navigator: right-click the link and choose "Save
Link As..." - if you simply click the link, Navigator tends to corrupt the
patch file.
For early 2.2.x kernels you can also visit Gordon Chaffee's site for the 2.2.x PPTP-only Masq patch.
Second, make sure that you have IP
Masquerading compiled into your kernel and working properly.
Setting
up masquerading itself is beyond the scope of this document, and there
is a HOWTO
already available that describes the process in great detail.
If you don't have regular masquerade working properly
then please don't contact me for help - read the HOWTO first.
(Have I successfully made my point? ;)
Also, I have written a
GUI wrapper
for the 2.0.x ipfwadm command that makes managing firewall and
masquerade setup easier.
Third, make sure that your VPN connection works when you dial your ISP directly from your VPN client system.
To install and configure VPN Masquerade, follow the directions given in
the
VPN Masquerade HOWTO, available at:
HTML: [
HTTP Mirror 1 (USA: WA)
|
HTTP Mirror 2 (EU: NO)
|
HTTP Mirror 3 (AU)
|
FTP Mirror 1 (USA: UT)
|
FTP Mirror 2 (EU: NL)
]
PostScript (printable): [
HTTP Mirror 1 (USA: WA)
|
HTTP Mirror 2 (EU: NO)
|
HTTP Mirror 3 (AU)
|
FTP Mirror 1 (USA: UT)
|
FTP Mirror 2 (EU: NL)
]
PDF: [
HTTP Mirror 1 (USA: WA)
|
HTTP Mirror 2 (EU: NO)
|
HTTP Mirror 3 (AU)
|
FTP Mirror 1 (USA: UT)
|
FTP Mirror 2 (EU: NL)
]
SGML source: [
HTTP Mirror 1 (USA: WA)
|
HTTP Mirror 2 (EU: NO)
|
HTTP Mirror 3 (AU)
]
You do not need ipmasqadm or ipfwd if you're calling a remote VPN server via the masq gateway. You only need them if a local VPN server is behind the masq gateway.
Depending on the PPTP server in use you may be forced to use a VPN router configuration if more than one masqueraded system wants to connect to a given PPTP server. The PPTP protocol specifies only one control connection from a given client system, and the masquerade gateway is the client as far as the server is concerned. PPTP server implementations that correctly follow the specification will not permit more than one PPTP session to be established from the masquerade gateway. Try it first, though, as some incorrect PPTP implementations (such as that in Windows NT) do permit multiple connections between the same systems.
The IPsec AH protocol (51/ip) incorporates a cryptographic checksum including the IP addresses in the IP header. Since masquerading changes those IP addresses and since the cryptographic checksum cannot be recalculated by the masquerading firewall, the masqueraded packets will fail the checksum test and will be discarded by the remote IPsec gateway. Therefore, IPsec VPNs that use the AH protocol cannot be successfully masqueraded. Sorry. (ESP with authentication can be masqueraded.)
Here's
a
patch for netstat that adds recognition of the ESP and GRE protocols.
Add this and
If you want to implement an IPsec-based VPN on Linux, please
visit the Linux FreeS/WAN
site. This is particularly recommended if you're considering setting up a PPTP-based
VPN between two networks that are both behind Linux firewalls. IPsec is
more secure and much better suited to this than PPTP.
Please visit the Microsoft security announcements site for an important
PPTP
security update for Microsoft PPTP clients and servers.
You may also be interested in an
analysis of Microsoft's implementation of the PPTP protocol by one of
the most respected members of the Crypto community. A
second analysis
and
third analysis
by others are also available.
There is also freely-available native Linux
PPTP client
and
PPTP server software.
Note that this software may not provide encryption: for patches that add
M$-compatible encryption and compression to pppd visit
this site, or visit
this ftp site
where Paul Cadach
<paul@odt.east.telecom.kz>
offers pppd patches to
support
MS-CHAP-V1/V2 and MPPE and
implement
multilink PPP with NT. (These links are fairly old. Visit
the PoPToP site for the current
status of native-Linux PPTP.)
Profuse thanks to Gordon
Chaffee for coding and sharing a
patch
to traceroute that allows tracing GRE traffic. It should prove
invaluable in troubleshooting if your GRE traffic is being blocked
somewhere. Get the patch from:
A patch for the newer traceroute_1.4a12 is available from
http://www.planet.net.au/~neale/debian/traceroute-GRE/
I've been using a masqueraded VPN through various incarnations of this
patch with great success since September 7, 1997.
I only have an x86 box to test this on. It has been reported to work on Sparc and PowerPC systems.
Comments from users on other architectures are solicited.
The 2.1.65+ kernels natively support a tunnelling protocol based on GRE,
but do not support PPTP natively in any way. You must still patch your
kernel if you wish to masquerade PPTP. See the HOWTO for
more details on 2.1.x and 2.2.x kernels.
The 2.0.x patch conflicts with the
IP Firewall Chains
and ipportfw patches in trying to patch the kernel config files. This is
non-critical.
See the HOWTO for more details.
Yes, I know that IPsec is peer-to-peer. Writing this so that it's usable by
people using IPsec endpoints on Windows forces the inaccurate terminology.
I'm looking for mirror sites. If you have a web or FTP server, preferably with
SSH access, and you don't mind hosting a few files, drop me a note! If you want
to mirror me, or are already mirroring me, drop me a note!
Disclaimer: No guarantees of functionality. Keep a working compiled kernel
around in case this blows up.
The Linux Webring:
[ Home |
Index |
Next |
Prev |
Random |
Stats ]
Best viewed with
Any Browser
[
HTTP Mirror 1
|
HTTP Mirror 2
|
FTP Mirror 1
]
You can contact me at
<jhardin@impsec.org>.
I'd like to hear your comments and suggestions, and particularly your
problems with this patch. You can also visit the
current
version of this document, and take a look at
my home page...
Donations accepted via PayPal.
© 1999-2001 by John Hardin. You may copy this page as long as the content is
unchanged (you can change the formatting to fit your site if you want) and the
link to the original page is left intact.
$Id: ip_masq_vpn.html,v 1.71 2001-11-23 20:52:28-08 jhardin Exp jhardin $