iptables - vpn - bridge mode - complex

[ludicrouspeed]

Hi All,

You will have to forgive my complete noobishness on this but here it is.

I am responsible for setting up a vpn to connect our Sydney office to our NZ office, we have just purchased 2 new linksys routers both RV082's.

the current topology consists of a cisco 2514 at the sydney office and a linux firewall at the NZ end running iptables on debian.

The plan is to place one of the linksys routers at either end behind each router respectively. so it would go Sydney_RV082-cisco_2514---Debian_firewall_iptables-NZ_RV082.

we are getting connectivity either way fine, i can ping from the Sydney_RV082 to the NZ_RV082 find both ways, but upon attempting to connect the VPN, it just wont establish a connection.

i have come to supect that the cause of this is that the iptables firewall is port forwarding the ip from the NZ linksys router.

my proposed solution is that we activate a bridging mode on the iptables firewall so that it just passes through the connection from the outside to the linksys.

heres where things get interesting.

the iptables firewall is shared AND is not managed by me.

so im confident in getting the iptables firewall to use bridge mode but the thing is i need it to bridge ONLY traffic headed for a specific ip address (the rv082)

now if i can get it to do this i THINK this will solve my problem and get the vpn to connect so here is my full wish-list.

1. Can i do this with iptables?
2. If i can, will this solve my problem?
3. What do i set the default gateway to on the NZ RV082... whereas it is currently set to the ip bound to internal side of the iptables firewall
4. Is there a better way to go about this?

Thanks for any help on this, i need this solved in the next couple of days so ANY helpful feedback would be really appreciated.

Let me know if any additional information/details would be helpful.

Cheers,

Ludi

[cyberinstru]

Hey, I need some more clarifications on this issue.

current topology consists of a cisco 2514 at the sydney office and a linux firewall at the NZ end running iptables on debian.

Which mode are you using? Are you setting up the VPN in aggressive mode?

we are getting connectivity either way fine, i can ping from the Sydney_RV082 to the NZ_RV082 find both ways

So you have the connectivity. First try to establish VPN tunnel between the edge devices. Right now IPSec passthrough is not required. (i suppose, you r using IPSec VPN. If not plz correct me)

Ensure that you configuration is correct at both the ends. Please find the checklist below:
1. Remote subnet of Cisco should match Local subnet of Debian VPN
2. Remote subnet (right) of Debian should match Local subnet of Cisco VPN
3. If it is in PSK mode (Pre-Shared Key), keys should match
4. Have you created firewall policies for this tunnel at the Cisco end?
5. Does you Debian firewall (INPUT and FORWARD) allow VPN traffic (UDP dport 500, dport 4500, proto esp) on its WAN interface?

While connecting from debian end or Cisco end, use packet sniffers on Debian and track for VPN traffic and if possible, post VPN logs here.

And sorry to ask this... one more important clarif is ... does Cisoc 2514 have VPN support?

[sodge]

the iptables firewall is shared AND is not managed by me.

But it is by me

Does you Debian firewall (INPUT and FORWARD) allow VPN traffic (UDP dport 500, dport 4500, proto esp) on its WAN interface?

Currently all traffic is allowed on INPUT but only TCP ports 20, 21, 22, 80, 1723, 3389 on FORWARD.

Now port 1723 is PPTP, which I thought was all that was required. But please enlighten me if others are required.

[ludicrouspeed]

Hey, I need some more clarifications on this issue.



Which mode are you using? Are you setting up the VPN in aggressive mode?

Hi Cyberinstru, thanks for the reply,

I am using IP only mode at both ends.

The IPSec settings are as follows;

* KeyRing mode - IKE with Preshared key

* Phase 1 DH group - Group 1
* Phase 1 Encryption -2DES
* Phase 1 Authentication - MD5
* Phase 1 SA Life Time - 28800

* Perfect Forward security - YES

* Phase 2 DH group - Group 1
* Phase 2 Encryption -2DES
* Phase 2 Authentication - MD5
* Phase 2 SA Life Time - 3600

And sorry to ask this... one more important clarif is ... does Cisoc 2514 have VPN support?

To answer this question aswell, yes it does support VPN (we currently have it setup to allow standard windows vpn)

[cyberinstru]

Currently all traffic is allowed on INPUT but only TCP ports 20, 21, 22, 80, 1723, 3389 on FORWARD.

Now port 1723 is PPTP, which I thought was all that was required. But please enlighten me if others are required.

For IPSec VPN, you need to allow UDP port 500, 4500 (if NAT is enabled), and proto ESP (proto value 50), proto AH (proto value 51 - if AH is enabled)

[cyberinstru]

I am using IP only mode at both ends.

Basically in IPSec, there are two modes: Main mode and Aggressive mode

* KeyRing mode

I suppose, this mode is specific to Cisco.

Make sure that your firewall is configured to allow IPSec VPN traffic.

Iniitially, it is better to have no rules, configure your VPN, make it work and then implement firewall rules.

In Debian, which IPSec package are u using: Openswan or racoon or ipsec tools or kame?

Please give us some more details on this to have a clear picture.

[ludicrouspeed]

Basically in IPSec, there are two modes: Main mode and Aggressive mode

Hi cyberinstru

I had a look and aggressive/main mode are in the advanced options section which i hadnt messed around with. Aggressive mode is currently de-selected (default) ie. set to main mode

[cyberinstru]

set to main mode

Yes, it is always secure to use main mode.

You are yet to give more details on your IPSec package that u r using on Debian.

Also configure firewall so as to allow IPSec traffic.

When u intiate IPSec negotiations, start sniffing for IPSec packets on Debian's WAN interface and see if you are getting response from the other end.

[ludicrouspeed]

You are yet to give more details on your IPSec package that u r using on Debian.

Ill have to wait for "sodge" to respond as he is the one managing the router and i have no access.

[cyberinstru]

Ok. Following are the basic things that you need to ensure:

1. Allow UDP port 500, 4500
2. Allow Proto ESP, AH
3. Choose the same mode (main/aggressive) at both the ends
4. Choose same phase 1 and phase 2 algorithms at both the ends (One at lower and the other at higher has no issues. but then server at the lower end shud intiate first).
5. Choose same authentication method - PSK or RSASIG (certifcates)
6. Security policy shud match - i.e, local gateway, local subnet, remote gateway, remote subnet
7. DH mode shud be same
8. If you r using PSK, see that the shared secrets at both the ends are same

Apart from this, keep your IPSec logs on and keep tracking that. Logs help u a lot to debug for any problems.

Hope this helps!