VPN

VPN

stupidmail4me
I've checked and I've checked and I've checked. Please
help!

I have an OpenBSD 4.0 firewall on a public network,
let's say 1.2.3.4. It serves as a firewall/NAT box for
an internal network, 192.168.1.0/24.

There's a server located behind that box, say,
192.168.1.100. I need to create a VPN to that server.
(No, simply using a ssh tunnel won't work for various
reasons!)

Is it possible to create a VPN from an outside Windows
XP Pro machine to our private network using IPSEC?
I've read the man pages and they all say how to create
a VPN between two OpenBSD boxes. Fine, but that's not
what I need. There was a page on openbsd.cz that's not
there anymore.

Please, please help!


 


Re: VPN

test-17
I am in the same scenario to be honest, just haven't really started digging
that deep.

If someone can provide this information we'd be GREATLY appreciative!

________________________________

From: [hidden email] on behalf of stupidmail4me
Sent: Tue 1/23/2007 3:06 PM
To: [hidden email]
Subject: VPN



I've checked and I've checked and I've checked. Please
help!

I have an OpenBSD 4.0 firewall on a public network,
let's say 1.2.3.4. It serves as a firewall/NAT box for
an internal network, 192.168.1.0/24.

There's a server located behind that box, say,
192.168.1.100. I need to create a VPN to that server.
(No, simply using a ssh tunnel won't work for various
reasons!)

Is it possible to create a VPN from an outside Windows
XP Pro machine to our private network using IPSEC?
I've read the man pages and they all say how to create
a VPN between two OpenBSD boxes. Fine, but that's not
what I need. There was a page on openbsd.cz that's not
there anymore.

Please, please help!





Re: VPN

Matthew Powell - Lists
In reply to this post by stupidmail4me
stupidmail4me wrote:

> I've checked and I've checked and I've checked. Please
> help!
>
> I have an OpenBSD 4.0 firewall on a public network,
> let's say 1.2.3.4. It serves as a firewall/NAT box for
> an internal network, 192.168.1.0/24.
>
> There's a server located behind that box, say,
> 192.168.1.100. I need to create a VPN to that server.
> (No, simply using a ssh tunnel won't work for various
> reasons!)
>
> Is it possible to create a VPN from an outside Windows
> XP Pro machine to our private network using IPSEC?
> I've read the man pages and they all say how to create
> a VPN between two OpenBSD boxes. Fine, but that's not
> what I need. There was a page on openbsd.cz that's not
> there anymore.

http://openvpn.net/
http://www.openbsd.org/faq/pf/rdr.html

I love OpenVPN.

Matt


Re: VPN

Nick Guenther
In reply to this post by stupidmail4me
On 1/23/07, stupidmail4me <[hidden email]> wrote:

> I've checked and I've checked and I've checked. Please
> help!
>
> I have an OpenBSD 4.0 firewall on a public network,
> let's say 1.2.3.4. It serves as a firewall/NAT box for
> an internal network, 192.168.1.0/24.
>
> There's a server located behind that box, say,
> 192.168.1.100. I need to create a VPN to that server.
> (No, simply using a ssh tunnel won't work for various
> reasons!)
>
> Is it possible to create a VPN from an outside Windows
> XP Pro machine to our private network using IPSEC?
> I've read the man pages and they all say how to create
> a VPN between two OpenBSD boxes. Fine, but that's not
> what I need. There was a page on openbsd.cz that's not
> there anymore.
>
> Please, please help!

You mean, how to set up IPSec on windows? 1 second on google found me:
http://www.microsoft.com/technet/network/ipsec/default.mspx
Have fun

-Nick


Re: VPN

Jean-Daniel Beaubien-2
In reply to this post by stupidmail4me
I tried setting up a VPN between WinXP and a little Linksys VPN router
and the WinXP VPN capabilities were really horrible (the config tools
too).  So I found this program called SSH Sentinel which worked right
away for me.  But I repeat, I was connecting to a Linksys VPN Router,
not OpenBSD so YMMV.

Simply enter 'SSHSentinel1.3.2.2.exe' in google and you should find
quite a few links to download it.  That version was free, but the
company stopped releasing it to make more money or something so it's
not the latest, but it worked very well for me.

Jd

On 1/23/07, stupidmail4me <[hidden email]> wrote:

> I've checked and I've checked and I've checked. Please
> help!
>
> I have an OpenBSD 4.0 firewall on a public network,
> let's say 1.2.3.4. It serves as a firewall/NAT box for
> an internal network, 192.168.1.0/24.
>
> There's a server located behind that box, say,
> 192.168.1.100. I need to create a VPN to that server.
> (No, simply using a ssh tunnel won't work for various
> reasons!)
>
> Is it possible to create a VPN from an outside Windows
> XP Pro machine to our private network using IPSEC?
> I've read the man pages and they all say how to create
> a VPN between two OpenBSD boxes. Fine, but that's not
> what I need. There was a page on openbsd.cz that's not
> there anymore.
>
> Please, please help!


Re: VPN

Jacob Yocom-Piatt
In reply to this post by test-17
test wrote:
> I am in the same scenario to be honest, just haven't really started digging
> that deep.
>
> If someone can provide this information we'd be GREATLY appreciative!
>  

this has been beaten to death, please search the archives.

> I've checked and I've checked and I've checked. Please
> help!
>
> I have an OpenBSD 4.0 firewall on a public network,
> let's say 1.2.3.4. It serves as a firewall/NAT box for
> an internal network, 192.168.1.0/24.
>
> There's a server located behind that box, say,
> 192.168.1.100. I need to create a VPN to that server.
> (No, simply using a ssh tunnel won't work for various
> reasons!)
>
> Is it possible to create a VPN from an outside Windows
> XP Pro machine to our private network using IPSEC?
> I've read the man pages and they all say how to create
> a VPN between two OpenBSD boxes. Fine, but that's not
> what I need. There was a page on openbsd.cz that's not
> there anymore.
>
> Please, please help!


Re: VPN

Chris Lawder
In reply to this post by stupidmail4me
Hi,

I used the following documentation to figure this type of vpn out the first
time. It was my starting point.

http://www.cs.umd.edu/~mvanopst/xp2obsd.pdf

It talks about using Certificate Authentication but much of the doc can be
skipped if you want to use shared key auth instead.

The windows vpn client took me a bit to wrap my head around (more so than the
obsd side of it) but I found this doc explained it pretty well. Thegreenbow
also worked well for us as a client side winxp vpn app.

What the doc didn't explain to me was how to config the firewall for the
ipsec/isakmpd vpn. To figure out that part I did lots of:

        tcpdump -e -vvv -i pflog0

And I can't forget the multiple readings of "man ipsec" and all the further
man pages in ipsec's "SEE ALSO" section.

Hope that all helps you some... It's what got me up and working. Wasn't the
easiest thing I've ever done on a 'puter but sure felt good when I saw that
first valid connection =)

Cheers,

Chris

On Tuesday 23 January 2007 12:06, stupidmail4me wrote:

> I've checked and I've checked and I've checked. Please
> help!
>
> I have an OpenBSD 4.0 firewall on a public network,
> let's say 1.2.3.4. It serves as a firewall/NAT box for
> an internal network, 192.168.1.0/24.
>
> There's a server located behind that box, say,
> 192.168.1.100. I need to create a VPN to that server.
> (No, simply using a ssh tunnel won't work for various
> reasons!)
>
> Is it possible to create a VPN from an outside Windows
> XP Pro machine to our private network using IPSEC?
> I've read the man pages and they all say how to create
> a VPN between two OpenBSD boxes. Fine, but that's not
> what I need. There was a page on openbsd.cz that's not
> there anymore.
>
> Please, please help!

--
..:::.::.:....::::....:.:...

Number 41 Media Corporation
First Floor - 612 View Street
Victoria BC V8W 1J5

T 250.414.0410
F 250.414.0411

number41media.com
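
As an added example (not part of the post above or of the document it links): a small Python triage of `tcpdump -n -e -i pflog0` output that counts which pf rule is blocking the packets an isakmpd tunnel needs (IKE on UDP 500, NAT-T on UDP 4500, ESP). The log line layout, the `fxp0` interface, the client address 203.0.113.7 and every sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Added example: line layout assumed from OpenBSD tcpdump on pflog0 with -n -e.
IKE_PORT = 500     # ISAKMP/IKE over UDP
NATT_PORT = 4500   # IKE and ESP-in-UDP when NAT traversal is negotiated

PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): (?P<rest>.*)$"
)
ESP_RE = re.compile(r"esp \S+ > \S+ spi ")
# With -n, IPv4 endpoints print as a.b.c.d.port
L4_RE = re.compile(
    r"(?:\d+\.){4}(?P<sport>\d+) > (?:\d+\.){4}(?P<dport>\d+):(?P<tail>.*)$"
)
UDP_RE = re.compile(r"\b(?:isakmp|udp)\b")

# Constructed sample capture; 1.2.3.4 is the firewall address used in the thread.
SAMPLE = """\
Jan 23 15:06:01.100000 rule 0/(match) block in on fxp0: 203.0.113.7.500 > 1.2.3.4.500: isakmp v1.0 exchange ID_PROT
Jan 23 15:06:04.100000 rule 0/(match) block in on fxp0: 203.0.113.7.500 > 1.2.3.4.500: isakmp v1.0 exchange ID_PROT
Jan 23 15:06:09.200000 rule 4/(match) pass in on fxp0: 203.0.113.7.1050 > 1.2.3.4.22: S 1:1(0) win 16384
Jan 23 15:07:30.300000 rule 0/(match) block in on fxp0: esp 203.0.113.7 > 1.2.3.4 spi 0x1a2b3c4d seq 1 len 100
Jan 23 15:08:00.400000 rule 7/(match) pass in on fxp0: 203.0.113.7.4500 > 1.2.3.4.4500: udp 120
Jan 23 15:08:02.500000 rule 0/(match) block in on fxp0: 203.0.113.7.3000 > 1.2.3.4.500: S 1:1(0) win 16384
""".splitlines()


def classify(line):
    """Return (action, rule, ifname, kind) for IPsec-related lines, else None."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    if ESP_RE.match(rest):
        kind = "esp"
    else:
        l4 = L4_RE.match(rest)
        if not l4 or not UDP_RE.search(l4.group("tail")):
            return None          # not UDP (e.g. a TCP SYN to port 500)
        ports = {int(l4.group("sport")), int(l4.group("dport"))}
        if IKE_PORT in ports:
            kind = "ike"
        elif NATT_PORT in ports:
            kind = "nat-t"
        else:
            return None
    return m.group("action"), int(m.group("rule")), m.group("ifname"), kind


def blocked_ipsec(lines):
    """Count blocked IPsec packets per (rule number, interface, kind)."""
    hits = Counter()
    for line in lines:
        c = classify(line)
        if c and c[0] == "block":
            hits[c[1:]] += 1
    return hits


if __name__ == "__main__":
    for (rule, ifname, kind), n in sorted(blocked_ipsec(SAMPLE).items()):
        print(f"rule {rule} on {ifname} blocked {n} {kind} packet(s)")
```

The rule number in each result corresponds to the `@N` prefix printed by `pfctl -vvsr`, and only rules carrying the `log` keyword show up on pflog0 at all.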


Re: VPN

test-17
In reply to this post by Nick Guenther
Think the other way around.  I'd like to be able to configure my OpenBSD
firewall to also act as a "VPN Gateway", so I can connect to that from XP Pro
remotely using the external IP, so I can access resources inside my network.
I used to use a Server 2003 box sitting inside the network, but have since
turned that box into a FC5 workstation.

I'd looked all over for a way to do that but can't seem to make it work.

________________________________

From: [hidden email] on behalf of Nick Guenther
Sent: Tue 1/23/2007 4:51 PM
To: OpenBSD-Misc
Subject: Re: VPN



On 1/23/07, stupidmail4me <[hidden email]> wrote:

> I've checked and I've checked and I've checked. Please
> help!
>
> I have an OpenBSD 4.0 firewall on a public network,
> let's say 1.2.3.4. It serves as a firewall/NAT box for
> an internal network, 192.168.1.0/24.
>
> There's a server located behind that box, say,
> 192.168.1.100. I need to create a VPN to that server.
> (No, simply using a ssh tunnel won't work for various
> reasons!)
>
> Is it possible to create a VPN from an outside Windows
> XP Pro machine to our private network using IPSEC?
> I've read the man pages and they all say how to create
> a VPN between two OpenBSD boxes. Fine, but that's not
> what I need. There was a page on openbsd.cz that's not
> there anymore.
>
> Please, please help!

You mean, how to set up IPSec on windows? 1 second on google found me:
http://www.microsoft.com/technet/network/ipsec/default.mspx
Have fun

-Nick


Re: VPN

fuzzyping
In reply to this post by Jean-Daniel Beaubien-2
On Jan 23, 2007, at 4:52 PM, Jean-Daniel Beaubien wrote:

> I tried setting up a VPN between WinXP and a little Linksys VPN router
> and the WinXP VPN capabilities were really horrible (the config tools
> too).  So I found this program called SSH Sentinel which worked right
> away for me.  But I repeat, I was connecting to a Linksys VPN Router,
> not OpenBSD so YMMV.
>
> Simply enter 'SSHSentinel1.3.2.2.exe' in google and you should find
> quite a few links to download it.  That version was free, but the
> company stopped releasing it to make more money or something so it's
> not the latest, but it worked very well for me.

To be historically accurate, SSH Sentinel was purchased by SafeNet.  
SafeNet already had their own line of VPN client software  
(SoftRemote), so Sentinel was discontinued.

http://www.ssh.com/company/news/article/484/

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: VPN

Vijay Sankar
In reply to this post by test-17
On 4:12 pm 01/23/07 "test" <[hidden email]> wrote:
> Think the other way around.  I'd like to be able to configure my
> OpenBSD firewall to also act as a "VPN Gateway", so I can connect to
> that from XP Pro remotely using the external IP, so I can access
> resources inside my network. I used to use a Server 2003 box sitting
> inside the network, but have since turned that box into a FC5
> workstation.
>
> I'd looked all over for a way to do that but can't seem to make it
> work.

I found Poptop on OpenBSD to be a good solution. It is most probably not as
secure/configurable as IPSec but if you just like to use default Windows XP
tools and access resources inside the corporate network from the Internet
etc. it may be worth looking into. At a client site, I set up IPSec,
OpenVPN, and Poptop and the admins there prefer poptop due to the lower
overhead in configuring XP. It is in the packages as well so very easy to
set up and test.

Vijay

>
> ________________________________
>
> From: [hidden email] on behalf of Nick Guenther
> Sent: Tue 1/23/2007 4:51 PM
> To: OpenBSD-Misc
> Subject: Re: VPN
>
>
>
> On 1/23/07, stupidmail4me <[hidden email]> wrote:
> >  I've checked and I've checked and I've checked. Please
> >  help!
> >
> >  I have an OpenBSD 4.0 firewall on a public network,
> >  let's say 1.2.3.4. It serves as a firewall/NAT box for
> >  an internal network, 192.168.1.0/24.
> >
> >  There's a server located behind that box, say,
> >  192.168.1.100. I need to create a VPN to that server.
> >  (No, simply using a ssh tunnel won't work for various
> >  reasons!)
> >
> >  Is it possible to create a VPN from an outside Windows
> >  XP Pro machine to our private network using IPSEC?
> >  I've read the man pages and they all say how to create
> >  a VPN between two OpenBSD boxes. Fine, but that's not
> >  what I need. There was a page on openbsd.cz that's not
> >  there anymore.
> >
> >  Please, please help!
>
> You mean, how to set up IPSec on windows? 1 second on google found me:
> http://www.microsoft.com/technet/network/ipsec/default.mspx
> Have fun
>
> -Nick



Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone +1 (204) 885-9535, E-Mail: [hidden email]


PlayStation 3

Abraham Rolick
In reply to this post by stupidmail4me
I do apologize in advance if this is not appropriate discussion for this
list, but I've been having problems with my PS3 sitting behind my
OpenBSD 4.0 machine with pf using nat.

Until I do some more "reverse engineering" (in a sense) on how this
retarded PS3 actually works on a network, I won't bother asking any
technical questions about why something may or may not be working.

Rather, my question is, have any of you successfully configured pf to
allow your PS3 to join hosted games more than 0.1 percent of the time?
If you feel this is unfit for discussion on misc@, feel free to just
email me directly.  Thanks!

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf
Of stupidmail4me
Sent: Tuesday, January 23, 2007 12:06 PM
To: [hidden email]
Subject: VPN

I've checked and I've checked and I've checked. Please
help!

I have an OpenBSD 4.0 firewall on a public network,
let's say 1.2.3.4. It serves as a firewall/NAT box for
an internal network, 192.168.1.0/24.

There's a server located behind that box, say,
192.168.1.100. I need to create a VPN to that server.
(No, simply using a ssh tunnel won't work for various
reasons!)

Is it possible to create a VPN from an outside Windows
XP Pro machine to our private network using IPSEC?
I've read the man pages and they all say how to create
a VPN between two OpenBSD boxes. Fine, but that's not
what I need. There was a page on openbsd.cz that's not
there anymore.

Please, please help!


 


Re: PlayStation 3

Jeroen Massar
Abraham Rolick wrote:

> I do apologize in advance if this is not appropriate discussion for this
> list, but I've been having problems with my PS3 sitting behind my
> OpenBSD 4.0 machine with pf using nat.
>
> Until I do some more "reverse engineering" (in a sense) on how this
> retarded PS3 actually works on a network, I won't bother asking any
> technical questions about why something may or may not be working.
>
> Rather, my question is, have any of you successfully configured pf to
> allow your PS3 to join hosted games more than 0.1 percent of the time?
> If you feel this is unfit for discussion on misc@, feel free to just
> email me directly.  Thanks!

The key in getting it to work is "UPNP", thus something like:

http://upnp.sourceforge.net/
http://linux-igd.sourceforge.net/

Most 'normal' NAT's nowadays support it, most Windows boxes use it etc,
thus most homes have it and it enables the opening of ports on the NAT
box so that they get forwarded to the internal box that requests it

See amongst others:
http://forums.linksys.com/linksys/board/message?board.id=Wireless_Routers&message.id=18300

As most parts of the world can't even get PS3's: enjoy it ;)

Greets,
 Jeroen


Re: PlayStation 3

jared r r spiegel
In reply to this post by Abraham Rolick
On Tue, Jan 23, 2007 at 05:06:20PM -0800, Abraham Rolick wrote:
>
> Rather, my question is, have any of you successfully configured pf to
> allow your PS3 to join hosted games more than 0.1 percent of the time?
> If you feel this is unfit for discussion on misc@, feel free to just
> email me directly.  Thanks!

  if the ps3 games are like the ps2 games i poked with, ensure
  to use 'static-port' on the nat rules applicable to the outgoing
  traffic for the game.


Re: PlayStation 3

Damien Miller
In reply to this post by Jeroen Massar
On Wed, 24 Jan 2007, Jeroen Massar wrote:

> The key in getting it to work is "UPNP", thus something like:
>
> http://upnp.sourceforge.net/
> http://linux-igd.sourceforge.net/

a more OpenBSDish implementation seems to be http://miniupnp.free.fr/

NB. I have never used it, or any form of uPNP (nor would I)


Re: VPN

Toni Mueller-10
In reply to this post by fuzzyping
Hi,

On Tue, 23.01.2007 at 17:14:56 -0500, Jason Dixon <[hidden email]> wrote:
> On Jan 23, 2007, at 4:52 PM, Jean-Daniel Beaubien wrote:
> >Simply enter 'SSHSentinel1.3.2.2.exe' in google and you should find
> >quite a few links to download it.  That version was free, but the
> >company stopped releasing it to make more money or something so it's
> >not the latest, but it worked very well for me.

this version of SSH Sentinel should have a number of glaring security
holes (because the 1.4 versions had), and also a number of very
desirable features missing, like support for recent crypto algorithms.

If you're going to make a VPN, you're probably interested in preventing
unauthorized access to it, right? So please consider what it will cost
you if that happens, and find a decent VPN client package.

> To be historically accurate, SSH Sentinel was purchased by SafeNet.  
> SafeNet already had their own line of VPN client software  
> (SoftRemote), so Sentinel was discontinued.

Yes. I never understood that decision because the SoftRemote seemed to
be much inferior to me at that time.


Best,
--Toni++


Re: PlayStation 3

marc-36
In reply to this post by jared r r spiegel
check my msg below for the xbox360 on the pf list:

0.33 is the xbox ip, the port must be different for ps3
but static port is the solution
---------------------------------------

clinton sigmon found the solution to the problem
thank you guy
i put to the list for archive purpose and help someone:

put the nat rules in first before other nat rules:

nat on rl0 from 192.168.0.33 to any -> (rl0) static-port


and the other rules:

rdr on rl0 inet proto udp from any to rl0 port 88 -> 192.168.0.33
rdr on rl0 inet proto { tcp, udp } from any to rl0 port 3074 -> 192.168.0.33

pass in quick on rl0 inet proto udp from any to 192.168.0.33 port 88 keep state
pass in quick on rl0 inet proto {tcp, udp} from any to 192.168.0.33 port 3074 keep state

first time i need help for pf, a great and easy firewall :)
and must say that i'm very happy with openbsd since 2.7..(never forget to buy a cd set)!

thanks to the other people who help me too.
------------------------------------------------------------