Trying to setup 2 IPsec tunnels, can't get clients to talk with each other - networking

This is my setup:
I (192.168.178.55) am trying to reach a computer from another company (10.6.35.16). The other computer is in a local network with its IPsec client (left side). I am connected via an IPsec tunnel to my firewall/router, pfSense (right side).
As you can see, the IPsec tunnels are established, but I still can't reach the other computer.
The firewall is open for all IPsec traffic.
Two things I am wondering about:
Shouldn't my client (native Win10 VPN client) have a standard gateway (see IP config, bottom right)?
Phase 2 of the connection between my client and pfSense is disconnected; is that correct?
Is there anything else I need to configure to let those 2 computers talk?

Related

IPSec Transport Mode: build a gateway-less VPN

IPSec can be used in tunnel mode to build VPNs which connect a road-warrior to a subnet of hosts through a gateway. This typically makes use of internal IP address spaces, making things complicated. Additionally, all traffic goes through a VPN gateway, which is a natural bottleneck.
How can I configure IPSec in a way that my road-warrior connects to any host in this specified subnet using transport mode encryption? Essentially I want to replace a tunnel mode VPN with a separate transport mode VPN to each host in the subnet, ideally without having separate VPN configuration entries and manual starting of the VPNs. I looked at the strongswan/libreswan documentation, but could not find anything. I imagine a wildcard config with certificate-based authentication where all hosts have a certificate from a common CA.
Is this not the way the transport mode part of IPSec is supposed to be used? Especially with an all-IPv6 network, the additional complexity of private IP ranges is inefficient.

VPN server and client (possibly) on the same machine

What I'm trying to achieve is:
Connect to a VPN as client and route all my internal network's traffic over the VPN.
Run a VPN server, so that people from outside can connect to my internal network and get routed over the a.m. VPN client.
I'm trying to achieve that with a router running dd-wrt (netgear D6200), and / or a raspberry pi.
Can someone tell me if this can be achieved, and if so, direct me to what would be a possible solution?
(I'm not looking for a tutorial, just a direction)
Thanks!
This thread probably does not belong here.
Consider using OpenWRT instead of dd-wrt. OpenWRT gives you a usable build system and is easier to customize and build. I am not advocating OpenWRT; this can be a stop-gap measure.
You can set up an OpenVPN server and OpenVPN client using the standard documentation available on the OpenWRT Wiki and also the OpenVPN site.
Add to the OpenVPN server.conf the following directive: redirect-gateway def1. This will push the default gateway to clients connecting to the OpenVPN server. Further, make sure you are using a unique network IP pool for VPN clients that does not clash with the remote VPN server.
Make sure you are masquerading the VPN traffic (clients of the local VPN server) before forwarding to the remote VPN server. This can be tricky as this interface does not exist at boot time. It needs to be configured using up and down scripts.
Make sure you are allowing traffic (clients of the local VPN server) on the VPN interface to be forwarded in your firewall rules.
Before setting up the OpenVPN server, make sure:
The remote VPN server is pushing the default gateway to your VPN client
You have set up the firewall correctly
You are able to reach the cloud through the remote VPN server. Checking with some site like www.whatismyip.com will help
Yes this is possible with dd-wrt on Netgear.
There is no need for a Raspberry Pi (unless you meant to run the remote VPN server on it).
Configure and run VPN server on dd-wrt - and try connectivity by connecting clients. Both tun/tap should work in general (with VPN client running). I tested with tun.
Configure and run VPN client on dd-wrt and try connecting to your VPN server. By default, the router should start directing all traffic (for its own LAN clients) via the VPN server.
So far so good.
The problem comes when you want dd-wrt's VPN clients (and not just LAN clients) to take the same route. With a VPN client running on dd-wrt, dd-wrt's own VPN clients will not be able to connect to the VPN server running on dd-wrt as such. To make it work, see below.
This is only possible via PBR - i.e. you run VPN client on dd-wrt, but take the router itself off this client, and route only specific clients through this VPN client running on dd-wrt.
With some tweaks using subnet masks, it is possible to include all your LAN and VPN IPs in the PBR policy so that everything (except the router itself) routes through the remote VPN server.
The key is to include dd-wrt's VPN clients' virtual IPs in the PBR. While configuring VPN server on dd-wrt, there is a field for specifying the clients' network and netmask.
If you use this network IP and netmask in client process's PBR policy, your (dd-wrt's) VPN clients will be able to connect to the VPN server running on dd-wrt, and will in turn be routed through the remote VPN server to which dd-wrt is connected as a client.

VM guest not accessible from Host (with running VPN Client)

I have configured my guest VM as described here: https://askubuntu.com/a/293817/503589
Unfortunately I cannot connect to the guest via IP or "localhost", if the Cisco AnyConnect VPN Client is connected on the host (Windows 7).
It works as long as I am not connected with the Cisco VPN AnyConnect Client on the host.
My requirements are the following:
the host should be able to access the guest with its static IP, whether I am connected to the host VPN or not.
I am working remote (WLAN) or in the office (LAN). In the office it's working, because I have no Cisco VPN Client connected.
guest can access the internet
I can move my laptop from network to network (e.g. from home to office to coffeeshop) without worrying about securing or reconfiguring the vm
What I also already tried and what didn't work:
NAT
Bridged
The Cisco VPN client is likely configured for full tunneling, meaning all traffic is routed through the VPN interface. This is why you are unable to reach other hosts on your LAN.
You might be able to request a split-tunneled profile from your Network team, but it may go against company policy.

Forward Proxy to Gateway of WLAN Accesspoint

In our network a proxy server is used to give all the clients, which are all Windows XP computers, access to the internet. Now we want to set up a wireless LAN to allow people to connect their own mobile phones, computers, etc. to the internet. However, if we simply connect a wireless access point to our network, everyone has to configure the proxy server on their devices.
What can I do so that the WLAN router can act as a gateway to the internet using the proxy server?
You can NAT all the traffic destined to port 80 to a proxy machine. This is a so-called forced or intercepting proxy.
For example, if you have a RouterOS router, you would simply add a rule
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp to-addresses=<proxy IP address>
If you proxy other protocols apart from HTTP, you would do the same for them changing the port.
Many proxy solutions can run in intercepting mode (such that you have a machine with two network interfaces that filter all the traffic that is coming through). See this tutorial for setting it up with Squid.
Otherwise, if you already have a proxy server you can use the solution above by placing a router or a server running the routing software between the access point and your network, for example Vyatta or Mikrotik RouterOS (commercial but pretty powerful), some open-source/freeware router/firewall distribution (pfSense, Openwall, m0n0wall, ...) or even a vanilla OpenBSD (with pf firewall) / Linux (with iptables) to achieve the desired effect.
Once you get the straight-through routing in place it should be pretty straightforward to set up the proxy NAT as noted above.
You should consider applying this setting on the router that your access-point connects to for it may save you the trouble of setting up a new machine.

How do I make a TCP server work behind a router (NAT) without any redirection configuration needed

The scenario is the following. I have two machines A and B:
A: Client (behind NAT)
B: Server (behind NAT)
I want B to be able to listen on any given port, so that A can send packets to B through that specific TCP port and receive any response. If both machines are not behind a NAT it is a pretty straightforward process. However, how do I make it work even when B is behind a router, without having to change the router configuration, enable some port forwarding, etc.?
For example, how do peer-to-peer programs like torrent clients work without the user having anything to configure?
To answer the example of Peer to Peer programs, and in general: There is a technology called Universal Plug and Play which NAT routers can use to allow clients behind them to expose ports to the outside. That's what bittorrent clients can use so the other clients can directly connect to them.
An alternative to a proxy server is a match-making server. Instead of proxying all of the traffic, the match maker just negotiates until the peers can talk to each other. This involves finding the external public IPs of the peers and talking to each one so that the firewall/router knows that the peers wish to communicate.
This is called hole punching and it often has to be done by the match maker rather than the peers themselves. Once the holes are punched, though, the match maker can tell the peers about each other and they can communicate directly.
You will have to either:
Set up port forwarding from the NAT gateway in front of the server into the machine your server software is running on, and have the client connect to the IP address of that gateway.
Create a proxy server sitting in between the 2 NAT gateways so both your server and client can connect to that. Both your server and client have to set up a connection to that proxy, which will mediate the data between those 2 connections.
Hole punching is moderately well understood for UDP communication, but it can be reliably used to set up peer-to-peer TCP streams as well. Here is a well-detailed article on both TCP and UDP:
http://www.brynosaurus.com/pub/net/p2pnat/
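The match-making exchange the answers above describe, as an added Python example that is not part of the original thread: a tiny UDP rendezvous server records the endpoint each peer is seen from, hands each peer the other's endpoint, and the peers then send to each other directly. Everything runs on localhost, so no NAT is actually traversed (the observed endpoints are plain loopback addresses); the peer names, message formats and run_demo() helper are constructed for the demonstration.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

LOOPBACK = "127.0.0.1"  # constructed demo: every endpoint is on localhost, no real NAT

def rendezvous_server(sock, expected=2):
    """Match-maker: note the endpoint each peer is seen from, then tell each
    peer where the others are (behind a real NAT this is the public mapping)."""
    peers = {}
    while len(peers) < expected:
        data, addr = sock.recvfrom(1024)
        peers[data.decode().split(" ", 1)[1]] = addr  # message is "register <name>"
    for name, addr in peers.items():
        others = [f"{n}={a[0]}:{a[1]}" for n, a in peers.items() if n != name]
        sock.sendto(("peers " + " ".join(others)).encode(), addr)

def peer(name, server_addr):
    """Register with the match-maker, then talk to the other peer directly."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((LOOPBACK, 0))
    sock.settimeout(3)
    sock.sendto(f"register {name}".encode(), server_addr)
    received, learned = None, False
    try:
        # The server's reply and the other peer's hello can arrive in either order.
        while received is None or not learned:
            msg = sock.recvfrom(1024)[0].decode()
            if msg.startswith("peers "):
                learned = True
                for entry in msg.split()[1:]:  # each entry is "<name>=<ip>:<port>"
                    host, port = entry.split("=", 1)[1].rsplit(":", 1)
                    sock.sendto(f"hello from {name}".encode(), (host, int(port)))
            elif msg.startswith("hello from "):
                received = msg  # the direct path, not via the server, is open
    except socket.timeout:
        pass  # where a real hole punch fails, e.g. behind a symmetric NAT
    sock.close()
    return received

def run_demo():
    """Run the match-maker and peers A and B; return what each peer received."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind((LOOPBACK, 0))
    threading.Thread(target=rendezvous_server, args=(server,), daemon=True).start()
    with ThreadPoolExecutor(2) as pool:
        futures = {n: pool.submit(peer, n, server.getsockname()) for n in ("A", "B")}
    server.close()
    return {n: f.result() for n, f in futures.items()}
```

On a real NAT the same exchange works only if the NAT reuses the mapping the server observed for the peer's outgoing packets, which is why the linked article distinguishes NAT types.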