HP3000-L Archives

February 2000, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Mark Bixby <[log in to unmask]>
Reply To: Mark Bixby <[log in to unmask]>
Date: Sun, 13 Feb 2000 13:46:37 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (58 lines)

Hi HP3000-L,

Thank you for the many quick replies on this topic!

It turns out that I was able to use the best solution of all -- changing the IP
address of the NT machine back to match the rest of my network.

My home configuration is:

Linux (192.168.0.1 internal, 207.xxx.xxx.xxx external) <-- DSL --> Internet
  ^
  |
  |
  +---> Win 98 192.168.0.2
  |
  |
  +---> HP 3000 192.168.0.3
  |
  |
  +---> HP JetDirect network LaserJet printer 192.168.0.4
  |
  |
  +---> Win NT 192.168.0.5


I'm running the Linux 2.2.14 kernel with IP masquerade in order to let the
internal machines be able to initiate external connections to the outside
world (the masquerade feature "borrows" unused ports from the 207.xxx.xxx.xxx
external address).  Because the internal machines are all using addresses in
the private 192.168.0.x subnet, the outside world cannot attack them (well,
unless of course the outside world manages to break into the Linux box
itself).

The multiple subnet issue arose when I started connecting to the HP
15.xxx.xxx.xxx intranet over my DSL connection via an IPsec VPN client running
on the NT machine.  Unfortunately IPsec isn't supported by standard Linux IP
masquerade, so I had to get another real 207.xxx.xxx.xxx IP address from my
ISP, assign it to the NT machine doing the IPsec, and configure the Linux
firewall to forward packets to/from the new address unmolested.  This worked
fine for IPsec VPN, but because the subnet had changed, I could no longer talk
to the 3000.

I did some web searches and turned up a Linux VPN (IPsec+PPTP) masquerade
kernel patch at
ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html.  I installed
the patch yesterday, renumbered my NT machine back to 192.168.0.5, and now the
IPsec works just fine because it's being masqueraded properly.  Plus all of my
machines can talk to each other once again because the subnets are the same.

The one thing I lack right now is the ability of the 3000 to do IPsec.  But
there may someday be a viable Linux VPN client solution that I could install on
the Linux firewall machine that would give all of my LAN, including the 3000,
transparent access to a remote IPsec VPN.  For more details, see
http://www.xs4all.nl/~freeswan/.  It's a little bleeding-edge right now, but I
think it bears watching.

- Mark "opensource operating systems rule!" Bixby
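
The port-borrowing behaviour described in the message above, as an added sketch that is not part of the original post and is not kernel code: a toy masquerade table showing why replies reach internal hosts, why unsolicited inbound packets do not, and why ESP (IP protocol 50, which has no port fields) cannot be tracked by a port-keyed table. The external address, the remote address used with it, and the port pool are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

EXTERNAL_IP = "203.0.113.1"        # constructed placeholder for the firewall's public address
PORT_POOL = range(61000, 61010)    # small constructed pool of "borrowed" external ports
TCP, UDP, ESP = 6, 17, 50          # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None    # None for port-less protocols such as ESP
    dport: Optional[int] = None

class Masquerade:
    def __init__(self):
        self.table = {}            # (proto, borrowed port) -> (internal ip, internal port)
        self.free = iter(PORT_POOL)

    def outbound(self, pkt):
        """Rewrite a packet leaving the LAN; None means it cannot be tracked."""
        if pkt.proto not in (TCP, UDP) or pkt.sport is None:
            return None            # nothing to rewrite, so replies would have no table key
        for (proto, port), owner in self.table.items():
            if proto == pkt.proto and owner == (pkt.src, pkt.sport):
                break              # flow already has a borrowed port
        else:
            port = next(self.free, None)
            if port is None:
                return None        # pool exhausted
            self.table[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, EXTERNAL_IP, pkt.dst, port, pkt.dport)

    def inbound(self, pkt):
        """Map a reply back to the internal host; unsolicited traffic gets None."""
        owner = self.table.get((pkt.proto, pkt.dport))
        if owner is None:
            return None
        return Packet(pkt.proto, pkt.src, owner[0], pkt.sport, owner[1])
```

This model keys only on protocol and borrowed port; a real implementation also tracks the remote endpoint and expires idle entries.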
