On Fri, Nov 10, 2006 at 07:11:41PM +0100, Joachim Schipper wrote:
> On Fri, Nov 10, 2006 at 09:34:42AM -0600, Albert Chin wrote:
> > With the following firewall configuration, what recommendations does
> > anyone have for how we should handle VPN? I see two solutions:
> >   1. Forward ipsec from FIREWALL 1 to FIREWALL 2 with isakmpd running
> >      on FIREWALL 2.
> >   2. Run isakmpd on FIREWALL 1 and nat the traffic from the VPN
> >      network to FIREWALL 2.
> > 
> > I like method #2 because it doesn't allow direct access to isakmpd
> > from the Internet.
> > 
> >                   -----------------
> >                  |     INTERNET    |
> >                   --------o--------
> >                           |
> >                           |
> >               ------------o------------ 
> >              |                         |(dmz)
> >     +--------o        FIREWALL 1       o-----
> >     |        |                         |
> >     |         -------------------------
> >     |
> >     |
> >     |         -------------------------
> >     |        |                         |
> >     +--------o        FIREWALL 2       |
> >              |                         |
> >               -------------------------
> >                               |(internal network)
> 
> I'd just run isakmpd on FW1, especially if the VPN is mostly used to
> access the internal network.

Yes, the VPN will _only_ be used to access the internal network.

> If there happens to be a big bug in isakmpd, you only expose the DMZ;
> and if you misconfigure the firewall, which is a lot more likely, you
> only expose the DMZ.
> 
> Of course, if server A is only reachable internally and via VPN, FW2
> must still trust FW1 to only feed it connections to server A that are
> actually initiated by a VPN client. FW2 doing a second layer of
> filtering seems to be the main point of the setup, so handle that.

Yes. On FW2, we'll probably limit VPN connections to ssh, http, imap,
etc.

Expanding on the config some more:
                     (fxp0)|(internal network - 192.168.0.0/24)
                   --------o--------
                  |    VPN CLIENT   |
                   --------o--------
                           |(fxp1 - 1.2.3.4)
                           |
                   --------o--------
                  |     INTERNET    |
                   --------o--------
                           |
                           |(fxp1 - 1.2.3.5)
               ------------o------------ 
  192.168.10.1|(fxp0)                   |(dmz)
     +--------o        FIREWALL 1       o-----
     |        |                         |(fxp2)
     |         -------------------------
     |
     |
     |         -------------------------
     |        |                         |
     +--------o        FIREWALL 2       |
  192.168.10.2|(fxp0)                   |
               ----------------o--------
                         (fxp1)|(internal network - 192.168.1.0/24)

If my ipsec.conf on the VPN CLIENT looks like:
  ike esp from 1.2.3.4 to 1.2.3.5
  ike esp from 1.2.3.4 to 192.168.1.0/24 peer 1.2.3.5
  ike esp from 192.168.0.0/24 to 192.168.1.0/24 peer 1.2.3.5

And, on FW1, looks like:
  ike passive esp from 1.2.3.5 to 1.2.3.4
  ike passive esp from 1.2.3.5 to 192.168.0.0/24 peer 1.2.3.4
  ike passive esp from 192.168.1.0/24 to 192.168.0.0/24 peer 1.2.3.4

Then, from the VPN CLIENT, how would an ssh connection to 192.168.1.1,
server A on the internal network behind FW2, work? IPsec would encrypt
the packet between 1.2.3.4 and 1.2.3.5, where it would be unencrypted,
but on the external, fxp1 interface. How do I get 192.168.0.0/24
traffic to the fxp0 interface, from fxp1, when fxp1 is on a private
network between FW1 and FW2?

-- 
albert chin ([EMAIL PROTECTED])
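As an added example (not from this thread) of how the decrypted traffic reaches fxp0: a pf.conf and route sketch for both firewalls, assuming isakmpd on FW1, the addresses and interface names from the diagram above, and the ssh/http/imap list from the post; the macro names are mine.

```pf
# --- /etc/pf.conf on FIREWALL 1 (assumed; interfaces from the diagram) ---
ext_if   = "fxp1"              # 1.2.3.5, Internet side
fw2_if   = "fxp0"              # 192.168.10.1, private link to FIREWALL 2
client   = "1.2.3.4"
me       = "1.2.3.5"
vpn_net  = "192.168.0.0/24"    # network behind the VPN client
int_net  = "192.168.1.0/24"    # internal network behind FIREWALL 2

# IKE and ESP only from the known peer, so isakmpd is not reachable from
# anywhere else on the Internet.
pass in on $ext_if proto udp from $client to $me port { isakmp, ipsec-nat-t } keep state
pass in on $ext_if proto esp from $client to $me

# Decrypted packets re-enter the stack on enc0. Tunnel-mode packets show up
# there first as IP-in-IP (ipencap) and then as the inner packet, so both
# need a rule. if-bound keeps these states on enc0 only.
pass in on enc0 proto ipencap from $client to $me keep state (if-bound)
pass in on enc0 from $vpn_net to $int_net keep state (if-bound)
pass in on enc0 from $client to $int_net keep state (if-bound)

# The inner packet is then routed like any other packet: with a route for
# $int_net via 192.168.10.2 it leaves on fxp0 towards FW2. Make it persistent:
#   echo '!route add 192.168.1.0/24 192.168.10.2' >> /etc/hostname.fxp0
pass out on $fw2_if from { $vpn_net, $client } to $int_net keep state

# --- /etc/pf.conf on FIREWALL 2 (assumed) ---
# FW2 only ever sees cleartext arriving from 192.168.10.1 and has to trust
# FW1 that it is VPN-originated, so it narrows the services instead.
# FW2 also needs the return route:  route add 192.168.0.0/24 192.168.10.1
fw1_if    = "fxp0"             # 192.168.10.2
vpn_net2  = "192.168.0.0/24"
vpn_host2 = "1.2.3.4"
int_net2  = "192.168.1.0/24"

block in on $fw1_if
pass in on $fw1_if proto tcp from { $vpn_net2, $vpn_host2 } to $int_net2 \
    port { ssh, http, imap } flags S/SA keep state
```

Load each half on its own firewall with pfctl -f; the ipsec.conf flows in the post must still be mirrored on both ends for the enc0 rules to ever see traffic.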