Next Previous Contents

4. Configuring the VPN client

4.1 Configuring a MS W'95 client

  1. Set up your routing so that the Linux firewall is your default gateway:
    1. Open Control Panel/Network or right-click "Network Neighborhood" and click on Properties.
    2. Click on the Configuration tab.
    3. In the list of installed network components, double-click on the "TCP/IP -> whatever-NIC-you-have" line.
    4. Click on the Gateway tab.
    5. Enter the local-network IP address of your Linux firewall. Delete any other gateways.
    6. Click on the "OK" button.
  2. Test masquerading. For example, run "telnet my.isp.mail.server smtp" and you should see the mail server's welcome banner.
  3. Install and configure the VPN software. For IPsec software follow the manufacturer's instructions. For MS PPTP:
    1. Open Control Panel/Network or right-click "Network Neighborhood" and click on Properties.
    2. Click on the Configuration tab.
    3. Click on the "Add" button, then double-click on the "Adapter" line.
    4. Select "Microsoft" as the manufacturer and add the "Virtual Private Networking Adapter" adapter.
    5. Reboot when prompted to.
    6. If you need to use strong (128-bit) encryption, download the strong encryption DUN 1.3 update from the MS secure site at http://mssecure.www.conxion.com/cgi-bin/ntitar.pl and install it, then reboot again when prompted to.
    7. Create a new dial-up phonebook entry for your PPTP server.
    8. Select the VPN adapter as the device to use, and enter the PPTP server's internet IP address as the telephone number.
    9. Select the Server Types tab, and check the compression and encryption checkboxes.
    10. Click on the "TCP/IP Settings" button.
    11. Set the dynamic/static IP address information for your client as instructed to by your PPTP server's administrator.
    12. If you wish to have access to your local network while the PPTP connection is up, uncheck the "Use default gateway on remote network" checkbox.
    13. Reboot a few more times, just from habit... :)

4.2 Configuring a MS W'98 client

  1. Set up your routing so that the Linux firewall is your default gateway and test masquerading as described above.
  2. Install and configure the VPN software. For IPsec software follow the manufacturer's instructions. For MS PPTP:
    1. Open Control Panel/Add or Remove Software and click on the Windows Setup tab.
    2. Click on the Communications option and click the "Details" button.
    3. Make sure the "Virtual Private Networking" option is checked. Then click the "OK" button.
    4. Reboot when prompted to.
    5. If you need to use strong (128-bit) encryption, download the strong encryption VPN Security update from the MS secure site at http://mssecure.www.conxion.com/cgi-bin/ntitar.pl and install it, then reboot again when prompted to.
  3. Create and test a new dial-up phonebook entry for your VPN server as described above.

4.3 Configuring a MS W'ME client

I haven't seen one of these yet. I expect the procedure is very similar to that for W'98. Could someone who has done this let me know what, if any, differences there are? Thanks.

4.4 Configuring a MS NT client

Note: this section may be incomplete as it's been a while since I've installed PPTP on an NT system.

  1. Set up your routing so that the Linux firewall is your default gateway:
    1. Open Control Panel/Network or right-click "Network Neighborhood" and click on Properties.
    2. Click on the Protocols tab and double-click on the "TCP/IP" line.
    3. Enter the local-network IP address of your Linux firewall in the "Default Gateway" box.
    4. Click on the "OK" button.
  2. Test masquerading. For example, run "telnet my.isp.mail.server smtp" and you should see the mail server's welcome banner.
  3. Install and configure the VPN software. For IPsec software follow the manufacturer's instructions. For MS PPTP:
    1. Open Control Panel/Network or right-click "Network Neighborhood" and click on Properties.
    2. Click on the Protocols tab.
    3. Click on the "Add" button, then double-click on the "Point-to-Point Tunneling Protocol" line.
    4. When it asks for the number of Virtual Private Networks, enter the number of PPTP servers you could possibly be communicating with.
    5. Reboot when prompted to.
    6. If you need to use strong (128-bit) encryption, download the strong encryption PPTP update from the MS secure site at http://mssecure.www.conxion.com/cgi-bin/ntitar.pl and install it, then reboot again when prompted to.
    7. Create a new dial-up phonebook entry for your PPTP server.
    8. Select the VPN adapter as the device to use, and enter the PPTP server's internet IP address as the telephone number.
    9. Select the Server Types tab, and check the compression and encryption checkboxes.
    10. Click on the "TCP/IP Settings" button.
    11. Set the dynamic/static IP address information for your client as instructed to by your PPTP server's administrator.
    12. If you wish to have access to your local network while the PPTP connection is up, see MS Knowledge Base article Q143168 for a registry fix. (Sigh.)
    13. Make sure you reapply the most recent Service Pack, to ensure that your RAS and PPTP libraries are up-to-date for security and performance enhancements.

4.5 Configuring for network-to-network routing

Yet to be written.

You really ought to look at FreeS/WAN (IPsec for Linux) at http://www.xs4all.nl/~freeswan/ instead of masquerading.

4.6 Masquerading Checkpoint SecuRemote-based VPNs

It is possible to masquerade Checkpoint SecuRemote-based VPN traffic under certain circumstances.

First, you must configure the SecuRemote firewall to allow masqueraded sessions. On the SecuRemote firewall do the following:

  1. Run fwstop
  2. Edit $FWDIR/conf/objects.C and after the ":props (" line, add or modify the following lines to read:
    :userc_NAT (true) 
    :userc_IKE_NAT (true)
    
  3. Run fwstart
  4. Re-install your security policy.
  5. Verify the change took effect by checking both $FWDIR/conf/objects.C and $FWDIR/database/objects.C

If you use the IPsec protocols (called "IKE" by CheckPoint) you don't have to do anything else special to masquerade the VPN traffic. Simply configure your masquerading gateway to masquerade IPsec traffic as described above.

Checkpoint's proprietary FWZ protocol is more complicated. There are two modes that FWZ can be used in: encapsulated mode and transport mode. In encapsulated mode, integrity checking is done over the whole IP packet, just as in IPsec's AH protocol. Changing the IP address breaks this integrity guarantee, thus encapsulated FWZ tunnels cannot be masqueraded.

In transport mode, only the data portion of the packet is encrypted, and the IP headers are not verified against changes. In this mode, masquerading should work with the modifications described above.

The configuration for encapsulated or transport mode is done in the FireWall-1 GUI. In the network object for the Firewall, under the VPN tab, edit the FWZ properties. The third tab in FWZ properties allows you to set encapsulated mode.

You will only be able to masquerade one client at a time.

Further information can be found at:


Next Previous Contents