LinuxQuestions.org
Old 07-12-2003, 02:35 PM   #1
cmisip
Member
 
Registered: Aug 2002
Posts: 189

Rep: Reputation: 30
VPN blocks internet access from laptop


I have a LAN with network 192.168.1.0/24 connected to a router DI 614+ which is connected to a cable modem. All my machines are connected to the DI 614+ either via cable or wirelessly. There is only one ethernet interface on each of the machines (except the laptop, but I only use eth1 there).
I wanted to increase the security of my laptop's wireless connection to the rest of my network, so I set up a VPN from it to one of my other machines in the same network (which houses my data). While it seems to work and I am able to access the other machine on the network via the VPN tunnel, I cannot seem to access the internet from the laptop anymore (well, I can access google.com and do searches with it, but the other URLs will not resolve, even the links that Google returns). If I have ipsec disabled on the laptop, then I can access the internet without problems. This is weird because I think either all DNS resolution should work or it should all fail.
There is one message from ipsec_setup when I start my connection: "Warning: changing route filtering on eth1 (changing /proc/sys/net/ipv4/conf/eth1/rp_filter from 1 to 0)". I don't know if that is significant.

I would appreciate any help.
 
Old 07-13-2003, 04:21 AM   #2
Thoreau
Senior Member
 
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167

Rep: Reputation: 45
You are currently routing through your VPN server box's local cached DNS. You will need to set the freeswan VPN server (local box) to be a DNS server or to allow forwarding of DNS routing via the VPN server config itself. You are connected directly to your box and only your box.

The routing paths/processes are determined by what your box serves and by what the freeswan server allows to route in/out. Security via wireless at VPN level is hard to do. There is a reason why companies use rotating keys and 128-bit RC5 hardware encryption instead of straight software VPN. It's a headache. But, if you can do it, you've just saved yourself conservatively 8K USD.
 
Old 07-13-2003, 04:05 PM   #3
cmisip
Member
 
Registered: Aug 2002
Posts: 189

Original Poster
Rep: Reputation: 30
Thanks. I sort of figured it out. I think you are right; it was probably cache that I was browsing. Anyway, I was trying to increase the security of my 802.11b connection to the rest of my network. It is a machine-to-machine connection in the same subnet, both connecting to a D-Link router 614+, one via wired ethernet (mymythtv), the other via wireless (mylaptop). My router is 192.168.1.1. I have in the wired machine /etc/ipsec.conf:

conn road-warrior
    left=192.168.1.2            # left is local, which is mymythtv
    leftsubnet=192.168.1.0/24   # subnet declaration
    leftid=@mymythtv            # name of this server, no DNS queries
    leftrsasigkey=yyyyyyy       # this is the public key of mymythtv
    leftnexthop=                # nothing here, no router in between
    right=192.168.1.100         # right is remote, which is mylaptop
    rightsubnet=                # nothing here
    rightid=@mylaptop           # name of laptop, no DNS queries
    rightrsasigkey=xxxxxx       # this is the public key of mylaptop
    rightnexthop=               # nothing here, no router in between
    auto=add                    # add this configuration but don't start it automatically


And on the wireless machine /etc/ipsec.conf:

conn road-warrior
    left=192.168.1.100          # left is local, which is the laptop
    leftid=@mylaptop            # name of laptop, no DNS queries with @
    leftrsasigkey=xxxxxxxx...... # this is the public key of mylaptop
    leftnexthop=                # leave blank, there is no router between
    right=192.168.1.2           # right is remote, which is mymythtv
    rightsubnet=192.168.1.0/24  # mylaptop is allowed to access this subnet
    rightid=@mymythtv           # name of server, no DNS queries with @
    rightrsasigkey=yyyyyyy...... # this is the public key of mymythtv
    rightnexthop=               # leave blank, there is no router between
    auto=add                    # add this configuration but don't start it automatically


I was able to bring up the VPN tunnel. When I looked at the routing on mylaptop:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     192.168.1.2     255.255.255.0   UG    0      0        0 ipsec0
192.168.1.0     *               255.255.255.0   U     0      0        0 ipsec0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       192.168.1.1     128.0.0.0       UG    0      0        0 ipsec0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

Therefore, internet packets are ending up at 192.168.1.2. So I decided to test this by enabling ip_forwarding in mymythtv. And that did the trick. Mylaptop now has internet access through the VPN tunnel.
However, I have another question. Looking at the output of tcpdump, I saw that there are ESP packets coming from mylaptop to mymythtv but not from mymythtv to mylaptop. Is this a problem? Can VPN encryption be only one way in the tunnel? Is this even possible, or is all traffic in either direction protected in a VPN tunnel? Is my tunnel even set up correctly? Thanks.
 
Old 07-13-2003, 09:47 PM   #4
cmisip
Member
 
Registered: Aug 2002
Posts: 189

Original Poster
Rep: Reputation: 30
I figured it out. My configuration was subnet-to-host. I needed it to be host-to-host. I did this by omitting the leftsubnet in mymythtv and rightsubnet in mylaptop. ESP now works in both directions. The VPN tunnel is working. I added forwardcontrol=yes in mymythtv's ipsec.conf so that it turns on IPv4 forwarding when ipsec is started and turns it off when it is stopped. Now I have a secure wireless 802.11b connection between mymythtv and mylaptop. Thanks.
 
Old 07-13-2003, 11:49 PM   #5
cmisip
Member
 
Registered: Aug 2002
Posts: 189

Original Poster
Rep: Reputation: 30
And now I managed to get it working with shorewall. I can finally sleep.
 
Old 07-15-2003, 10:51 PM   #6
cmisip
Member
 
Registered: Aug 2002
Posts: 189

Original Poster
Rep: Reputation: 30
Looking at the output of tcpdump, I notice that ESP encryption only happens when the source and destination of IP packets are exactly the endpoints of the tunnel. The docs stated this as well, but I had hoped that since mymythtv is IP forwarding packets to the router (to go to the internet), the IP packets would be encrypted leaving the laptop and decrypted at mymythtv prior to being sent to the router. It looks like the only way to secure all wireless communication from the laptop is to make mymythtv the endpoint of all packets that need to go to the internet, which means configuring it as an IP masquerade server. Is there a way to set up a VPN tunnel from any machine in the LAN to the router (a D-Link 614+)? Or is that a stupid question? Any thoughts? Thanks.
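An added example (not from this thread) that parses conn blocks like the ones posted above and checks which packets fall under the policy's traffic selectors, which is what posts #4 and #6 turn on: a host-to-host conn covers mylaptop and mymythtv in both directions but not laptop-to-internet packets that mymythtv merely forwards. It models selectors only, not how FreeS/WAN routes the gateway's own traffic; the conn texts and flows are constructed, and 203.0.113.10 is a documentation-range stand-in for an internet host.

```python
import ipaddress
from typing import NamedTuple

class Selector(NamedTuple):
    left: ipaddress.IPv4Network   # addresses covered on the "left" side
    right: ipaddress.IPv4Network  # addresses covered on the "right" side

def parse_conn(conf: str) -> Selector:
    """Parse a FreeS/WAN-style conn block into its traffic selector.
    '# ...' comments are stripped; an empty or absent leftsubnet/rightsubnet
    means only the endpoint itself (/32) is covered on that side."""
    params = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:                      # skip 'conn name' and blank lines
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    def side(p):
        return ipaddress.ip_network(params.get(p + "subnet") or params[p] + "/32")
    return Selector(side("left"), side("right"))

def is_protected(sel: Selector, src: str, dst: str) -> bool:
    """True if a src->dst packet matches the policy in either direction."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in sel.left and d in sel.right) or (s in sel.right and d in sel.left)

# Constructed conn blocks modelled on post #3 (subnet-to-host) and post #4 (host-to-host).
SUBNET_TO_HOST = """
conn road-warrior
    left=192.168.1.2            # mymythtv, wired
    leftsubnet=192.168.1.0/24   # whole LAN behind mymythtv
    right=192.168.1.100         # mylaptop, wireless
    rightsubnet=                # empty: the laptop itself only
"""
HOST_TO_HOST = """
conn road-warrior
    left=192.168.1.2
    right=192.168.1.100
"""
# Constructed flows; 203.0.113.10 stands in for an internet host.
FLOWS = [
    ("192.168.1.100", "192.168.1.2"),    # laptop -> mythtv
    ("192.168.1.2", "192.168.1.100"),    # mythtv -> laptop
    ("192.168.1.100", "203.0.113.10"),   # laptop -> internet (forwarded by mythtv)
]

def audit(conf: str, flows):
    """Map 'src->dst' to whether the conn would ESP-protect that packet."""
    sel = parse_conn(conf)
    return {f"{s}->{d}": is_protected(sel, s, d) for s, d in flows}
```

`audit(HOST_TO_HOST, FLOWS)` reports the two laptop/mythtv flows as protected and the forwarded internet flow as not, matching the tcpdump observation in post #6.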
 
Old 07-16-2003, 05:33 AM   #7
ckone
Member
 
Registered: Mar 2003
Location: el paso
Distribution: Redhat, Suse, and freebsd
Posts: 90

Rep: Reputation: 15
I hope you're aware that this product, FreeS/WAN, already posted at their website the fact that Airjack can break down this security level of protection....

I figured this out by reading other posts on the Network forum about this same product...

Well, good luck....

later...
