[SunHELP] IPSec and firewalls

Big Endian sunhelp at sunhelp.org
Wed Mar 7 10:17:39 CST 2001


>the current VPN at work does not allow me to get my job done from home. i have
>gotten the go ahead from work to setup an IPSec tunnel with the understanding
>that they will not modify their firewall at all.  so, is this possible given
>the following setup:
>
>Solaris 8 machine at work, has complete access to the internet, does not exist
>on the internet, behind a firewall and NAT.
>
>Solaris 8 machine at home, sits behind an IPFILTER firewall/NAT box that i can
>configure any way i please (without compromising security of course)
>
>i don't know a whole lot about IPSec, so, is it possible to have the machine
>at work initiate the tunnel so that it can get out of the firewall and connect
>to my home machine?  on what port would it be connecting to so i can allow
>a connection to that port and redirect it to the correct machine at home.
>
>thanks!!!!
>
>-brian
>_______________________________________________
>SunHELP maillist  -  SunHELP at sunhelp.org
>http://www.sunhelp.org/mailman/listinfo/sunhelp

I use FreeS/WAN (www.freeswan.org) here at the office as a VPN
between our office and our hosting center.  FreeS/WAN is a patch to
the Linux kernel that implements IPSec in kernel space.

IPSec and NAT are ALMOST mutually incompatible.  IPSec IKE (Internet
Key Exchange) is on UDP/500, but that is only half the issue.  The
actual "tunnel" is an extra route that has to be added via the new
ipsecX interface.  The packets going out of the ipsec interface are
encapsulated in an IP packet with a few options.  The two major parts
of IPSec are encryption and authentication.  The encryption is done
via ESP and the authentication can be done via AH or ESP.  The
encryption portion of ESP works OK with NAT; however, the
authentication is MD5- or SHA1-signed portions of the packet's IP
header.  This means that when the NAT host modifies your packets the
receiving host's authentication systems will reject them.  I'm not
sure about Solaris 8 IPSec or even the various firewalling software
you're using.  If you're not a network person then I DON'T recommend
the IETF docs.  Hope this helps.

Daniel Mayfield
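The following is an added example, not code from Daniel's reply or from FreeS/WAN, that shows in a few dozen lines of Python why an AH-authenticated packet is rejected after a NAT box rewrites its source address, while an ESP-authenticated one is still accepted. It models the RFC 2402 AH integrity check (HMAC-SHA1-96 as in RFC 2404, computed over the IPv4 header with the mutable fields zeroed, the AH header with its ICV zeroed, and the payload) and the RFC 2406 ESP integrity check (computed over the ESP header and encrypted payload only, never the outer IP header). The addresses, key and payload are constructed test data, and the ESP "ciphertext" is just opaque bytes; no encryption is modelled because it plays no part in the point.

```python
"""Why AH breaks behind NAT while ESP's integrity check survives it.

Added example, not from the original post.  Models the AH and ESP
integrity checks closely enough to show which header bytes each covers.
All keys, addresses and payloads below are constructed test data.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

IP_FMT = "!BBHHHBBH4s4s"          # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst
AH_PROTO, ESP_PROTO = 51, 50
AUTH_KEY = b"constructed-test-key-not-for-real-use"   # constructed shared auth key


def ipv4_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def hmac_sha1_96(key, data):
    # RFC 2404: HMAC-SHA-1 truncated to its first 96 bits (12 bytes).
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ah_immutable_view(ip_hdr):
    # RFC 2402 3.3.3.1: TOS, flags/fragment offset, TTL and header checksum are
    # "mutable" and are zeroed before the ICV is computed, so an ordinary router
    # hop does not break AH.  Source and destination addresses are NOT zeroed,
    # so anything that rewrites them (NAT) does.
    f = list(struct.unpack(IP_FMT, ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IP_FMT, *f)


def build_ah_packet(src, dst, payload, spi=0x100, seq=1, next_hdr=6):
    ah_len = 24                                    # 12-byte fixed header + 12-byte ICV
    ip_hdr = ipv4_header(src, dst, AH_PROTO, ah_len + len(payload))
    ah_fixed = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq)
    icv = hmac_sha1_96(AUTH_KEY, ah_immutable_view(ip_hdr) + ah_fixed + b"\0" * 12 + payload)
    return ip_hdr + ah_fixed + icv + payload


def verify_ah(packet):
    ip_hdr, ah_fixed, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    expected = hmac_sha1_96(AUTH_KEY, ah_immutable_view(ip_hdr) + ah_fixed + b"\0" * 12 + payload)
    return hmac.compare_digest(icv, expected)


def build_esp_packet(src, dst, ciphertext, spi=0x200, seq=1):
    # RFC 2406: the ICV covers SPI, sequence number and the (encrypted) payload
    # plus trailer.  The outer IP header is not covered at all.
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac_sha1_96(AUTH_KEY, esp_hdr + ciphertext)
    ip_hdr = ipv4_header(src, dst, ESP_PROTO, len(esp_hdr) + len(ciphertext) + 12)
    return ip_hdr + esp_hdr + ciphertext + icv


def verify_esp(packet):
    body, icv = packet[20:-12], packet[-12:]
    return hmac.compare_digest(icv, hmac_sha1_96(AUTH_KEY, body))


def nat_rewrite_source(packet, new_src):
    # What the NAT box does on the way out: swap the source address, decrement
    # TTL like any router, recompute the IP header checksum.  Everything after
    # the IP header is left alone.
    f = list(struct.unpack(IP_FMT, packet[:20]))
    f[8] = IPv4Address(new_src).packed
    f[5] -= 1
    f[7] = 0
    f[7] = ipv4_checksum(struct.pack(IP_FMT, *f))
    return struct.pack(IP_FMT, *f) + packet[20:]


def demo():
    ah = build_ah_packet("192.168.1.5", "10.0.0.7", b"GET / HTTP/1.0\r\n")
    esp = build_esp_packet("192.168.1.5", "10.0.0.7", b"\xde\xad\xbe\xef" * 8)
    return {
        "ah_direct": verify_ah(ah),
        # same source address, only TTL/checksum changed: a plain router hop
        "ah_after_router_hop": verify_ah(nat_rewrite_source(ah, "192.168.1.5")),
        "ah_after_nat": verify_ah(nat_rewrite_source(ah, "203.0.113.9")),
        "esp_after_nat": verify_esp(nat_rewrite_source(esp, "203.0.113.9")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'REJECTED'}")
```

Running it shows the AH packet surviving a plain router hop but being rejected once the source address is rewritten, while the ESP packet is still accepted. That is the whole of the "ALMOST" above: ESP's integrity check does not look at the outer header. ESP still has its own NAT problems on a 2001-era stack, which this model does not show: ESP carries no port numbers for a port-translating NAT to multiplex on, an ESP transport-mode TCP checksum still covers the original addresses inside the encrypted payload, and IKE on UDP/500 gets its source port rewritten. UDP encapsulation of ESP (NAT traversal) was standardised later and is the usual fix today.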


