routing to a second router with PF

From: David Magda (dmagda+trace040726_at_ee.ryerson.ca)
Date: 08/30/04


Date: 30 Aug 2004 10:55:54 -0400

Hello,

I would like to know whether the following scenario is possible with
OpenBSD (3.3, for now):

   Machine(s) ----|
                  | Client's
                  |--- OBSD GW ------- Internet ---- VPN GW
                  |
    Linksys VPN --|
      Router

A client of ours wants us to connect to their internal network
(maintenance / monitoring) through a VPN instead of using SSH. I need
to know whether it is possible to have the internal machines send
regular packets to the OBSD GW, have it redirect them to a Linksys
VPN router (which encrypts the packets), and send the IPsec packets
to the client's VPN GW. The internal machines run Windows XP (WXP)
Home.

Replies from the client's VPN GW should also come back through this
convoluted path.

Another option would be to attempt to give the WXP boxes another route
through DHCP: send all packets for the client's internal network to the
Linksys VPN without hitting the OpenBSD GW.

It is technically possible, but it would probably be less hassle to
try to get OpenBSD routing working than messing with Windows routing
(I don't have much experience with advanced Windows features).

Thanks for any info.

P.S. I know the OBSD GW can do IPsec very well, but for now I'm using
the Linksys. (Mostly because the OBSD GW is probably underpowered for
IPsec (Pentium 200 MHz, 64MB RAM).) The Linksys would also do some
NATing so the client wouldn't really be able to go back into our
network.

-- 
David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
Because the innovator has for enemies all those who have done well under
the old conditions, and lukewarm defenders in those who may do well 
under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
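The redirection the post asks about is what PF's route-to option does. The following pf.conf is an added example for the scenario in the post, not configuration from the original message or from any vendor; the interface names, the LAN and client prefixes, the Linksys address and the client gateway address are all assumptions chosen for illustration. It is written in OpenBSD 3.3 syntax, where state has to be requested explicitly with keep state.

```pf
# Added example (not from the original post). Names and addresses below are
# assumptions: adjust them to the real LAN, Linksys and client addresses.

ext_if     = "fxp0"             # interface toward the Internet (assumed)
int_if     = "fxp1"             # internal LAN interface (assumed)
int_net    = "192.168.1.0/24"   # LAN holding the WXP boxes and the Linksys (assumed)
linksys    = "192.168.1.2"      # LAN address of the Linksys VPN router (assumed)
client_net = "10.20.0.0/16"     # client's internal network behind their VPN GW (assumed)
client_gw  = "203.0.113.1"      # client's VPN gateway on the Internet (assumed)

scrub in all

# Ordinary Internet access for the LAN, including the Linksys itself.
nat on $ext_if from $int_net to any -> ($ext_if)

# IKE (UDP/500) and ESP from the Linksys to the client's VPN gateway leave
# NATed to the external address. PF tracks ESP state by address pair only,
# so exactly one tunnel to $client_gw can be carried through this NAT.
pass out on $ext_if proto udp from $linksys to $client_gw port 500 keep state
pass out on $ext_if proto esp from $linksys to $client_gw keep state

# Default handling for LAN traffic: follow the routing table.
pass in on $int_if from $int_net to any keep state

# The rule the post is asking for. Plaintext packets from the WXP boxes for
# the client's network arrive on $int_if and are sent straight back out
# $int_if to the Linksys instead of to the default route. PF evaluates the
# last matching rule, so this more specific rule must come after the
# general one above.
pass in on $int_if route-to ($int_if $linksys) from $int_net to $client_net keep state
```

Two things to check after loading this with pfctl -f /etc/pf.conf: first, the Linksys must have a route (or simply its own default gateway) pointing back at the OBSD GW so that the ESP packets it produces reach $ext_if; second, because the Linksys sits on the same LAN as the WXP boxes, the decrypted replies go from the Linksys directly to the hosts without passing the OBSD GW again, so the route-to states only ever see one direction and expire on the normal timeouts. That is harmless, but it means tcpdump on $int_if will show only the outbound half of each session.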

