Koozali.org: home of the SME Server

ESP, VPN, Kernel Upgrade

Matt Goss

ESP, VPN, Kernel Upgrade
« on: November 16, 2000, 10:09:56 AM »
Hi there!


I was about to install a VPN upgrade to my e-smith server allowing internal PCs to connect to VPNs running the ESP protocol (I believe it is quite similar to IPSec) out on the internet. The documentation I found for this is at:
http://www.midnightdreary.com/Documents/Linuxhowto/VPN-Masquerade-HOWTO.html

Now, it wants me to re-compile and configure the kernel.  But e-smith doesn't even have gcc, and I'm a very happy e-smith user who doesn't mind just sticking with e-smith modules so that everything works and I don't have any headaches.

So I have two options:
- install egcs and start messing with the kernel
- install a newer version of the kernel from redhat

both of which make me quite nervous
-- though disconnecting my 7 users so 1 user can connect directly to the cable modem to telecommute each day (via a VPN) is more annoying, so I must find a solution.

Any advice?

Charlie Brady

RE: ESP, VPN, Kernel Upgrade
« Reply #1 on: November 16, 2000, 02:16:36 PM »
Matt Goss wrote:

> Hi there!
> I was about to install a VPN upgrade to my e-smith server
> allowing internal PCs to connect to VPNs running the ESP
> protocol (I believe it is quite similar to IPSec)

Encapsulated Security Payload - it's one component of IPSec.

> So I have two options:
> - install egcs and start messing with the kernel
> - install a newer version of the kernel from redhat

You can install the RedHat 7.0 kernel on e-smith 4.0 on a trial basis. It seems to work for me. If you are game, and sensible, you should be able to follow this protocol:

Install the kernel (using rpm -iv ...) rather than upgrade the kernel. (In order to do this, you will first need to upgrade rpm to version 3.0.5. You will also need to install a popt rpm. Obtain these from your local RedHat mirror site.)

Install a section like so:

image=/boot/vmlinuz-2.2.16-22
   label=new
   read-only
   root=/dev/hda6

in /etc/lilo.conf, below the "image.." section which is already there.

Run lilo, using "/sbin/lilo -v". If all goes well, then you can type "new" at the lilo prompt, and you will boot the new kernel.

Once the new kernel boots, you can do:

/sbin/modprobe ip_masq_pptp

and up to ten (at any time) of your client systems should be able to do outbound PPTP VPN connections.

If all works happily, you can follow the instructions at http://www.e-smith.org/custom/ to make a custom change to /etc/rc.d/init.d/masq so that ip_masq_pptp is loaded at boot time, and you may remove the original kernel, or make the new kernel the default kernel (see lilo documentation).

Regards

Charlie

Matt Goss

RE: ESP, VPN, Kernel Upgrade
« Reply #2 on: November 16, 2000, 11:42:07 PM »
Okay, I did everything you suggested:
- Installed the RedHat 7.0 Kernel (2.2.16-22), using rpm -iv
- Upgraded the rpm to 3.0.5 (even though 4.0 is out now)
- Installed popt-1.6-4.i386.rpm
- Modified lilo, then ran lilo with the -v option

Booted up using the 'new' kernel and it booted up fine.
Ran /sbin/modprobe ip_masq_pptp.

However, it still doesn't work for my client.

I checked again with the sys admin from the VPN server that my user is trying to connect to and they confirmed the software uses the ESP protocol -- in particular, the software is the Nortel Extranet Client, which uses UDP port 500 both ways.

Any ideas?

Charlie Brady

RE: ESP, VPN, Kernel Upgrade
« Reply #3 on: November 17, 2000, 03:34:41 AM »
Matt Goss wrote:

> However, it still doesn't work for my client.
>
> I checked again with the sys admin from the VPN server that my
> user is trying to connect to and they confirmed the software
> uses the ESP protocol -- in particular, the software is the
> Nortel Extranet Client, which uses UDP port 500 both ways.
>
> Any ideas?

Yes, your client is an IPSec client, and uses both ESP traffic (IP protocol 50) and UDP port 500. Masquerading it requires four additional masquerade modules, as detailed in the VPN masquerade HOWTO. There is no support for this in the e-smith server and gateway or in the RedHat 7.0 kernel for IPSec masquerading.

It may be possible for your client to make the connection work by using IP forwarding rules to connect the single client machine to the VPN server they wish to contact (i.e. use specific forwarding, rather than masquerading). A little bit of expertise with ipchains, and modification to the template for /etc/rc.d/init.d/masq should set this up for you.

Regards

Charlie
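Charlie's explanation of why the IPSec client cannot simply be masqueraded like the PPTP case comes down to packet layout: UDP/500 (IKE) has port numbers a masquerader can rewrite, whereas ESP (IP protocol 50) carries only an SPI and no ports. The following Python script is an added illustration, not code from the thread or from e-smith; it builds constructed sample packets, extracts the fields a classic port-rewriting masquerader could key on, and shows that two inside clients talking to the same VPN server can be distinguished for UDP/500 but not for ESP. The client, server and gateway addresses, the SPI values and the `PortMasquerader` class are all assumptions made for the example.

```python
"""Why a port-based masquerader handles UDP/500 (IKE) but not ESP (IP proto 50).

Added example for the thread above; packets and addresses are constructed.
"""
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50     # Encapsulating Security Payload, as named in the thread
ISAKMP_PORT = 500    # IKE key exchange on UDP/500, as noted in the thread


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left as zero; sample data only)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def udp_packet(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """IPv4 + UDP: the header carries source and destination ports."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def esp_packet(src: str, dst: str, spi: int, seq: int, data: bytes) -> bytes:
    """IPv4 + ESP: the header is SPI, sequence number, then encrypted payload (RFC 2406)."""
    esp = struct.pack("!II", spi, seq) + data
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def flow_key(pkt: bytes) -> tuple:
    """Return the tuple a masquerading gateway could use to tell this flow apart."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    body = pkt[ihl:]
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        return ("udp", src, sport, dst, dport)
    if proto == IPPROTO_ESP:
        (spi,) = struct.unpack("!I", body[:4])
        return ("esp", src, dst, spi)        # no port fields exist in ESP
    return ("other", src, dst, proto)


class PortMasquerader:
    """Model of a classic masquerader (hypothetical): rewrite source IP and source port."""

    def __init__(self, ext_ip: str, first_port: int = 61000):
        self.ext_ip = ext_ip
        self.next_port = first_port
        self.table = {}                      # inside flow key -> outside flow key

    def outbound(self, pkt: bytes) -> tuple:
        key = flow_key(pkt)
        if key in self.table:
            return self.table[key]
        if key[0] == "udp":
            _, _src, _sport, dst, dport = key
            out = ("udp", self.ext_ip, self.next_port, dst, dport)
            self.next_port += 1              # a fresh external port per inside flow
            self.table[key] = out
            return out
        # ESP has no port to rewrite, so a port-based masquerader has no way to
        # give a second client to the same server its own distinguishable mapping.
        raise ValueError(f"no port to rewrite for {key[0]}; cannot masquerade")


def demo() -> dict:
    """Two inside clients reach the same VPN server through one gateway (constructed)."""
    gw = PortMasquerader("203.0.113.1")      # assumed external address of the gateway
    server = "198.51.100.10"                 # assumed VPN server address
    results = {}
    for client in ("192.168.1.5", "192.168.1.6"):
        ike = udp_packet(client, server, ISAKMP_PORT, ISAKMP_PORT, b"ISAKMP")
        results[("udp", client)] = gw.outbound(ike)
        esp = esp_packet(client, server, spi=0x1000 + int(client[-1]), seq=1, data=b"\x00" * 16)
        try:
            results[("esp", client)] = gw.outbound(esp)
        except ValueError as err:
            results[("esp", client)] = str(err)
    return results


if __name__ == "__main__":
    for flow, outcome in demo().items():
        print(flow, "->", outcome)
```

Running the script shows both clients' IKE flows getting their own external port (61000 and 61001) while both ESP flows are rejected, which is exactly the gap the extra masquerade modules in the HOWTO exist to fill, and why Charlie suggests specific forwarding for a single client instead. The later standard answer to this problem is NAT traversal (RFC 3948), which wraps ESP inside UDP so that ordinary port-based NAT can track it.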