Firewall Wizards mailing list archives
IPSec between TIS Gauntlet and Raptor Eagle
From: "Paul L. Rogers" <rogerspl () datasync com>
Date: Thu, 11 Jun 1998 21:00:07 -0500 (CDT)
Good Morning/Evening/...!

We are attempting to establish an IPSec VPN between a Gauntlet 4.1 with GVPN 4.1 system (BSD 3.0) and a Raptor 4.x system (Solaris). I'm the guy on the Gauntlet end. Data has been changed in the included examples to protect the guilty (me!).

Our "configuration":

   10.42.42.x--Raptor---Internet---Gauntlet---208.42.42.x
   Other Net     |                     |          Pauls Net
                 |-209.42.42.1         |-210.42.42.1 <--Outside Interface
                                                         IP Addresses

We have had success with establishing what TIS calls a "Trusted Link" between the two sites. For example, I can telnet to a remote host (10.42.42.5) from a local host (208.42.42.10) with the packets between the Raptor and the Gauntlet encrypted. In this case, 10.42.42.5 should be receiving packets with a source IP address of 208.42.42.10.

However, my desire is to create a configuration that corresponds with what TIS calls a "Private Semi-trusted Link" (the Raptor site trusts the Gauntlet site totally, but the tunnel should terminate at the external interface of the Gauntlet with all traffic being passed through the Gauntlet proxies). I believe that this implies that at the Gauntlet end two IPSec definitions need to be made:

   1) Gauntlet (210.42.42.1/32) to Raptor (209.42.42.1/32)
   2) Gauntlet (210.42.42.1/32) to network (10.42.42.0/24)

Using gauntlet-admin, I have set up the following definitions:

Private Links

Don't forget to define the Remote Firewall as a Private Link as well as the Remote networks behind that Firewall.

   Type     Local Name         Remote Name
   ----------------------------------------------------------
   IPsec    Pauls Gauntlet     Other Ends Raptor
   IPsec    Pauls Net          Other Net

   Return to Previous Menu          Add New Link
==========================================================

Edit Private Encryption Links
-----------------------------

   Local Network Name:      Pauls Gauntlet
   Local Network Address:   210.42.42.1:255.255.255.255
   Remote Network Name:     Other Ends Raptor
   Remote Network Address:  209.42.42.1:255.255.255.255
   Gateway Address:         209.42.42.1
   Packet Format:           AH over ESP Tunnel without anti-replay
   Encryption Algorithm:    DES
   IV Length:               32 bit
   Authentication Algrthm:  HMAC-MD5
   Inbound Crypt Key:       3030303030303038
   Outbound Crypt Key:      3030303030303037
   Inbound Auth Key:        3030303030303036
   Outbound Auth Key:       3030303030303035
   Inbound ESP SPI (hex):   1008
   Outbound ESP SPI (hex):  1007
   Inbound AH SPI (hex):    1006
   Outbound AH SPI (hex):   1005

==========================================================

Edit Private Encryption Links
-----------------------------

   Local Network Name:      Pauls
   Local Network Address:   210.42.42.1:255.255.255.255
   Remote Network Name:     Other Ends
   Remote Network Address:  10.42.42.0:255.255.255.0
   Gateway Address:         209.42.42.1
   Packet Format:           AH over ESP Tunnel without anti-replay
   Encryption Algorithm:    DES
   IV Length:               32 bit
   Authentication Algrthm:  HMAC-MD5
   Inbound Crypt Key:       3030303030303034
   Outbound Crypt Key:      3030303030303033
   Inbound Auth Key:        3030303030303032
   Outbound Auth Key:       3030303030303031
   Inbound ESP SPI (hex):   1004
   Outbound ESP SPI (hex):  1003
   Inbound AH SPI (hex):    1002
   Outbound AH SPI (hex):   1001

==========================================================
With this configuration, I can telnet from the Gauntlet (210.42.42.1) to the Raptor (209.42.42.1) with the traffic encrypted. I can also telnet from a local host (208.42.42.10) to the Raptor (209.42.42.1) (which of course is equivalent to telnetting from the Gauntlet since I'm going through the telnet proxy). However, if I attempt to telnet from a local host (208.42.42.10) to the remote host (10.42.42.5), the connection fails and I *think* that the Raptor complains about "no defined endpoint".

Am I on the right track or have I missed something? Has anyone accomplished this with either a Raptor or Checkpoint box on the far end?

Thanks for your help!

Paul...

Paul L. Rogers                 RogersPL () datasync com
Are you prepared for NetDay?   http://www.netday.org
Linux: It works for me.        http://sunsite.unc.edu/LDP/
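The following is an added example, not code from the post and not Gauntlet or Raptor code. It models the two "Private Links" exactly as posted (network selectors, per-direction keys and SPIs) under the policy semantics generic to IPsec: an outbound packet is protected by the first entry whose local and remote networks cover its source and destination, and the far end must hold the mirror image of each entry, with inbound and outbound keys and SPIs swapped. It also models the one behaviour the post itself states, that a connection through a Gauntlet proxy leaves with the firewall's external address, which is why a proxied telnet from 208.42.42.10 to 10.42.42.5 is seen by the policy as 210.42.42.1 to 10.42.42.5, while a routed ("Trusted Link") packet keeps 208.42.42.10 and matches neither of the posted definitions. The `peer_view` function and the `via_proxy` flag are illustrative names of this example, not gauntlet-admin options. One practitioner check is included: the posted hex keys are eight bytes each, and decoding them shows they are ASCII digit strings such as "00000008".

```python
"""Selector matching and peer mirroring for the two manually keyed links in the post.

Added example; assumes generic IPsec policy semantics, not any vendor's exact lookup.
"""
import ipaddress

# Constructed from the two "Edit Private Encryption Links" screens in the post.
LINKS = [
    {
        "name": "Pauls Gauntlet <-> Other Ends Raptor",
        "local": "210.42.42.1/32", "remote": "209.42.42.1/32", "gateway": "209.42.42.1",
        "in_esp_spi": 0x1008, "out_esp_spi": 0x1007,
        "in_ah_spi": 0x1006, "out_ah_spi": 0x1005,
        "in_crypt_key": "3030303030303038", "out_crypt_key": "3030303030303037",
        "in_auth_key": "3030303030303036", "out_auth_key": "3030303030303035",
    },
    {
        "name": "Pauls Net <-> Other Net",
        "local": "210.42.42.1/32", "remote": "10.42.42.0/24", "gateway": "209.42.42.1",
        "in_esp_spi": 0x1004, "out_esp_spi": 0x1003,
        "in_ah_spi": 0x1002, "out_ah_spi": 0x1001,
        "in_crypt_key": "3030303030303034", "out_crypt_key": "3030303030303033",
        "in_auth_key": "3030303030303032", "out_auth_key": "3030303030303031",
    },
]

GAUNTLET_EXTERNAL = "210.42.42.1"                 # outside interface from the post's diagram
PAULS_NET = ipaddress.ip_network("208.42.42.0/24")  # inside network behind the Gauntlet


def select_link(src, dst, links=LINKS):
    """First link whose local network covers src and remote network covers dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for link in links:
        if s in ipaddress.ip_network(link["local"]) and d in ipaddress.ip_network(link["remote"]):
            return link
    return None


def egress_source(src, via_proxy):
    """Source address a packet carries when it leaves the Gauntlet.

    Through a proxy the connection is re-originated from the external interface
    (the post: proxied telnet "is equivalent to telnetting from the Gauntlet");
    a routed packet, as on a Trusted Link, keeps the inside host's address.
    """
    s = ipaddress.ip_address(src)
    if via_proxy and s in PAULS_NET:
        return GAUNTLET_EXTERNAL
    return str(s)


def peer_view(link):
    """Entry the far end must hold: networks swapped, each direction's key and SPI swapped.

    Manual SAs are one-directional, so the Gauntlet's inbound SPI/key is the
    Raptor's outbound SPI/key and vice versa.
    """
    peer = {"name": link["name"], "local": link["remote"], "remote": link["local"],
            "gateway": GAUNTLET_EXTERNAL}
    for field in ("esp_spi", "ah_spi", "crypt_key", "auth_key"):
        peer["in_" + field] = link["out_" + field]
        peer["out_" + field] = link["in_" + field]
    return peer


def key_as_ascii(hexkey):
    """Raw bytes behind a hex key, so its actual content (and length) can be inspected."""
    return bytes.fromhex(hexkey)


def walk(cases):
    """For each (src, dst, via_proxy) return which posted link, if any, would protect it."""
    results = []
    for src, dst, via_proxy in cases:
        link = select_link(egress_source(src, via_proxy), dst)
        results.append((src, dst, via_proxy, link["name"] if link else None))
    return results


if __name__ == "__main__":
    cases = [
        ("210.42.42.1", "209.42.42.1", False),   # the Gauntlet itself to the Raptor
        ("208.42.42.10", "209.42.42.1", True),   # inside host, via proxy, to the Raptor
        ("208.42.42.10", "10.42.42.5", True),    # inside host, via proxy, to the remote host
        ("208.42.42.10", "10.42.42.5", False),   # inside host routed with source preserved
    ]
    for row in walk(cases):
        print(row)
    print(peer_view(LINKS[1]))                   # what the Raptor side needs for link 2
    for link in LINKS:
        print(link["name"], key_as_ascii(link["in_crypt_key"]), len(key_as_ascii(link["in_crypt_key"])), "bytes")
```

Running it shows the three proxied or firewall-originated cases matching a posted link and the routed case matching none, which is the difference between the Trusted Link that already worked and the semi-trusted design being attempted. The `peer_view` output is the table to compare against the Raptor's definition for the 10.42.42.0/24 link: its local network must be 10.42.42.0/24, its remote 210.42.42.1/32, and its inbound ESP SPI 0x1003.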
Current thread:
- IPSec between TIS Gauntlet and Raptor Eagle Paul L. Rogers (Jun 12)
- RE: IPSec between TIS Gauntlet and Raptor Eagle Dale Lancaster (Jun 13)