VPN through two firewalls.
Kissingfish 2006-07-12, 1:14 am
Hi all..
I'm trying to set up a VPN connection through two firewalls.
My network is as follows:
| Internet | - |firewall| - | DMZ | - | firewall | - | lan |
Obviously I can go from the lan through the firewall, to the DMZ and
through the firewall to the internet.. But you can't go from the DMZ
onto the lan.. Or from the internet to the lan..
I want to know if there's a way I could VPN to the lan so I can use
remotedesktop or VNC to access my computer..
My DMZ has a 192.168.1.x IP range, whilst my LAN has a 192.168.168.x
range.
If I VPN to my first firewall, I won't be able to access anything on
the lan, and if I VPN to the second, well.. I can't get past the first
one..
Anyone ever done something like this before?

Kissingfish wrote:
> Hi all..
> I'm trying to set up a VPN connection through two firewalls.
> My network is as follows:
>
>
> | Internet | - |firewall| - | DMZ | - | firewall | - | lan |
>
> Obviously I can go from the lan through the firewall, to the DMZ and
> through the firewall to the internet.. But you can't go from the DMZ
> onto the lan.. Or from the internet to the lan..
>
> I want to know if there's a way I could VPN to the lan so I can use
> remotedesktop or VNC to access my computer..
>
> My DMZ has a 192.168.1.x IP range, whilst my LAN has a 192.168.168.x
> range.
>
> If I VPN to my first firewall, I won't be able to access anything on
> the lan, and if I VPN to the second, well.. I can't get past the first
> one..
>
> Anyone ever done something like this before?
>
Why not open up the inbound ports for vpn protocols on the outer
firewall so that you can then vpn to the second one ?
simon

Kissingfish 2006-07-12, 7:13 am
Simon wrote:
> Kissingfish wrote:
> Why not open up the inbound ports for vpn protocols on the outer
> firewall so that you can then vpn to the second one ?
> simon
Wouldn't that give the DMZ access to my LAN?

Kissingfish wrote:
> Simon wrote:
>
>
> Wouldn't that give the DMZ access to my LAN?
>
Depends where you are going to terminate the vpn connection. If the
internal firewall can do this then it shouldn't as access from the dmz
to lan will only be available for authenticated users. If you wanted to
VPN direct into your PC (XP pro supports one inbound VPN connection)
then you would need to open the VPN ports inbound on your internal
router as well. It would give the DMZ and internet access to the
internal machine, but only on the VPN ports, not full access.

Stephen J. Bevan 2006-07-12, 1:12 pm
"Kissingfish" <find.ivan@gmail.com> writes:
> I'm trying to set up a VPN connection through two firewalls.
> My network is as follows:
>
>
> | Internet | - |firewall| - | DMZ | - | firewall | - | lan |
>
> Obviously I can go from the lan through the firewall, to the DMZ and
> through the firewall to the internet.. But you can't go from the DMZ
> onto the lan.. Or from the internet to the lan..
>
> I want to know if there's a way I could VPN to the lan so I can use
> remotedesktop or VNC to access my computer..
>
> My DMZ has a 192.168.1.x IP range, whilst my LAN has a 192.168.168.x
> range.
>
> If I VPN to my first firewall, I won't be able to access anything on
> the lan, and if I VPN to the second, well.. I can't get past the first
> one..
>
> Anyone ever done something like this before?
If both firewalls support IPsec then you could do double tunnelling.
The outer firewall is configured to protect the DMZ subnet and
the inner firewall is set to protect the lan. Thus to connect to the
lan you create an IPsec connection to the outer firewall through which
you create an IPsec connection to the inner firewall and hence the lan.
If that all sounds like too much work try running Hamachi
<http://www.hamachi.cc> on any PCs on the LAN you want to talk to and
on your PC on the internet.
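As an added illustration (not code from the thread or from any firewall product), a small Python model of the double-tunnel path: the outer firewall strips the outer tunnel and forwards only IPsec bound for the inner firewall, and the inner firewall delivers only traffic that arrived inside an authenticated security association, so a DMZ host still cannot reach the LAN. Addresses outside the thread's 192.168.1.x and 192.168.168.x ranges, the SA names and the function names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "esp" for IPsec; otherwise the inner protocol, e.g. "rdp"
    spi: str = ""               # names the security association an ESP packet belongs to
    payload: "Packet | None" = None

OUTER_FW = "203.0.113.1"        # assumed public address of the outer firewall
INNER_FW = "192.168.1.1"        # assumed DMZ-side address of the inner firewall
LAN_PREFIX = "192.168.168."     # the thread's LAN range
# SAs exist only after a successful (authenticated) IKE exchange with that firewall.
OUTER_SAS, INNER_SAS = {"outer-sa-client"}, {"inner-sa-client"}

def decapsulate(pkt, fw_addr, sas):
    """An IPsec endpoint only strips ESP addressed to itself under a known SA."""
    if pkt.dst == fw_addr and pkt.proto == "esp" and pkt.spi in sas:
        return pkt.payload
    return None

def outer_firewall(pkt):
    """Ends the outer tunnel; output may only continue as IPsec to the inner firewall."""
    inner = decapsulate(pkt, OUTER_FW, OUTER_SAS)
    if inner is not None and inner.dst == INNER_FW and inner.proto == "esp":
        return inner
    return None

def inner_firewall(pkt):
    """Ends the inner tunnel; only traffic inside an authenticated SA reaches the LAN."""
    clear = decapsulate(pkt, INNER_FW, INNER_SAS)
    if clear is not None and clear.dst.startswith(LAN_PREFIX):
        return clear
    return None

def path_to_lan(pkt, origin):
    """Packet reaching the LAN, or None if dropped; origin is "internet" or "dmz"."""
    if origin == "internet":
        pkt = outer_firewall(pkt)
        if pkt is None:
            return None
    return inner_firewall(pkt)

def double_tunnelled_rdp():
    """Client's RDP packet wrapped twice, as in the thread's diagram (addresses constructed)."""
    rdp = Packet("192.168.168.200", "192.168.168.10", "rdp")
    inner = Packet("192.168.1.200", INNER_FW, "esp", "inner-sa-client", rdp)
    return Packet("198.51.100.7", OUTER_FW, "esp", "outer-sa-client", inner)
```

Terminating only the outer tunnel (an RDP packet inside the outer tunnel with no inner tunnel) is dropped by the outer firewall, which is the "VPN to the first firewall, can't reach the LAN" case from the original question.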

Kissingfish 2006-07-13, 1:14 am
Stephen J. Bevan wrote:
> "Kissingfish" <find.ivan@gmail.com> writes:
>
> If both firewalls support IPsec then you could do double tunnelling.
> The outer firewall is configured to protect the DMZ subnet and
> the inner firewall is set to protect the lan. Thus to connect to the
> lan you create an IPsec connection to the outer firewall through which
> you create an IPsec connection to the inner firewall and hence the lan.
>
> If that all sounds like too much work try running Hamachi
> <http://www.hamachi.cc> on any PCs on the LAN you want to talk to and
> on your PC on the internet.
We have hamachi running but it just scares me a bit, as it simply works
'too well'..
Furthermore, the reason why I can't run it is because you can't specify
individual passwords like you can VPN, and hence disable them at your
will..

Kissingfish 2006-07-13, 1:14 am
Stephen J. Bevan wrote:
> "Kissingfish" <find.ivan@gmail.com> writes:
>
> If both firewalls support IPsec then you could do double tunnelling.
> The outer firewall is configured to protect the DMZ subnet and
> the inner firewall is set to protect the lan. Thus to connect to the
> lan you create an IPsec connection to the outer firewall through which
> you create an IPsec connection to the inner firewall and hence the lan.
>
> If that all sounds like too much work try running Hamachi
> <http://www.hamachi.cc> on any PCs on the LAN you want to talk to and
> on your PC on the internet.
Is this what you're suggesting?
                    _____               _____
WAN                |     |    DMZ      |     |    LAN
                   |     |             |     |
===================|     |             |     |
 OUTER tunnel      |     |             |     |
----------------------------------------------------
                 INNER tunnel
----------------------------------------------------
                   |     |             |     |
===================|     |             |     |
                   |     |             |     |
                   |_____|             |_____|
Which is quite cool conceptually. I don't know how it would work from
the workstation. I suspect you would need two VPN connections -- one on
top of the physical NIC to connect to the outer firewall, then another
on top of the first VPN "adapter" to connect to the inner firewall.
This would be hard to set up on each workstation, but I think it would
in fact work.

Kissingfish 2006-07-13, 1:14 am
Stephen J. Bevan wrote:
> "Kissingfish" <find.ivan@gmail.com> writes:
>
> If both firewalls support IPsec then you could do double tunnelling.
> The outer firewall is configured to protect the DMZ subnet and
> the inner firewall is set to protect the lan. Thus to connect to the
> lan you create an IPsec connection to the outer firewall through which
> you create an IPsec connection to the inner firewall and hence the lan.
>
> If that all sounds like too much work try running Hamachi
> <http://www.hamachi.cc> on any PCs on the LAN you want to talk to and
> on your PC on the internet.
wouldn't it be easier just to have one dynamic tunnel from the client
to the outer FW and then a peer to peer static VPN from the outer FW to
the inner FW and just get the outer FW to do the routing?

Kissingfish 2006-07-13, 1:14 am
Kissingfish wrote:
> Stephen J. Bevan wrote:
>
>
> Is this what you're suggesting?
>
>
>                     _____               _____
> WAN                |     |    DMZ      |     |    LAN
>                    |     |             |     |
> ===================|     |             |     |
>  OUTER tunnel      |     |             |     |
> ----------------------------------------------------
>                  INNER tunnel
> ----------------------------------------------------
>                    |     |             |     |
> ===================|     |             |     |
>                    |     |             |     |
>                    |_____|             |_____|
>
> Which is quite cool conceptually. I don't know how it would work from
> the workstation. I suspect you would need two VPN connections -- one on
> top of the physical NIC to connect to the outer firewall, then another
> on top of the first VPN "adapter" to connect to the inner firewall.
>
> This would be hard to set up on each workstation, but I think it would
> in fact work.
Well that might not have worked.. =/
Essentially, the outer tunnel ends on the first firewall, but there's
an inner tunnel that goes through both firewalls..

Stephen J. Bevan 2006-07-15, 1:12 am
"Kissingfish" <find.ivan@gmail.com> writes:
> We have hamachi running but it just scares me a bit, as it simply works
> 'too well'..
> Furthermore, the reason why I can't run it is because you can't specify
> individual passwords like you can VPN, and hence disable them at your
> will..
A Hamachi network can have a password so if you create one network per
user then you can disable a user by disabling the network. Exactly
how practical this is depends on how many users you have.

Stephen J. Bevan 2006-07-15, 1:12 am
"Kissingfish" <find.ivan@gmail.com> writes:
> wouldn't it be easier just to have one dynamic tunnel from the client
> to the outer FW and then a peer to peer static VPN from the outer FW to
> the inner FW and just get the outer FW to do the routing?
I suggested the double tunnel approach because I (mis)understood from
a previous reply that you didn't want to create a permanent link
between the two firewalls. I assumed this was because you were
worried that if outer firewall is compromised then this would then
provide access through your inner firewall over the tunnel.

Stephen J. Bevan 2006-07-15, 1:12 am
"Kissingfish" <find.ivan@gmail.com> writes:
> Is this what you're suggesting?
>
>
>                     _____               _____
> WAN                |     |    DMZ      |     |    LAN
>                    |     |             |     |
> ===================|     |             |     |
>  OUTER tunnel      |     |             |     |
> ----------------------------------------------------
>                  INNER tunnel
> ----------------------------------------------------
>                    |     |             |     |
> ===================|     |             |     |
>                    |     |             |     |
>                    |_____|             |_____|
>
> Which is quite cool conceptually. I don't know how it would work from
> the workstation. I suspect you would need two VPN connections -- one on
> top of the physical NIC to connect to the outer firewall, then another
> on top of the first VPN "adapter" to connect to the inner firewall.
>
> This would be hard to set up on each workstation, but I think it would
> in fact work.
Yes that's what I'm suggesting and it does work, though whether it can
work for you depends on whether your workstation VPN software can
handle it.

Kissingfish 2006-07-17, 1:12 am
Stephen J. Bevan wrote:
> "Kissingfish" <find.ivan@gmail.com> writes:
>
> A Hamachi network can have a password so if you create one network per
> user then you can disable a user by disabling the network. Exactly
> how practical this is depends on how many users you have.
I'm sorry, but what exactly do you mean by one network per user?

Stephen J. Bevan 2006-07-17, 1:12 pm
"Kissingfish" <find.ivan@gmail.com> writes:
> Stephen J. Bevan wrote:
>
> I'm sorry, but what exactly do you mean by one network per user?
In Hamachi a user can name a network and optionally give it a
password. Then the user gives out the name of the network and
password to anyone they want to allow to communicate with them. This
is a many to one model and does not allow revoking the access of
individual users.
So instead of giving the name and password to multiple other users the
user creates multiple networks one for each user they want to allow to
communicate with them. Since each network has a name&password this
provides the same access restrictions as a traditional VPN. The
access of an individual user can be revoked by removing/changing the
password for the network associated with that user.

Kissingfish 2006-07-18, 7:12 pm
Stephen J. Bevan wrote:
> "Kissingfish" <find.ivan@gmail.com> writes:
>
> In Hamachi a user can name a network and optionally give it a
> password. Then the user gives out the name of the network and
> password to anyone they want to allow to communicate with them. This
> is a many to one model and does not allow revoking the access of
> individual users.
>
> So instead of giving the name and password to multiple other users the
> user creates multiple networks one for each user they want to allow to
> communicate with them. Since each network has a name&password this
> provides the same access restrictions as a traditional VPN. The
> access of an individual user can be revoked by removing/changing the
> password for the network associated with that user.
By 'network' do you mean 'virtual' network?
What happens if I've 10 users trying to log on to the same network?

Stephen J. Bevan 2006-07-19, 1:13 am
"Kissingfish" <find.ivan@gmail.com> writes:
> By 'network' do you mean 'virtual' network?
> What happens if I've 10 users trying to log on to the same network?
By 'network' I mean what Hamachi calls a 'network' i.e. it's a name and
a password and anyone with the name and password can join the group
and exchange traffic via Hamachi with anyone else who has successfully
joined the network. If you don't know the name&password then you
can't join and hence exchange any traffic. Thus 10 users can only
successfully log onto the same network if they all have the password.
In your case I'm suggesting you define a network per user
(technically per pair that want to talk) so that it is never possible
for more than two users -- you and the other user you give the
password to -- to connect to that network. That way, if you want to
stop a user being able to connect to you, you just change the password
for the 'network' you originally gave them access to (or alternately
block them from joining -- I think I saw mention of that feature in
Hamachi >= 1.0 or perhaps the premium version).