[pptp-server] [off-topic] PPTP on a 2 layer firewall
Shanker Balan
shanu at exocore.com
Mon Oct 15 00:09:05 CDT 2001
Hello:
What is "the" way to add VPN to a network? My client has a 2-layer
firewall setup comprising 2 Linux boxes.
The network looks like this:
              +-------------+            +------------+               +-------+
Internet ->   | Firewall-1  |  10.0.0.x  | Firewall-2 |  192.168.x.x  |  LAN  |
              |   PopTop    |----------->|            |-------------->|       |
              +-------------+            +------------+               +-------+
In the current setup, the PPTP VPN connection lands on Firewall-1 and
gets an IP address in the 10.0.1.x segment. Firewall-2 will only accept
packets from Firewall-1 (10.0.0.x segment). Since the VPN connection is
on another subnet altogether (10.0.1.x), I have to masquerade the
VPN connection so that Firewall-2 will accept it. I have to masquerade
it once again on Firewall-2 as the LAN is again on another network
altogether - 192.168.x.x.
VPN -> Firewall-1 (NAT) -> Firewall-2 (NAT) -> LAN
Some of the shortcomings I see with this setup are the following:
- This setup makes the firewall redundant. I can directly access any
machine on the LAN from Firewall-1 as Firewall-2 masquerades all
connections from Firewall-1
- Cannot track VPN user access. Since the VPN connection is NAT'ed over twice
(once on Firewall-1 and then again on Firewall-2), all connections made
to the LAN have their originating IP set to Firewall-2.
- Cannot put access controls on VPN users
Don't ask me why things were done this way, but the damage has been done.
Now, how do I replace this setup with a more "secure" one?
Should I port forward the PPTP ports onto Firewall-2 and then give the VPN
connection an address in the 192.168.x.x range? Will dedicating a
separate VPN box exclusively for handling VPN traffic increase security?
It would be great if I could get some VPN implementation details from
people running VPN on a 2-layer firewall setup. IOW, how do the pros do
it? :)
Any help greatly appreciated.
-- Shanu
--
Princess Leia Organa:
Help me, Obi-wan Kenobi. You're my only hope.