SLUG Mailing List Archives
[SLUG] Site to Site VPN
- To: slug@xxxxxxxxxxx
- Subject: [SLUG] Site to Site VPN
- From: Peter Rundle <prundle@xxxxxxxxxxxxxxxxxx>
- Date: Sun, 31 May 2009 11:45:11 +1000
- User-agent: Thunderbird 220.127.116.11 (X11/20080505)
I've been asked by a friend to help configure a VPN between a Linux (CentOS) box (which he's given me control of) and a corporate
network accessed via a Juniper Network VPN device.
I'm in need of a few clue sticks and would appreciate some advice about what software to install on the Linux machine and pointers
to good URL's etc to read up on.
The corporate VPN policy only supports network to network VPN's and I have been provided with the following info:
202.X.X.X The IP address of the corporate VPN server,
10.Y.Y.0/24 The private network on the corporate side that will be accessed via the VPN.
************ A Pre-Shared key
Phase 1 Encryption 3DES, Hash SHA,
Phase 2 Encryption 3DES, Hash SHA, PFS
Now I don't have a network on my side, just the one box, so a road warrior config is what is really required but see Corporate
policy above. I have provided the fixed real world IP of the Linux box to them and they are now asking for the address range of my
private network so that they can set up the route on their side to send reply packets back via the Juniper VPN device.
So I'm thinking that I can add a private address or two to the Nic card and using IPtables source nat the packets so that when an
application on the linux box sends a packet to 10.Y.Y.1 I can mangle the packet sufficiently for it to be routed down the VPN and
come back again.
Recommended Linux Software?
Is my idea for the "faux" network on my side realistic?
Open VPN is installed on the Linux box but from what I've read it's talking about public/private key openSSL kinda stuff with a
ca.key, certificates etc, where as this setup is a pre-shared key arrangement. I have a bit of a clue but I'm not exactly VPN Jedi
Knight status so understand the concept of the pre-shared key but not the details of how to configure it with the triple DES, SHA
hash stuff above.