Re: Linux/Windows pure SSL "VPN" Solution

On Wed, Jun 02, 2004 at 02:10:08PM -0400, Small, Jim wrote:
> I have a situation (common) where I need access to my corporate network, but
> the vendor will only allow traffic over ports 80 and 443.  The vendor would
> like me to do an SSL VPN as they do not want to open other ports (read--no
> IPSec).  I would like to do a Linux proof of concept solution using iptables
> and some sort of Open Source SSL VPN (Linux server sitting on the Internet
> or in one of our DMZs).

> This looks promising:  http://www.hsc.fr/ressources/outils/ssltunnel/
> It's just what I'm looking for but it doesn't support Windows clients.

	When I've been forced to do this, I generally use ppp over stunnel,
<www.stunnel.org>.  There are Windows binaries for stunnel, but getting
ppp running on that side may be a challenge.

	My general preference is IPSec NAT-T, which runs over 500/udp
and then 4500/udp, when straight IPSec (IP 50/51) is blocked but UDP
is open.

	Worst comes to worst, check out CCTT.  The Covert Channel Tunneling
Tool.  Lots of goodies in that set for tunneling under the worst of
circumstances.

	Whichever I use, I then layer IPv6 over top of that transport
and then have a complete routable addressable infrastructure I can access.

> I've looked at OpenVPN, CIPE, and vTun, but none of them appear to work only
> over port 443.  OpenVPN works over 443, but also requires UDP/5000 which is
> not possible.

	They have all UDP ports blocked (inbound and outbound)?  That
could be challenging, then.  Generally, once you initiate a connection
from the inside out, you can keep the ports open.  IPSec NAT-T seems
to include a keep-alive that keeps NAT tables fresh once the SAs are
established.

> Does anyone know of a pure (TCP/443 only) SSL Open Source solution?

> Thanks,
>    <> Jim

> PS  I realize this is not a pure iptables question, so I'm prepared for
> flames...  ;-)

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@xxxxxxxxxxxx
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
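
What the "ppp over stunnel" arrangement Mike mentions looks like wired up, as an added example that is not part of the original thread and not a file shipped by the stunnel or ppp projects. It uses stunnel 4 section-style config: on the server, stunnel listens on TCP/443, terminates TLS and spawns pppd on the decrypted stream; on the client, pppd's `pty` option starts stunnel in inetd mode so the two pppds talk through the TLS connection. The hostname vpn.example.com, the 10.8.0.x addresses, the /etc/stunnel/*.pem paths and the use of pppd's +ipv6 (to carry the IPv6 overlay Mike describes) are all assumptions, as is that the vendor network passes raw TCP to port 443 rather than forcing everything through an HTTP proxy. `verify = 2` on both sides is the part a practitioner should not drop: without a client certificate check, a pppd listener on 443 is an anonymous door into the corporate network.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Generates the stunnel 4 configs for ppp-over-TLS on TCP/443.
# Assumed (not from the page): vpn.example.com, 10.8.0.1/10.8.0.2,
# the /etc/stunnel/*.pem cert paths, and a pppd built with IPv6 support.

write_stunnel_ppp_configs() {
    dir="$1"
    mkdir -p "$dir"

    # Server side: stunnel owns the 443 listener. verify = 2 rejects any
    # client without a cert signed by the CA in CAfile, so the listener
    # is not an open entry point. exec/execargs start pppd per connection;
    # pppd's 'notty' makes it use stdin/stdout (the decrypted stream).
    cat > "$dir/server.conf" <<'EOF'
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.pem
CAfile = /etc/stunnel/client-ca.pem
verify = 2
pid = /var/run/stunnel-ppp.pid

[ppp]
accept = 443
exec = /usr/sbin/pppd
execargs = pppd 10.8.0.1:10.8.0.2 notty noauth nodetach +ipv6
EOF

    # Client side: no [section] and no 'accept', which puts stunnel in
    # inetd mode (stdin/stdout are the plaintext side). It is launched by
    # pppd via the 'pty' option, see client_pppd_command below.
    # verify = 2 with CAfile checks the server cert so the client cannot
    # be handed to an impostor on the way out.
    cat > "$dir/client.conf" <<'EOF'
client = yes
foreground = yes
cert = /etc/stunnel/client.pem
key = /etc/stunnel/client.pem
CAfile = /etc/stunnel/server-ca.pem
verify = 2
connect = vpn.example.com:443
EOF
}

# The pppd invocation on the client. 'noipdefault' takes the address the
# server hands out; '+ipv6' must match the server side or IPv6CP is
# rejected and only IPv4 comes up.
client_pppd_command() {
    printf '%s\n' \
      'pppd noauth nodetach noipdefault +ipv6 pty "stunnel /etc/stunnel/client.conf"'
}

# Usage: sh this-script.sh /etc/stunnel   (writes server.conf and client.conf)
if [ "$#" -ge 1 ]; then
    write_stunnel_ppp_configs "$1"
    echo "client side:"
    client_pppd_command
fi
```

Once ppp0 is up on both ends, the corporate prefixes (and the IPv6 overlay) are routed across it like any other point-to-point link; only TCP/443 crosses the vendor's filter.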
