Openswan Network Traversal

2004-06-20 Other

A while ago I posted that I had managed to get a VPN between Checkpoint NG and a smoothwall personal firewall. This setup was a rather regular one, with Express 2.0 release of smoothwall and r54 checkpoint running on a Nokia with the latest security patches enabled.

I’ve actually updated and had an even easier time with openswan on the same setup and for ease of administration through the Smoothwall web gui I installed the modification VPN pack 3. This is great when both ends of the firewall have public IP addresses on the outside, but what happens when they are nat’td?. As it happens this is the same setup that I wanted to achieve with another network.

Firstly as I am using fairly standard linux tools on the smoothwall end there is no reason that you can’t set this up on anything that supports openswan and NAT traversing. Secondly the checkpoint was still on a fixed public IP and I haven’t tested this on anything else.

The easiest way of setting this up was to install the network traversal patched kernel which provides the 2.4.26 kernel with a ESPinUDP patch, this should be installed after all the fixes, openswan and VPN pack 3. Once this is installed and rebooted, input all the default information such as the IP address of the outside address, the inside subnet. And create a new profile. I was using just 3DES encryption so input these into the IKE and ESP parameters field, and saved. After this create a new connection.

The left address but the IP address of the Red (outside) interface, and in subnet put the inside IP address range with subnet. In the ID field put the outside IP Address of the router. The right corresponds to the remote interface, so in the address field put the outside IP address, and in the subnet put the inside network information with subnet. For the security information put in all the IKE and ESP as above. And thats basically it. On the checkpoint side see my old entry as this still applies and that should be basically it. Any questions send me an email.