[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Binat roaming vpn clients
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Binat roaming vpn clients
- From: Jean-Christophe Sicard <jc_(_at_)_sic-net_(_dot_)_ca>
- Date: Thu, 12 May 2005 01:43:32 -0400
The situation is as follows:
I've setup isakmp for roaming clients vpn access with only shared secret
Roaming users use the windows ipsec client to connect, which works
fine.(albeit with some manual intervention when local ip changes but
still it works.)
Now the thing is it use to be that I was the only one connecting through
the vpn, but I've now started giving access to some others too.
The issue at hand is two fold: I...
a) Would like some more granular (ie: user level) authentication, access
control and accountability, somewhat like PIXes do with nasty x-auth.
b) Would like to have users access the internal network with a specific
pool of IPs, preferably in a per user IP assignemt system, (whereafaik
virtual IPs aren't supported by isakmp.)
Now I know that using x509 certs auth could potentially solve both
issues, both I would prefer using an authpf solution...
The senario would be like this:
User establishes the vpn tunnel with shared secret auth.
All traffic is blocked with pf on from enc0.
User ssh into authpf shell to load appropriate pass rules on enc0 for
the client as well as a binat rule for the client's local "vpn" ip...
Now I don't forsee any problem with the access filtering part (issue
"a)") of the authpf setup.
For issue "b)" however, from my tests on 3.6 stable, it doesn't seem
possible to binat my incoming traffic from the vpn clients on enc0. And
the reason (I think!) I want to binat on enc0 rather than my IntIF is
that I need to distinguish incoming traffic from the VPN and possible
non encrypted (via InternetIF for example) connections from the same IP
(tunnel endpoint) which should not be binated.
So I guess my questions are:
- Can I binat incoming decrypted vpn traffic on enc0?
- If not, should a workaround like "pass in on enc0 tag vpn_traffic"
with a "binat on $IntIF from $user_ip to any tagged vpn_traffic ->
192.168.10.X" work on 3.7 (as binat tagged isn't supported in 3.6)?
- Am I thinking too much and binating directly on $IntIF from $user_ip
without tagging would be perfectly safe of accidental collisions?
- Any other clues?