IPSec between TIS Gauntlet and Raptor Eagle

Paul L. Rogers rogerspl@datasync.com
Thu, 11 Jun 1998 21:00:07 -0500 (CDT)


Good Morning/Evening/...!

We are attempting to establish an IPSec VPN between a Gauntlet
4.1 with GVPN 4.1 system (BSD 3.0) and a Raptor 4.x system
(Solaris).  I'm the guy on the Gauntlet end.

Data has been changed in the included examples to protect the
guilty (me!).

Our "configuration":

10.42.42.x--Raptor---Internet---Gauntlet---208.42.42.x
Other Net       |-209.42.42.1    |-210.42.42.1 <--Outside Interface
                                   Pauls Net      IP Addresses

We have had success with establishing what TIS calls a 
"Trusted Link" between the two sites.

For example, I can telnet to a remote host (10.42.42.5) from a
local host (208.42.42.10) with the packets between the Raptor
and the Gauntlet encrypted.  In this case, 10.42.42.5 should
be receiving packets with a source IP address of 208.42.42.10.

However, my desire is to create a configuration that
corresponds with what TIS calls a "Private Semi-trusted Link"
(the Raptor site trusts the Gauntlet site totally, but the
tunnel should terminate at the external interface of the
Gauntlet with all traffic being passed through the Gauntlet
proxies).

I believe that this implies that at the Gauntlet end two IPSec
definitions need to be made:
   1) Gauntlet (210.42.42.1/32) to Raptor  (209.42.42.1/32)
   2) Gauntlet (210.42.42.1/32) to network (10.42.42.0/24)

Using gauntlet-admin, I have set up the following definitions:

                                  Private Links

  Don't forget to define the Remote Firewall as a Private
  Link as well as the Remote networks behind that Firewall.

 Type                  Local Name               Remote Name
 ----------------------------------------------------------
 IPsec             Pauls Gauntlet         Other Ends Raptor
 IPsec                  Pauls Net                 Other Net


                               Return to Previous Menu
                                    Add New Link
>==========================================================<
                          Edit Private Encryption Links
                          -----------------------------

   Local Network Name:      Pauls Gauntlet
   Local Network Address:   210.42.42.1:255.255.255.255
   Remote Network Name:     Other Ends Raptor
   Remote Network Address:  209.42.42.1:255.255.255.255
   Gateway Address:         209.42.42.1
   Packet Format:           AH over ESP Tunnel without anti-replay
   Encryption Algorithm:    DES
   IV Length:               32 bit
   Authentication Algrthm:  HMAC-MD5
   Inbound Crypt Key:       3030303030303038
   Outbound Crypt Key:      3030303030303037
   Inbound Auth Key:        3030303030303036
   Outbound Auth Key:       3030303030303035
   Inbound ESP SPI (hex):   1008
   Outbound ESP SPI (hex):  1007
   Inbound AH SPI (hex):    1006
   Outbound AH SPI (hex):   1005

>==========================================================<
                          Edit Private Encryption Links
                          -----------------------------

   Local Network Name:      Pauls
   Local Network Address:   210.42.42.1:255.255.255.255
   Remote Network Name:     Other Ends
   Remote Network Address:  10.42.42.0:255.255.255.0
   Gateway Address:         209.42.42.1
   Packet Format:           AH over ESP Tunnel without anti-replay
   Encryption Algorithm:    DES
   IV Length:               32 bit
   Authentication Algrthm:  HMAC-MD5
   Inbound Crypt Key:       3030303030303034
   Outbound Crypt Key:      3030303030303033
   Inbound Auth Key:        3030303030303032
   Outbound Auth Key:       3030303030303031
   Inbound ESP SPI (hex):   1004
   Outbound ESP SPI (hex):  1003
   Inbound AH SPI (hex):    1002
   Outbound AH SPI (hex):   1001

>==========================================================<

With this configuration, I can telnet from the Gauntlet
(210.42.42.1) to the Raptor (209.42.42.1) with the traffic
encrypted.  I can also telnet from a local host (208.42.42.10)
to the Raptor (209.42.42.1) (which of course is equivalent to
telnetting from the Gauntlet since I'm going through the telnet
proxy).  However, if I attempt to telnet from a local host
(208.42.42.10) to the remote host (10.42.42.5), the connection
fails and I *think* that the Raptor complains about "no
defined endpoint".

Am I on the right track or have I missed something?  Has
anyone accomplished this with either a Raptor or Checkpoint
box on the far end?

Thanks for your help!

Paul...

Paul L. Rogers                    RogersPL@datasync.com
Are you prepared for NetDay?      http://www.netday.org
Linux: It works for me.           http://sunsite.unc.edu/LDP/
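Added example, not from Paul's post nor from TIS or Raptor: the two "Edit Private Encryption Links" screens modelled as IPsec selectors in Python, to see which link a given flow would use and to sanity-check the SPI and key fields. The address/SPI/key values are the sanitised ones from the post; first-match selector lookup and the 8-byte DES key length check are my assumptions about how such a manual-keyed table is evaluated.

```python
import binascii
import ipaddress

def parse_net(spec):
    """Parse the gauntlet-admin 'address:netmask' field into an IPv4 network."""
    addr, mask = spec.split(":")
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

# Constructed from the two "Edit Private Encryption Links" screens in the post.
LINKS = [
    {"name": "Pauls Gauntlet -> Other Ends Raptor",
     "local": "210.42.42.1:255.255.255.255",
     "remote": "209.42.42.1:255.255.255.255",
     "spi": {"esp_in": 0x1008, "esp_out": 0x1007, "ah_in": 0x1006, "ah_out": 0x1005},
     "keys": {"crypt_in": "3030303030303038", "crypt_out": "3030303030303037",
              "auth_in": "3030303030303036", "auth_out": "3030303030303035"}},
    {"name": "Pauls -> Other Ends",
     "local": "210.42.42.1:255.255.255.255",
     "remote": "10.42.42.0:255.255.255.0",
     "spi": {"esp_in": 0x1004, "esp_out": 0x1003, "ah_in": 0x1002, "ah_out": 0x1001},
     "keys": {"crypt_in": "3030303030303034", "crypt_out": "3030303030303033",
              "auth_in": "3030303030303032", "auth_out": "3030303030303031"}},
]

def match_link(src, dst):
    """Return the name of the first link whose selectors cover src -> dst, else None.
    A flow from an inside host (208.42.42.x) only matches after the proxy has
    re-sourced it from the outside interface (assumption about proxy behaviour)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for link in LINKS:
        if s in parse_net(link["local"]) and d in parse_net(link["remote"]):
            return link["name"]
    return None

def check_links(links=LINKS):
    """Flag SPIs reused across SAs and manual keys that are printable ASCII (guessable)."""
    issues, seen = [], {}
    for link in links:
        for role, spi in link["spi"].items():
            if spi in seen:
                issues.append(f"SPI {spi:#x} reused by {seen[spi]} and {link['name']}/{role}")
            seen[spi] = f"{link['name']}/{role}"
        for role, key in link["keys"].items():
            raw = binascii.unhexlify(key)
            if role.startswith("crypt") and len(raw) != 8:
                issues.append(f"{link['name']}/{role}: DES key must be 8 bytes")
            if all(32 <= b < 127 for b in raw):
                issues.append(f"{link['name']}/{role}: key is printable ASCII {raw!r}")
    return issues
```

Run against the posted table, `match_link` shows that 208.42.42.10 -> 10.42.42.5 matches nothing until the proxy re-sources it as 210.42.42.1, and `check_links` reports all eight keys as ASCII digit strings.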