
Thread: Tunneling thru cisco routers

  1. #11
    Senior Member
    Join Date
    Jul 2003
    Posts
    114
    With regard to the BGP &c., that only applies (AFAIK) to VPNs that terminate on the router. So, if one of your ISPs is friendly, they can help you out. Otherwise, that is not relevant to the current discussion. (Not that it isn't useful, mind you.)

    One thing that I do not know about Highlander and embalmedlenin's situation is this: which endpoints are accessible to the internet, and do you control any other hosts that are on an open network? You're going to need at least one non-NAT'd box to route your communications. If it's one of the endpoints, then you establish the tunnel connection from the other box. If neither of the endpoints are directly accessible, you're going to need a 3rd, accessible host to maintain the tunnel. For instance:
    Code:
                      +----------+  +-------------+  +----------+
    endpoint1 -- 80 --|----------|->|<----------->|<-|----------|-- 443 -- endpoint2
                      | firewall |  | 3rd machine |  | firewall |
                      +----------+  +-------------+  +----------+
    If this is the case, then I withdraw my earlier claim of "easy". I mean, it's still technically pretty easy, but it's definitely a PITA.

  2. #12
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    embalmedlenin doesn't have access to the router or the FW to config tunnels. He wants to break into his high school network from home unauthorized and access his computer or the network in general. He's not an admin, just a user on the network (maybe).

    http://www.antionline.com/showthread...595#post681622

    What you're looking for is more like this:

    Gaining an interactive shell through SSL tunneling

    http://www.antionline.com/showthread...hreadid=250494

    What you can accomplish with this is expulsion from school and possible jail time. I'm not judging you, just warning you. If you want to learn this stuff, do it on a home network. Set up a lab. If you just go ahead and do it, you may just stick out like a sore thumb and get caught like a fool.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  3. #13
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Gaining an interactive shell through SSL tunneling
    If I may continue with this thought, any FW admin worth his salt will be watching for this. Hint, hint.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #14
    Senior Member
    Join Date
    Jul 2003
    Posts
    114
    Most FW admins are not worth their salt. :-/

  5. #15
    Senior Member
    Join Date
    Sep 2003
    Posts
    156
    You don't need BGP for any sort of VPN. BGP is an external routed protocol. It advertises routes to its neighbors in the given AS number (Autonomous System). I don't understand how BGP would be needed. I've set up many router-to-router and firewall-to-router VPNs; BGP wasn't used in any of the solutions, and some of them even crossed multiple carriers.

    ISPs use BGP to advertise their routes to their upstream providers, other carriers and/or sometimes their customers (i.e. someone wants to load balance two T-1 circuits).

    In short: whatever host you are connecting to, the firewall needs to have ports opened for it.

    Any port forwarders or anything like that won't help, because the machine you are connecting to is LISTENING on some port. Unless it makes an outgoing connection first that you can ride in on or take control of, then it ain't happening. Most firewalls will drop connections initiated from the outside, unless the appropriate ports are opened and traffic is allowed.

  6. #16
    Senior Member
    Join Date
    Jul 2003
    Posts
    114
    tekno: I would not be surprised if some Cisco VPN solutions used BGP to open up various VLANs based on your VPN credentials.

    That said, yeah, you're generally right.

  7. #17
    Senior Member
    Join Date
    Sep 2003
    Posts
    156
    I don't want to go beyond the scope of this thread, but technically, you could use BGP to distribute VPN routing information for an MPLS-VPN solution, for example, but that includes work on your provider's side, and I highly doubt they will do that just so one little customer can connect to some machine. Still, you would have to configure both endpoints.

    j3r: can you explain how BGP would be used to open VLANs based on your VPN credentials?

  8. #18
    Senior Member
    Join Date
    Jul 2003
    Posts
    114
    Basically what you said. I imagine internal routers get BGP info from the VPN server to determine what ports to open to what VLANs. I haven't actually seen this done, but imagine it might be done on a big korporate LAN.

  9. #19
    Senior Member
    Join Date
    Sep 2003
    Posts
    156
    VPN servers wouldn't hand out BGP routing updates. That would all happen on the routers which would be BGP neighbors.

    The best way to do it would be to put your VPN server in a DMZ and set your client software to connect to that IP address. If you were doing a router-to-router or firewall-to-firewall or even a router-to-firewall VPN, then both sides would have their crypto peers defined so it will know where to go. It would know where to go once it hits the router and the router looks up in its routing table where to send the packet. BGP or any routing protocol is transparent to the actual VPN connection itself.
    t.e.k.n.o.
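As an added example (not from any post in this thread), here is what "both sides have their crypto peers defined" looks like for a router-to-router IPsec VPN on Cisco IOS, with the routing table deciding egress first and the crypto map on that interface doing the encryption, as t.e.k.n.o. describes. The addresses, LAN ranges, object names and the `<PSK>` placeholder are assumptions.

```cisco
! Router A (outside 203.0.113.1, inside 10.1.0.0/16) peering with
! Router B (outside 198.51.100.1, inside 10.2.0.0/16). Addresses are
! assumed documentation ranges; replace <PSK> with a real pre-shared key.
!
! Phase 1 (IKE): how the two peers authenticate and protect negotiation
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK> address 198.51.100.1
!
! Phase 2 (IPsec): how the data itself is protected
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting" traffic: only packets between the two private LANs are
! encrypted; everything else leaves the interface in the clear
ip access-list extended VPN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! The crypto map ties the peer, the transform set and the ACL together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set VPN-TS
 match address VPN-ACL
!
! Apply the map on the outside interface; the crypto peer is configured
! statically here and is not learned from BGP or any routing protocol
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP
!
! Ordinary routing still picks the egress interface first: a route for the
! far LAN points out the outside interface, and the crypto map applied
! there then encrypts the packet before it leaves
ip route 10.2.0.0 255.255.0.0 203.0.113.254
!
! Router B mirrors this with the peer address and LANs swapped:
!   crypto isakmp key <PSK> address 203.0.113.1
!   permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!   set peer 203.0.113.1
!   ip route 10.1.0.0 255.255.0.0 198.51.100.254
```

If the VPN endpoint sits behind a firewall in a DMZ, that firewall must permit UDP/500 (IKE), UDP/4500 (NAT-T) and ESP (IP protocol 50) to it, which is the "ports opened for it" point from post #15.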
