-
November 19th, 2003, 05:00 PM
#11
With regard to the BGP &c., that only applies (AFAIK) to VPNs that terminate on the router. So, if one of your ISPs is friendly, they can help you out. Otherwise, that is not relevant to the current discussion. (Not that it isn't useful, mind you.)
One thing that I do not know about Highlander and embalmedlenin's situation is this: which endpoints are accessible to the internet, and do you control any other hosts that are on an open network? You're going to need at least one non-NAT'd box to route your communications. If it's one of the endpoints, then you establish the tunnel connection from the other box. If neither of the endpoints are directly accessible, you're going to need a 3rd, accessible host to maintain the tunnel. For instance:
Code:
                  +----------+  +-------------+  +----------+
endpoint1 -- 80 --|----------|->|<----------->|<-|----------|-- 443 -- endpoint2
                  | firewall |  | 3rd machine |  | firewall |
                  +----------+  +-------------+  +----------+
If this is the case, then I withdraw my earlier claim of "easy". I mean, it's still technically pretty easy, but it's definitely a PITA.
-
November 19th, 2003, 08:50 PM
#12
embalmedlenin doesn't have access to the router or the FW to config tunnels. He wants to break into his high school network from home unauthorized and access his computer or the network in general. He's not an admin, just a user on the network (maybe).
http://www.antionline.com/showthread...595#post681622
What you're looking for is more like this:
Gaining an interactive shell through SSL tunneling
http://www.antionline.com/showthread...hreadid=250494
What you can accomplish with this is expulsion from school and possible jail time. I'm not judging you, just warning you. If you want to learn this stuff, do it on a home network. Set up a lab. If you just go ahead and do it, you may just stick out like a sore thumb and get caught like a fool.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
November 19th, 2003, 09:14 PM
#13
Gaining an interactive shell through SSL tunneling
If I may continue with this thought, any FW admin worth his salt will be watching for this. Hint, hint.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
November 19th, 2003, 11:26 PM
#14
Most FW admins are not worth their salt. :-/
-
November 19th, 2003, 11:31 PM
#15
Senior Member
You don't need BGP for any sort of VPN. BGP is an external routed protocol. It advertises routes to its neighbors in the given AS number (Autonomous System). I don't understand how BGP would be needed. I've set up many router-to-router and firewall-to-router VPNs; BGP wasn't used in any of the solutions, and some of them even crossed multiple carriers.
ISPs use BGP to advertise their routes to their upstream providers, other carriers and/or sometimes their customers (i.e. someone wants to load balance two T-1 circuits).
In short: whatever host you are connecting to, the firewall needs to have ports opened for it.
Any port forwarders or anything like that won't help, because the machine you are connecting to is LISTENING on some port. Unless it makes an outgoing connection first that you can ride in on or take control of, then it ain't happening. Most firewalls will drop connections initiated from the outside, unless the appropriate ports are opened and traffic is allowed.
-
November 20th, 2003, 12:05 AM
#16
tekno: I would not be surprised if some Cisco VPN solutions used BGP to open up various VLANs based on your VPN credentials.
That said, yeah, you're generally right.
-
November 20th, 2003, 12:48 AM
#17
Senior Member
I don't want to go beyond the scope of this thread, but technically, you could use BGP to distribute VPN routing information for an MPLS-VPN solution, for example, but that includes work on your provider's side, and I highly doubt they will do that just so one little customer can connect to some machine. Still, you would have to configure both endpoints.
j3r: can you explain how BGP would be used to open VLANs based on your VPN credentials?
-
November 20th, 2003, 03:13 AM
#18
Basically what you said. I imagine internal routers get BGP info from the VPN server to determine what ports to open to what VLANs. I haven't actually seen this done, but imagine it might be done on a big korporate LAN.
-
November 20th, 2003, 04:55 AM
#19
Senior Member
VPN servers wouldn't hand out BGP routing updates. That would all happen on the routers which would be BGP neighbors.
The best way to do it would be to put your VPN server in a DMZ and set your client software to connect to that IP address. If you were doing a router-to-router or firewall-to-firewall or even a router-to-firewall VPN, then both sides would have their crypto peers defined so it will know where to go. It would know where to go once it hits the router and the router looks up in its routing table where to send the packet. BGP or any routing protocol is transparent to the actual VPN connection itself.