Implementing Single Connections-to-LAN Tunnels

Tunnel server configuration

Authentication table
The group name for this tunnel is Sales. The password is Bubba. These two parameters have been extracted into an ETA file called sales.eta and distributed via floppy disk to the various tunnel clients. The key file has been created by the tunnel server on the corporate LAN and is specific to this tunnel group. The key file has also been extracted and distributed via floppy disk. By default, this key file is named sales.key.

6.4.2.3 Firewall configuration

The local firewall is configured to relay all external tunnel requests (those reaching 1.195.6.1 on port 3265) to the tunnel server at its physical IP address, 1.195.6.2, port 3265.

6.4.2.4 Local host configuration

The host machines on the corporate LAN have a default route to 1.195.6.2, the tunnel server's physical IP address. Any traffic destined for the tunnel takes the tunnel server's virtual IP end of the tunnel; all other traffic bound for outside the local network passes to the firewall and out to the Internet.

6.4.2.5 Remote PC configuration

The remote PC's Telecommuter Client tunnel client is configured to route all tunnel traffic to the dynamic IP address assigned by the remote tunnel server. Within the tunnel client software, the tunnel group is defined like this:

Username
The name of this tunnel group is Sales. There is also a password, Bubba, which must be manually entered when a tunnel session is opened.

Server key ID
The local key file is sales.key. It is stored with the ETA file obtained from the remote tunnel server (in this case via floppy disk).

Tunnel server
The tunnel server's physical IP address is 1.195.6.2, with a tunnel traffic port of 3265.

First Firewall
Unused in this case.

Second Firewall
The IP address of the remote LAN's firewall is 1.195.6.1, with a tunnel traffic port of 3265.

6.4.2.6 Tracing the packets

The remote PC begins by opening a tunnel request to the tunnel server. The PC is connected to the Internet via an ISP and has initiated the tunnel connection with its AltaVista Tunnel Telecommuter client. The request passes through the end user's ISP transparently, destined for the remote firewall's IP interface on the Internet (1.195.6.1) on the tunnel port of 3265. The remote firewall is set up to relay all traffic received on this port to the tunnel server's physical IP address (1.195.6.2). The tunnel server checks the authentication information against its Authentication tables, and encrypts a reply using the remote client's private key. This reply is sent back to the remote client, which decrypts the reply with its private key. The two sides then exchange parts of the session key (sales.key), which are combined to form a secret session key.

The tunnel server assigns the virtual IP address of 1.196.5.2 to the remote client's pseudo-adapter. This will act as the client's end of the tunnel, and all traffic destined for the remote network will be routed to this address. The tunnel server takes 1.196.5.1 as its pseudo-adapter interface to this tunnel session, and any traffic received at this IP address is routed to its local network (1.195.6). The remote client now interacts with nodes on the local network as if it were physically connected to that network. Thus, on a Windows NT network, the user can log into the domain and browse the Network Neighborhood, or, in a Unix environment, protocols and services normally restricted from outside the network are now possible (i.e., FTP to some secured server, access to the corporate intranet web pages, etc.).

When the second remote PC connects to the tunnel server, the new tunnel is assigned a second pair of IP addresses from the tunnel server's dynamic range. In this case, the second remote client is assigned 1.196.5.4, and the tunnel server takes 1.196.5.3 as its end of this tunnel session.

The remote client routes all tunnel traffic to its pseudo-adapter interface to the tunnel, and the tunnel server routes all incoming traffic to its local network range for that tunnel, as previously stated. In both cases, the secret session key is regenerated by the tunnel server every 30 to 1,440 minutes and redistributed to the remote clients transparently.
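The firewall relay, the authentication-table check, the pairing of virtual addresses from the dynamic range and the remote PC's routing decision described in this trace, modelled as an added Python example (not part of the original text and not AltaVista Tunnel code). The /24 mask on the corporate LAN and the four-address dynamic range 1.196.5.1-1.196.5.4 are assumptions; the other values are the scenario's own.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address

# Addresses and port are the scenario's own; the /24 mask is an assumption,
# since the text only says the server routes to "its local network 1.195.6".
CORPORATE_LAN = IPv4Network("1.195.6.0/24")
TUNNEL_PORT = 3265


@dataclass
class Firewall:
    """Relays inbound packets for one (address, port) to the tunnel server."""
    external_ip: IPv4Address
    server_ip: IPv4Address

    def relay(self, dst_ip, dst_port):
        # Only the tunnel port on the Internet interface is forwarded.
        if ip_address(dst_ip) == self.external_ip and dst_port == TUNNEL_PORT:
            return (self.server_ip, TUNNEL_PORT)
        return None  # anything else is not relayed to the tunnel server


@dataclass
class TunnelServer:
    """Checks the group/password pair and hands out virtual IP pairs."""
    auth_table: dict     # group name -> password (the Authentication table)
    dynamic_range: list  # free virtual addresses, handed out in order
    sessions: dict = field(default_factory=dict)

    def open_session(self, group, password):
        if self.auth_table.get(group) != password:
            return None  # authentication failed: no tunnel, no addresses
        server_end = self.dynamic_range.pop(0)  # server's pseudo-adapter end
        client_end = self.dynamic_range.pop(0)  # client's pseudo-adapter end
        self.sessions[client_end] = server_end
        return (server_end, client_end)


def client_next_hop(dst, pseudo_adapter_ip):
    """Remote PC: corporate LAN traffic enters the tunnel, the rest goes to the ISP."""
    return pseudo_adapter_ip if ip_address(dst) in CORPORATE_LAN else "isp-default"


def build_scenario():
    """Firewall, tunnel server and (assumed) four-address dynamic range."""
    fw = Firewall(IPv4Address("1.195.6.1"), IPv4Address("1.195.6.2"))
    pool = [IPv4Address(f"1.196.5.{n}") for n in range(1, 5)]
    return fw, TunnelServer({"Sales": "Bubba"}, pool)
```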

6.4.3 Implementing PC-to-WAN Tunnels

In this situation, the user connects directly to the Internet without a firewall.

6.4.3.1 Sample configuration

In the PC-to-WAN tunnel scenario shown in Figure 6-3, the corporate WAN comprises two subnets connected to a router, which routes traffic between them. Each subnet comprises several host machines, and one of the subnets has an AltaVista Tunnel Extranet server. The WAN is connected to the Internet through a T1 connection, and protected with a standard firewall. The remote users are all client computers running the AltaVista Tunnel Telecommuter Client, and are connected to the Internet through separate Internet service providers.