[vpn-help] Shrew soft used to access services on VPN server itself
Kevin VPN
kvpn at live.com
Thu Jul 26 21:29:21 CDT 2012
On 07/25/2012 06:54 AM, MikuslawProxy wrote:
> Hi,
>
> I have a question for you guys. I've been trying for some time to figure
> out how to use Shrewsoft in my use case. I want to use it to connect to
> an IPSEC server and encrypt traffic between my computer and that server
> itself (a server with some services, not a VPN appliance). Shrewsoft
> forces NONE policies to be added for the server IP, so no traffic
> directed at the server or coming from the server is encrypted.
>
> Does Shrewsoft support use cases other than a VPN appliance used to
> access other servers behind the tunnel?
>
I don't think that's how Shrew (or maybe even IPsec) is supposed to
work, although I suppose MS does something similar with its DirectAccess
bit.

I think the easiest way to do that might be to give the server a second
IP address. Use one of the IPs as the listener IP for the IPsec server
and the other IP for all the other services. I would see if you can
give the box a second Internet IP and bind the IPsec service to that IP.
Shrew would connect to the gateway on the second (new) IP, and on the
Policy tab you would specify that the original Internet IP be protected.
That might work.

If it doesn't, assuming that you're running a Linux box, you could build
a network inside your server. Add a virtual interface to the machine
and give it some private IP (e.g. 172.16.0.1 on eth0:1). Also configure
your services (e.g. Apache) to bind to all interfaces. Then configure
your IPsec service to listen on your real Internet interface (e.g. eth0)
and have it offer access to the private network on the virtual interface
(eth0:1, 172.16.0.1/32). You may also have to enable routing and play
with the firewall on the Linux machine; I'm not sure.

Then configure Shrew to connect to the Internet IP and, on the Site
Configuration Policy tab, put in the private IP (172.16.0.1/32). You'll
then need to try to connect to your services using the private IP
instead of the Internet IP.

Disclaimer: I've never done any of this before, so it is just as likely
to blow up your machine as it is to work. Please be careful and save
copies of files before you change them. :)
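A shell sketch of the second ("network inside the server") approach, added here as an example and not taken from the thread; it uses the reply's values (eth0, 172.16.0.1/32 on label eth0:1) and adds, as my own addition, an iptables policy-match rule so the inner address only answers to packets that arrived through an IPsec SA, which is the check that makes the workaround worth doing. The IPsec daemon's own listener/subnet configuration is daemon-specific and not shown; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): give the server an inner address that
# is reachable only through the IPsec tunnel, so services bound to it are
# never spoken to in cleartext. Values below follow the reply's suggestion.
WAN_IF="${WAN_IF:-eth0}"            # real Internet interface the IPsec daemon listens on
INNER_IP="${INNER_IP:-172.16.0.1}"  # private address Shrew's Policy tab will protect
INNER_LABEL="${INNER_LABEL:-eth0:1}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1 (review before applying as root).
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Step 1: the virtual interface / inner address (the /32 from the reply).
add_inner_address() {
    run ip addr add "$INNER_IP/32" dev "$WAN_IF" label "$INNER_LABEL"
}

# Step 2: let IKE and ESP reach the daemon on the Internet interface.
allow_ipsec_control() {
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT   # NAT-T
    run iptables -A INPUT -i "$WAN_IF" -p esp -j ACCEPT
}

# Step 3 (my addition): the inner address answers only to packets that were
# decrypted from an IPsec SA; anything else aimed at it is dropped. Services
# bound to 0.0.0.0 (Apache's default Listen) are therefore reachable at
# INNER_IP for tunnel users only; the public IP keeps whatever exposure it had.
restrict_inner_to_tunnel() {
    run iptables -A INPUT -d "$INNER_IP" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    run iptables -A INPUT -d "$INNER_IP" -j DROP
}

# No ip_forward is needed: INNER_IP is local to the box, so decrypted packets
# are delivered locally rather than forwarded. Configuring the IPsec daemon
# (listen on WAN_IF, offer INNER_IP/32 to clients) is daemon-specific, not shown.
setup_inner_network() {
    add_inner_address
    allow_ipsec_control
    restrict_inner_to_tunnel
}

# Apply for real with: sudo sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then setup_inner_network; fi
```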