[Asterisk-Users] Re: {SPAM?} Asterisk VIA SSH Tunnels

Aidan Van Dyk aidan at highrise.ca
Fri Oct 15 05:33:48 MST 2004


Tom Ivar Helbekkmo wrote:

> Benjamin on Asterisk Mailing Lists <benjk.on.asterisk.ml at gmail.com>
> writes:
> 
>> And how many routers and firewalls out there do support OpenVPN? Do
>> Cisco routers support it?
> 
> Neither I, nor anyone else here, seems to be saying that OpenVPN is a
> replacement for IPsec.  There's overlap, but there are applications
> that are more suited to one than to the other.  As implementations of
> IPsec mature, its share should increase.  (Today, you can still not
> take for granted that two IPsec VPN products will work seamlessly
> together.)
> 
> I believe (but am more than ready to be proven wrong) that
> implementing the type of VPN that I'm using would be a real bitch with
> IPsec.  I've got a portable computer that sends and receives quite a
> bit of sensitive data over insecure protocols, such as remote file
> system access -- and SIP, of course.  :-)  I carry this computer with
> me, and want to be able to use it wherever I can get hold of some sort
> of Internet connection.  This might be by borrowing a real IP address
> somewhere, getting a DHCP-allocated RFC-1918 address behind some NAT
> gateway, or whatever.  I have to expect there to be a firewall as well.
> 
> An important requirement is that all sessions should survive when I
> suspend the computer, and then resume it somewhere else, where it gets
> a completely new access method to the Internet.  For instance, while
> I'm directly connected by UTP cable at work, I open ssh sessions to
> various computers, I start a SIP-based soft phone, and, of course, I
> am connected to my remote file system server.  I suspend the computer
> without logging out of anything, and later resume it in a place where
> there's a wireless hot spot that I'm allowed to access.  I expect to
> be able to continue typing commands in those ssh sessions, receive
> telephone calls, and use the file system, immediately upon resuming.
> I need this to work completely NAT proof, and with no requirements for
> holes in firewalls other than being able to send a UDP packet out, and
> getting a responding packet back to the same port.  It must also work
> without the suspend/resume: I need to be able to unplug my laptop's
> UTP cable to carry it into a meeting, and expect everything to keep
> working through a completely seamless transition to wireless mode.  Of
> course, my laptop needs to have a fixed DNS name and IP address that
> never change, so it can be reached from the outside when needed.
> 
> With OpenVPN running on my laptop, and on a VPN gateway system back
> home, this Just Works.  OpenVPN handles the whole thing, it's well
> secured, all traffic is encrypted, and it automatically ensures that
> no traffic is sent or received by my laptop outside the VPN tunnel.
> 
> I actually started looking into how to get comparable functionality
> based on IPsec, but my mind boggled, and now I do it the easy way.

It works.  I've done it.

Tunnel 0.0.0.0/0 through IPSEC.  Don't use AH.  Make sure your local
networking is set up to use the extruded address that goes through your
IPSEC tunnel.

Of course, any firewall you come upon must allow UDP IKE and ESP
packets through.  But if they are intentionally blocking IPSEC, my guess is
they're going to block all VPNs.
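As an added illustration (not Aidan's configuration, and not from the thread), the advice above expressed as a strongSwan swanctl.conf road-warrior profile: tunnel 0.0.0.0/0, ESP only with no AH, UDP-encapsulated so it survives NAT, and a virtual address the laptop's applications bind to. It assumes a current strongSwan with IKEv2 (MOBIKE and NAT-T postdate the 2004 thread); the gateway name, identities and certificate file are placeholders.

```conf
# swanctl.conf (strongSwan); host names, identities and cert files are placeholders
connections {
    home-full-tunnel {
        version = 2                       # IKEv2
        remote_addrs = vpn.example.net    # placeholder gateway

        # Key exchange: IKE over UDP/500, moving to UDP/4500 behind NAT.
        proposals = aes256gcm16-prfsha384-x25519

        # Survive NAT and roaming: always UDP-encapsulate ESP, and let
        # MOBIKE re-home the tunnel when the laptop's address changes
        # (wired -> wireless, suspend/resume on another network).
        encap = yes
        mobike = yes
        dpd_delay = 30s

        # Ask the gateway for a fixed "extruded" address. SIP, ssh and the
        # file-system client bind to this address, not to whatever the
        # local DHCP server handed out, so sessions outlive the move.
        vips = 0.0.0.0

        local {
            auth = pubkey
            certs = laptop-cert.pem       # placeholder
            id = laptop@example.net       # placeholder
        }
        remote {
            auth = pubkey
            id = vpn.example.net          # placeholder
        }

        children {
            everything {
                # Tunnel 0.0.0.0/0: every IPv4 packet goes through the SA.
                local_ts = dynamic
                remote_ts = 0.0.0.0/0

                # ESP only. AH integrity-protects the outer IP header, so a
                # NAT rewriting the source address breaks it; leaving
                # ah_proposals unset means no AH is ever negotiated.
                esp_proposals = aes256gcm16-x25519

                start_action = start
                dpd_action = restart
                close_action = start
            }
        }
    }
}
```

On the gateway side the matching child must accept `remote_ts = dynamic` / `local_ts = 0.0.0.0/0` and hand out the virtual IP from a pool; only UDP/500, UDP/4500 and ESP need to pass any firewall in between.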
