Nortel Contivity VPN
From CourvilleWiki
Howto: Route linux services through VMWARE using split tunneling feature of Nortel Contivity VPN client (NCVPN)
Motivation
The goal of this document is to explain how to route Linux services through a Windows virtual machine, running under VMware on a Linux host, that is connected to the corporate network from a remote location through ncvpn (the Nortel Contivity VPN client). The setup relies on a NAT virtual network interface and on the split tunneling feature of ncvpn: with split tunneling only corporate destinations go through the VPN, so the virtual host stays reachable from the Linux host on the NAT subnet while the VPN is up.
The specific example of retrieving emails on the corporate imap server imap.corp.com:143 and sending emails through the corporate gateway smtp.corp.com:25 is detailed.
The basic configuration considered is a linux host running a windows virtual machine under vmware with ncvpn installed on the virtual host.
In order to achieve this you need to perform the following steps:
- install a ssh server with cygwin under windows
- use ssh to forward ports on the linux host
- configure vmware on linux host to use the 192.168.128.128 address in nat mode to allow split tunneling under ncvpn
- operate in NAT mode when outside the corporate network (inside the corporate network a bridged ethernet configuration is recommended instead)
- allow the firewall on the Windows virtual host (e.g. BlackICE) to accept ssh connections from the Linux host
Note that the method explained in this document can also be applied to the case of a bridged ethernet interface with slight modifications.
Here are some references of interest to understand better the mechanism put in place:
NCVPN configuration
Split tunneling is usually controlled by the VPN server through the group or authentication profile, so to enable it you often need to reconfigure the ncvpn client to use a specific authentication method (check with your own company settings). Be aware that this setup does exactly what split tunneling is often forbidden for: it exposes corporate services to a machine outside the VPN, so make sure it is allowed by your company's policy before relying on it.
VMWARE configuration
In the default VMware configuration, the virtual interfaces vmnet0, vmnet1 and vmnet8 are respectively bridged to eth0, a host-only network on a private subnet, and a NAT network on a private subnet. All you need to change is to assign the NAT virtual interface (vmnet8) to the subnet 192.168.128.0 by re-running the following command on the Linux host:
/opt/vmware/usr/bin/vmware-config.pl
You can also do it by editing the following files by hand: /etc/vmware/vmnet8/dhcpd/dhcpd.conf and /etc/vmware/vmnet8/nat/nat.conf. This step is mandatory: if you skip it, you will lose access to the Windows virtual host from Linux as soon as ncvpn is activated.
Reminder of the addresses in NAT mode:
- seen from the Linux host, the Linux host is 192.168.128.1 and the Windows virtual host is 192.168.128.128
- seen from the virtual host, the Linux host (VMware's NAT device) has address 192.168.128.2
The second point matters for the firewall rule below: ssh connections arriving at the Windows guest from the Linux host carry 192.168.128.2 as their source address.
Blackice firewall settings
To allow incoming ssh connections you need to accept port 22 by entering, in the Advanced Firewall Settings / Firewall Rules / Add Firewall Entry tab, the following data:
name: ssh
IP address: all addresses
port: 22
type: TCP
mode: accept
duration of rule: forever
Accepting from all addresses is more than this setup needs: the only ssh client is the Linux host, which the guest sees as 192.168.128.2, so restricting the IP address field to that address keeps sshd unreachable from the corporate side of the VPN and, in bridged mode, from the rest of the LAN.
SSH server installation under CYGWIN
In order to allow port forwarding, we use ssh from cygwin distribution. Follow these steps to install it:
- install cygwin for openssh support by using [3]
- synchronize passwords: launch cygwin and then these commands:
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
cd /home
mkdir "$USER"
passwd "$USER"
ssh-keygen -b 1024 -t dsa
cd $HOME/.ssh
cp id_dsa.pub authorized_keys
Note that ssh-keygen runs on the Windows side here, so the key pair lives on the virtual host: to log in from Linux without a password, copy the private key id_dsa to the Linux host, or better generate the pair on Linux and append its public key to authorized_keys on the Windows side. Current OpenSSH releases no longer accept DSA keys by default, so on a recent installation use -t ed25519 instead of -b 1024 -t dsa.
- edit /etc/passwd to make sure that $USER has home dir /home/$USER
- if $USER and $USERNAME are different variables make sure to have 2 entries in the /etc/passwd with $USER first and $USERNAME second with same password and same home dir
- create CYGWIN variable: right click on My Computer, Properties, Advanced, Environment Variables, click on New and enter these variables
variable name: CYGWIN
variable value: ntsec tty
- update Path variable: right click on My Computer, Properties, Advanced, Environment Variables, select Path variable and click on Edit and append this at the end of the variable string:
;c:\cygwin\bin
- configure sshd: in a cygwin window issue the following command and answer yes to all the questions, except when the script asks for CYGWIN= where the correct answer is ntsec tty:
ssh-host-config
- start the sshd service: issue one of the two commands:
net start sshd
cygrunsrv --start sshd
- when done stop the service using one of:
net stop sshd
cygrunsrv --stop sshd
Launch the tunnel
This is the end: let's do the magic. Launching the tunnel is as simple as that:
ssh "$USER"@192.168.128.128 -L 5143:imap.corp.com:143 -L 5025:smtp.corp.com:25 -L 5022:sshhost.corp.com:22
What it does is forward:
- imap requests from localhost:5143 to imap.corp.com:143
- smtp requests from localhost:5025 to smtp.corp.com:25
- ssh requests from localhost:5022 to sshhost.corp.com:22
This solution intentionally uses local ports above 1024 so that an unprivileged user can set up the forwards without root privileges.
All you need now to do is to set your imap server as localhost:5143 and set your smtp server as localhost:5025. The specific case of mutt and fetchmail are detailed in the next section.
Note that if you want to log in to another machine on the corporate network you can still do it directly, at the cost of the extra hop's latency, by issuing:
ssh $USER@192.168.128.128 -t 'ssh sshhost.corp.com'
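As an added example (not from the original howto), here is a small wrapper script around the tunnel command above. It assumes a script name of vpn-tunnel.sh and keeps the page's hosts and ports; it validates each forward before it is spliced into the ssh command line, refuses local ports at or below 1024 (the reason the page uses 5143, 5025 and 5022), tells ssh to exit if a forward cannot be bound instead of running on silently, and can probe the local listeners so that fetchmail is not started against a dead tunnel.

```shell
#!/usr/bin/env bash
# Added example, not part of the original howto: a wrapper around the page's
# tunnel command.  Hosts and ports are the page's examples; the script name
# vpn-tunnel.sh is assumed.

set -u

VM_HOST="192.168.128.128"        # Windows guest as seen from the Linux host (page's NAT layout)
VM_USER="${USER:-user}"

# One forward per line: localport:remotehost:remoteport
FORWARDS="5143:imap.corp.com:143
5025:smtp.corp.com:25
5022:sshhost.corp.com:22"

# Accept only "lport:rhost:rport" with numeric ports, an unprivileged local
# port, and a hostname made of safe characters (it ends up on a command line).
forward_spec_ok() {
    local spec="$1" lport rest rhost rport
    lport="${spec%%:*}"
    rest="${spec#*:}"
    rhost="${rest%%:*}"
    rport="${rest#*:}"
    [ "$rest" != "$spec" ] && [ "$rport" != "$rest" ] || return 1   # needs two colons
    case "$lport" in ''|*[!0-9]*) return 1 ;; esac
    case "$rport" in ''|*[!0-9]*) return 1 ;; esac
    case "$rhost" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    [ "$lport" -gt 1024 ] && [ "$lport" -le 65535 ] || return 1    # no root needed
    [ "$rport" -ge 1 ] && [ "$rport" -le 65535 ] || return 1
    return 0
}

# Turn the spec list into "-L spec -L spec ...", failing on the first bad spec.
tunnel_args() {
    local out="" spec
    while IFS= read -r spec; do
        [ -n "$spec" ] || continue
        forward_spec_ok "$spec" || { echo "bad forward spec: $spec" >&2; return 1; }
        out="$out -L $spec"
    done <<EOF
$1
EOF
    printf '%s\n' "${out# }"
}

# Full command: -N (no remote shell), exit if any forward cannot be bound
# (by default ssh only warns and keeps running), and send keepalives so the
# session survives idle timeouts on the VPN.
tunnel_cmd() {
    local args
    args=$(tunnel_args "$1") || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 %s %s@%s\n' \
        "$args" "$VM_USER" "$VM_HOST"
}

# True when something accepts TCP on 127.0.0.1:$1 (bash /dev/tcp probe; on a
# shell without /dev/tcp the redirection fails, so the probe fails rather than hangs).
port_listening() {
    ( exec 3<>"/dev/tcp/127.0.0.1/$1" ) 2>/dev/null
}

# Probe every local forward port; run this before starting fetchmail.
forwards_up() {
    local spec lport ok=0
    while IFS= read -r spec; do
        [ -n "$spec" ] || continue
        lport="${spec%%:*}"
        if port_listening "$lport"; then
            echo "ok    127.0.0.1:$lport"
        else
            echo "DOWN  127.0.0.1:$lport" >&2; ok=1
        fi
    done <<EOF
$1
EOF
    return $ok
}

case "${1:-}" in
    up)    cmd=$(tunnel_cmd "$FORWARDS") || exit 1
           eval "exec $cmd" ;;             # specs were validated above, so eval is safe here
    check) forwards_up "$FORWARDS" ;;
    *)     tunnel_cmd "$FORWARDS" ;;       # print the command without running it
esac
```

`./vpn-tunnel.sh` prints the command, `./vpn-tunnel.sh up` runs it in the foreground, and `./vpn-tunnel.sh check` reports which local ports are actually listening. ExitOnForwardFailure matters here because a forward whose local port is already taken (a second copy of the tunnel, or a stale one) fails with only a warning by default, and the mail tools would then quietly talk to whatever process holds that port.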
Personal additional tricks
The tools I personally use for email purposes are:
- fetchmail to retrieve emails and procmail as local delivery agent
- esmtp as a lightweight local mail relay used only in VPN mode, replacing postfix for outgoing mail through the tunnel; postfix itself keeps running at the same time
In order to use the above tunnel with mutt and fetchmail I use the following tricks:
- install esmtp to forward emails (I still use postfix local mail server on port 25):
apt-get install esmtp
- tell esmtp to use port 5025 to send mails by including in the $HOME/.esmtprc:
hostname = localhost:5025
- tell mutt to use as sendmail command esmtp by specifying in the $HOME/.muttrc file the following line:
set sendmail = /usr/bin/esmtp
- for enabling imap support under mutt the following options need to be set in the $HOME/.muttrc file:
set imap_user = "$USER"
set imap_pass = "..."
set spoolfile = {imap.corp.com}
set ssl_starttls = no
With these settings mutt talks to imap.corp.com directly, which only works inside the corporate network; to read mail through the tunnel from mutt itself, point spoolfile at localhost:5143 instead. Two cautions: ssl_starttls = no turns off STARTTLS, so the IMAP login is protected by the ssh hop and the VPN but crosses the corporate LAN in the clear beyond the VPN gateway, and imap_pass stores the password in plain text, so make $HOME/.muttrc readable by you alone.
- configure fetchmail by editing $HOME/.fetchmailrc.remote and replacing username by your real user name $USER:
set postmaster "username"
set no bouncemail
set no spambounce
poll localhost with proto IMAP port 5143
user 'username' there with password '...' is 'username' here options fetchall stripcr
folder INBOX
mda '/usr/bin/procmail -Yf-'
- retrieve emails with:
fetchmail --quit
cp $HOME/.fetchmailrc.remote $HOME/.fetchmailrc
fetchmail
The first command stops any fetchmail daemon still running with the in-office configuration. Since $HOME/.fetchmailrc.remote contains the IMAP password, keep both files readable by you alone; fetchmail refuses to run if .fetchmailrc is readable by others.
This is all for now, any feedback?
Authors
Marc de Courville and Mohamed Kammoun

