Re: VPN question


 



Looks like the Linux kernel will have to be patched. The ISAKMP (key-exchange)
protocol uses protocol 50, which is unsupported by the kernel.

On Wed, 22 Sep 2004,
Tony Gogoi wrote:

>
> Hello,
>
> Can multiple IPSEC VPN clients (road-warrior type & private IP addresses)
> connect to a VPN server from behind a NAT firewall?
>
> The reason I pose this is: We have a linux firewall (not VPN gateway). As
> long as a private internal IP address is NAT'ed to a unique external
> address on the outgoing interface of the firewall, things are normal.
>
> But if more than one VPN client from the private network gets masqueraded
> to the outgoing interface, authentication is not even possible. This is
> observed with tcpdump. Reason:
>
> Let the outgoing interface of the firewall be 28.29.30.31.
> Let there be 2 VPN clients: 192.168.17.20 and 192.168.17.40.
>
> Then the first client (say 192.168.17.20) which requests authentication
> from the remote VPN server (there is no VPN gateway at our end), sends a
> request from 192.168.17.20-port isakmp. The firewall on its behalf sends a
> request from 28.29.30.31-port isakmp and the remote VPN server responds
> correctly to 28.29.30.31-port isakmp and client is authenticated.
>
> The 2nd client sends a request from 192.168.17.40-port isakmp. The
> firewall cannot reuse port isakmp and instead sends an authentication
> request from 28.29.30.31-port 12 (say). The remote VPN server INCORRECTLY
> responds to 28.29.30.31-port isakmp where it should have responded to port
> 12 of our firewall !!! So the firewall passes on the packet to the first
> VPN client (which is already authenticated).
>
> Is it part of VPN protocol for a VPN server to reply authentication
> requests to port isakmp? Or is it a configuration issue for the remote VPN
> server?
>
> Regards,
> Tony
>



Tony Gogoi
-
: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
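The misdelivery Tony describes in the quoted message can be reproduced with a small model of a masquerading firewall and two IKE responder behaviours. This is an added example, not code from the thread or from any VPN product: it assumes IKE/ISAKMP runs over UDP port 500 (IP protocol 50 is ESP, the data-plane protocol), that the firewall keeps the original source port when it is free and otherwise allocates the next free port from 1024 (the post's "port 12" is a stand-in for the same thing), and uses the post's addresses plus a made-up server address 203.0.113.5.

```python
"""Model of two IKE (ISAKMP, UDP/500) road-warrior clients behind one
masquerading firewall.  Shows why the second client's reply lands on the
first client when the VPN server answers to UDP/500 instead of the source
port it actually observed.  Constructed example; not a real packet path."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, udp_port)

FIREWALL_IP = "28.29.30.31"                # from the post
SERVER: Endpoint = ("203.0.113.5", 500)    # assumed remote VPN server (TEST-NET-3)
CLIENTS = ["192.168.17.20", "192.168.17.40"]  # from the post
IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str


class MasqueradingFirewall:
    """Minimal stateful UDP NAT: one external address, many inside hosts."""

    def __init__(self, external_ip: str, first_free_port: int = 1024) -> None:
        self.external_ip = external_ip
        self.next_port = first_free_port
        # (external_port, remote endpoint) -> inside endpoint
        self.inbound_map: Dict[Tuple[int, Endpoint], Endpoint] = {}
        # (inside endpoint, remote endpoint) -> external port
        self.outbound_map: Dict[Tuple[Endpoint, Endpoint], int] = {}

    def _allocate_port(self, wanted: int, remote: Endpoint) -> int:
        # Keep the inside source port if nobody else is using it towards
        # this remote endpoint (assumed behaviour); otherwise pick the next
        # free port.  This is exactly the step that turns the second
        # client's UDP/500 into some other port on the outside.
        if (wanted, remote) not in self.inbound_map:
            return wanted
        while (self.next_port, remote) in self.inbound_map:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.dst)
        if key not in self.outbound_map:
            port = self._allocate_port(pkt.src[1], pkt.dst)
            self.outbound_map[key] = port
            self.inbound_map[(port, pkt.dst)] = pkt.src
        return Packet((self.external_ip, self.outbound_map[key]), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Reverse lookup on (external port, remote endpoint).  Whoever owns
        # that mapping gets the datagram, whether or not it was meant for them.
        inside = self.inbound_map.get((pkt.dst[1], pkt.src))
        if inside is None:
            return None  # no state: dropped
        return Packet(pkt.src, inside, pkt.payload)


def ike_server_reply(request: Packet, reply_to_observed_port: bool) -> Packet:
    """Model of the remote VPN server.  Many pre-NAT-traversal IKEv1 responders
    answered to UDP/500 regardless of the request's source port; a NAT-aware
    one answers to the port it actually saw."""
    dst_port = request.src[1] if reply_to_observed_port else IKE_PORT
    return Packet(request.dst, (request.src[0], dst_port), "reply to " + request.payload)


def run_scenario(server_replies_to_observed_port: bool) -> Dict[str, Optional[str]]:
    """Each client sends one ISAKMP request.  Returns, per client, which inside
    host actually received that client's reply (None means dropped)."""
    fw = MasqueradingFirewall(FIREWALL_IP)
    delivered: Dict[str, Optional[str]] = {}
    for client in CLIENTS:
        request = Packet((client, IKE_PORT), SERVER, f"ISAKMP request from {client}")
        on_the_wire = fw.outbound(request)
        reply = ike_server_reply(on_the_wire, server_replies_to_observed_port)
        back_inside = fw.inbound(reply)
        delivered[client] = None if back_inside is None else back_inside.dst[0]
    return delivered


if __name__ == "__main__":
    for mode in (False, True):
        print(f"server answers to the observed source port: {mode}")
        for client, got in run_scenario(mode).items():
            status = "ok" if got == client else f"MISDELIVERED to {got}"
            print(f"  reply for {client} -> {status}")
```

With the responder fixed on UDP/500, the second client's reply matches the first client's NAT entry and is handed to 192.168.17.20, which is what the tcpdump in the post shows; a responder that answers to the observed source port reaches 192.168.17.40. Whether a real responder does the latter depends on the server, not on the firewall; the standard fix for this class of problem is IKE NAT traversal (UDP encapsulation on port 4500, RFC 3947/3948), which both ends must support.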
