Re: IPSec through my firewall


 



Hello,

This all depends on your implementation, I believe the standard protocol 50 (ESP) traffic still does not support NAT. But there are a lot of vendors out there that have NAT "aware" VPN devices.

Some devices use UDP encapsulation, others allow a more relaxed version of the IPSEC protocol to handle the NAT.

Some only support NAT during one point in the connection, so both the client and server can't use NAT, only one or the other.

From the RFCs:

--snip--
Negotiation of the NAT-Traversal Encapsulation

   The negotiation of the NAT-Traversal happens by adding two new
   encapsulation modes.  These encapsulation modes are

   UDP-Encapsulated-Tunnel         3
   UDP-Encapsulated-Transport      4

   It is not normally useful to propose both normal tunnel or transport
   mode and UDP-Encapsulated modes.  UDP encapsulation is required to
   fix the inability to handle non-UDP/TCP traffic by NATs (see
   [RFC3715], section 2.2, case i).

   If there is a NAT box between hosts, normal tunnel or transport
   encapsulations may not work.  In this case, UDP-Encapsulation SHOULD
   be used.
--snip--

I would allow all traffic between the client and server on UDP ports 500 and 4500.

# -i/-o together only make sense in the FORWARD chain; UDP 500 is IKE, UDP 4500 is NAT-T
iptables -I FORWARD -i EXT_FACE -o VPN_FACE -d X.X.X.X -p udp --dport 500 -j ACCEPT
iptables -I FORWARD -i EXT_FACE -o VPN_FACE -d X.X.X.X -p udp --dport 4500 -j ACCEPT

Michael.

Ola Nilsson wrote:
Hi,

I would've tried something different if I had the possibility to
choose. This is a solution chosen by the company I work for.

Are you sure about that IPSec can't be NATed? NAT-T is kind of meant to
handle just that. Also, my colleagues have no trouble through
e.g. D-Link routers. The ISAKMP part NATs just fine...

Regards,
/Ola

Michael Gale <michael.gale@xxxxxxxxxxxxx> writes:


Hello,

You cannot NAT ESP (protocol 50) traffic. Some IPSEC clients
and servers support NATing, but I believe this requires special
implementation on the client and server end.

If you want to NAT a VPN tunnel I suggest you try an SSL-based
VPN. OpenVPN works well; you could also try TCP or UDP encapsulation
to help get around the NAT issue.

Michael.



-- Michael Gale Lan Administrator Utilitran Corp.

Hey, let me file that under important .... > /dev/null
...
"Hey did you read my e-mail"
"Let my check"
^From:.* > /dev/null
"Nope, I missed it, send it again"
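To make concrete what the RFC snippet above calls UDP-Encapsulation, and why Michael's two rules only need to open UDP 500 and 4500, here is an added illustration that is not code from this thread or from netfilter: a small Python demultiplexer for datagrams seen on those ports, following the RFC 3948 framing (a 4-byte zero "Non-ESP Marker" in front of IKE on port 4500, a bare ESP header with a non-zero SPI otherwise, and a single 0xFF byte as NAT keepalive), plus a helper that mirrors what the two ACCEPT rules admit. All sample datagrams are constructed inline for the demo.

```python
import struct

# RFC 3948 framing on UDP/4500:
#   IKE            : 4 zero bytes (Non-ESP Marker) followed by the ISAKMP header
#   ESP            : ESP header directly (4-byte SPI, which MUST be non-zero, then sequence number)
#   NAT keepalive  : a single 0xFF byte
# The zero SPI is reserved precisely so the marker cannot be confused with ESP.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
ISAKMP_HEADER_LEN = 28  # I-SPI(8) R-SPI(8) next(1) ver(1) exch(1) flags(1) msgid(4) len(4)


def _parse_isakmp(data):
    """Decode the fixed ISAKMP/IKE header; everything after it is left opaque."""
    if len(data) < ISAKMP_HEADER_LEN:
        return ("malformed", {"len": len(data)})
    _i_spi, _r_spi, _next, version, exch, _flags, _msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:ISAKMP_HEADER_LEN]
    )
    return ("ike", {"version": version >> 4, "exchange": exch, "length": length, "nat_t": False})


def classify_udp_payload(dst_port, payload):
    """Return (kind, details) for one UDP datagram to an IPsec port (500 or 4500)."""
    if dst_port == 500:
        return _parse_isakmp(payload)
    if dst_port != 4500:
        return ("other", {})
    if payload == NAT_KEEPALIVE:
        return ("nat-keepalive", {})
    if payload.startswith(NON_ESP_MARKER):
        kind, details = _parse_isakmp(payload[len(NON_ESP_MARKER):])
        details["nat_t"] = True
        return (kind, details)
    if len(payload) < 8:
        return ("malformed", {"len": len(payload)})
    spi, seq = struct.unpack("!II", payload[:8])
    return ("esp-in-udp", {"spi": spi, "seq": seq})


def summarize(datagrams):
    """Count datagram kinds; `datagrams` is an iterable of (dst_port, payload)."""
    counts = {}
    for port, payload in datagrams:
        kind = classify_udp_payload(port, payload)[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def passes_reply_rules(protocol, dst_port=None):
    """Mirror the two ACCEPT rules in the reply above: only UDP to 500 or 4500 passes.
    Plain ESP (IP protocol 50) is not covered; a peer that negotiates
    non-encapsulated ESP would need its own rule (e.g. -p esp)."""
    return protocol == "udp" and dst_port in (500, 4500)


def _isakmp_header(exchange_type, length=ISAKMP_HEADER_LEN):
    # Constructed header: IKEv2 (version 0x20), initiator SPI of 0x01 bytes, responder SPI zero.
    return struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, 33, 0x20, exchange_type, 0x08, 0, length)


# Constructed sample datagrams (not captured traffic).
SAMPLE_IKE = _isakmp_header(34)                      # IKEv2 IKE_SA_INIT on UDP/500
SAMPLE_NATT_IKE = NON_ESP_MARKER + SAMPLE_IKE        # same exchange after NAT-T float to UDP/4500
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\x00" * 16  # ESP SPI/seq + opaque ciphertext
SAMPLE_TRAFFIC = [
    (500, SAMPLE_IKE),
    (4500, SAMPLE_NATT_IKE),
    (4500, SAMPLE_ESP),
    (4500, NAT_KEEPALIVE),
    (4500, b"\x00\x00\x00\x00\x01"),  # marker followed by a truncated IKE header
]

if __name__ == "__main__":
    for port, payload in SAMPLE_TRAFFIC:
        print(port, classify_udp_payload(port, payload))
    print(summarize(SAMPLE_TRAFFIC))
```

Run against a real capture, the same demultiplexing tells you whether a peer is floating to 4500 (NAT detected) or staying on 500 with plain ESP, which in turn decides whether UDP 500/4500 rules alone are enough or a protocol 50 rule is also needed on the path.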

