Taylor, Grant wrote:
OK - I have a VPN working WITHOUT nat. I did try the NAT per your example and several others as well as added the nat_traversal=yes in the ipsec.conf. Both servers are stock Fedora Core 3. The iptables version on both does NOT support the --oif option so this may have been the reason. I also cannot confirm if the NAT-Traversal patch in the kernel - I did look. Heres the layoutOk, one of us is not understanding the other, and it is likely me. Normal IPSec VPNs run on a netowrk as such:
[Host A] --- LAN --- [Host B] .... (INET) .... [Host C] --- LAN --- [Host D]
Where the LAN between Host A and Host B is one IP subnet and the LAN between Host C and Host D is another IP subnet, prefferably different than the IP subnet on the first LAN. The VPN in this scenario would be between Host B and Host C. Let's suppose that the hosts have the following IP addresses:
Host A's LAN IP address is 172.16.1.1 Host B's LAN IP address is 172.16.1.254 Host B's INet IP address is 12.34.56.78 Host C's INet IP address is 87.65.43.21 Host C's LAN IP address is 172.31.255.254 Host D's LAN IP address is 172.31.255.1
In this case the IPSec VPN would be between Host B's INet address of 12.34.56.78 and Host C's INet address of 87.65.43.21. As far as what traffic would and would not be NATed, you would NAT all traffic going out to the INet from Host B's INet IP address of 12.34.56.78 except the IPSec VPN traffic. More information on how to NAT all traffic but the IPSec VPN traffic is avaliable with your IPSec VPN software. Ask if you need more help configuring your NATing on Host B and / or Host C. You (or your counter part an the other LAN would NAT all traffic going out to the INet from Host C's INet IP address of 87.65.43.21 except the IPSec VPN traffic. Because you have the VPN passing traffic from one LAN to the other LAN you don't normaly need to NAT the traffic at all except for in your case you have the same IP subnet on both LANs which will mess up normal routing and thus you have to augment it via NATing. I hope this helps clear up some things for you.
Grant. . . .
Thanks! I want to make sure I understand the IPSEC and NAT. I'm connecting a PUBLIC address to my FIREWALL but NOT including the gateway address:
66.83.239.66 -> IPSEC -> 192.168.90.1 # a host to host / ip to ip VPN THEN NAT 192.168.90.1 to 192.168.1.1
Since the NAT takes place AFTER the IPSEC traffic, do I really need the NAT-T enabled?
Do I just aliase the 192.168.90.1 address or should I do a VLAN?
Vernon
HOSTA (Vender) 63.171.212.10 (172.16.1.0/24) HOSTB (ME) 66.83.239.70 (192.168.90.0/24)
The real hosts this vendor needs access to is 192.168.1.1 but they already have a VPN defined with this subnet. I set this up in a test enviorment using an additional FC3 box as the real host. I was able to set an aliases ip address within the 192.168.90 subnet and set a postrouting to preform snat and it WORKED - I know this is natting outside of the VPN.
An additional thought - the site listed above has a CISCO 2811 router as the main WAN router (not internet) and it 'APPEARS' to have NAT capabilities. I guess the easiest way to get this running to configure the router to preform DNAT/SNAT if the source and destination matches. I can fumble around on the router and know the basic commands but I'm no expert. So, If anyone on the list knows the exact commands to NAT this real host - your assistance would be greatly appreciated! Otherwise, I'm off to study the cisco ip nat command structure.
Vernon
