DNAT IPSec

Hi,

I have a problem setting up DNAT in an IPSec environment. Here is my setup:

Client(192.168.0.200) <-> 192.168.0.101(NAT-Box) <-> 192.168.122.100(Client)

I want to set up a secure tunnel between both client machines. Since one client is behind a NAT box I have to use NAT-T in racoon. On client 192.168.122.100 a telnet server is also running, which should be reachable from client 192.168.0.200 on the other subnet.

The NAT rules for NAT-T on 192.168.0.101 are implemented as follows:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       esp  --  0.0.0.0/0            0.0.0.0/0           to:192.168.122.100
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 500,4500 to:192.168.122.100

On both clients, racoon is running with this config:

path pre_shared_key "/etc/racoon/psk.txt";

timer {
        natt_keepalive 10sec;
}

listen {
        isakmp 192.168.122.100 [500];
        isakmp_natt 192.168.122.100 [4500];
}

remote 192.168.0.200 {
        exchange_mode main;
        nat_traversal on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
sainfo address 192.168.0.101 any address 192.168.0.200 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

The config on the other machine looks similar. setkey is using these policies:

spdadd 192.168.0.200 192.168.0.101 any -P in ipsec
           esp/tunnel/192.168.0.200-192.168.0.101/require;

spdadd 192.168.0.101 192.168.0.200 any -P out ipsec
           esp/tunnel/192.168.0.101-192.168.0.200/require;

Again, similar config on the other box.

When I ping 192.168.0.101 from 192.168.0.200, the tunnel is created:

[root@rhel4 racoon]# racoon -F -f racoon.conf
Foreground mode.
2008-04-24 17:40:01: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
2008-04-24 17:40:01: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
2008-04-24 17:40:01: INFO: 192.168.122.100[4500] used as isakmp port (fd=7)
2008-04-24 17:40:01: INFO: 192.168.122.100[4500] used for NAT-T
2008-04-24 17:40:01: INFO: 192.168.122.100[500] used as isakmp port (fd=8)
2008-04-24 17:40:06: INFO: respond new phase 1 negotiation: 192.168.122.100[500]<=>192.168.0.200[500]
2008-04-24 17:40:06: INFO: begin Identity Protection mode.
2008-04-24 17:40:06: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2008-04-24 17:40:06: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2008-04-24 17:40:06: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2008-04-24 17:40:06: INFO: Hashing 192.168.122.100[500] with algo #1
2008-04-24 17:40:06: INFO: NAT-D payload #0 doesn't match
2008-04-24 17:40:06: INFO: Hashing 192.168.0.200[500] with algo #1
2008-04-24 17:40:06: INFO: NAT-D payload #1 verified
2008-04-24 17:40:06: INFO: NAT detected: ME
2008-04-24 17:40:06: INFO: Hashing 192.168.0.200[500] with algo #1
2008-04-24 17:40:06: INFO: Hashing 192.168.122.100[500] with algo #1
2008-04-24 17:40:06: INFO: Adding remote and local NAT-D payloads.
2008-04-24 17:40:06: INFO: NAT-T: ports changed to: 192.168.0.200[4500]<->192.168.122.100[4500]
2008-04-24 17:40:06: INFO: KA list add: 192.168.122.100[4500]->192.168.0.200[4500]
2008-04-24 17:40:06: INFO: ISAKMP-SA established 192.168.122.100[4500]-192.168.0.200[4500] spi:d4245a3e8d07f023:353aeb082ad83985
2008-04-24 17:40:07: INFO: respond new phase 2 negotiation: 192.168.122.100[0]<=>192.168.0.200[0]
2008-04-24 17:40:07: INFO: Adjusting peer's encmode UDP-Tunnel->61441
2008-04-24 17:40:08: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.200->192.168.122.100 spi=189715164(0xb4ed2dc)
2008-04-24 17:40:08: INFO: IPsec-SA established: ESP/Tunnel 192.168.122.100->192.168.0.200 spi=184022985(0xaf7f7c9)

Now I want to ping the peer client 192.168.122.100 behind the NAT box from client 192.168.0.200. Since the peer client is on a private subnet, I ping the NAT box IP. And here is the question: how do I have to set up DNAT on the NAT box so that traffic arriving there is DNATed to the peer client 192.168.122.100, or is this possible at all? I mean, the IPsec traffic arriving at the NAT box is forwarded to the internal client running racoon, and the telnet server also runs on the machine running racoon. It's not clear to me where I have to implement the NAT rules so that I can ping the telnet server from client 192.168.0.200 using the public IP of the NAT box.

When I sniff the traffic on 192.168.122.100 I actually see this:

[root@rhel4 ~]# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:40:13.983235 IP 192.168.0.200 > 192.168.0.101:icmp 64: echo request seq 7
17:40:14.979046 IP 192.168.0.200 > 192.168.0.101:icmp 64: echo request seq 8


Any help is really appreciated.

Thanks.
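The "NAT-D payload #0 doesn't match" / "NAT detected: ME" lines in the racoon log above come from the NAT discovery exchange of draft-ietf-ipsec-nat-t-ike-02, which both peers run before switching to port 4500. The following is an added example (not code from the post or from ipsec-tools) that recomputes that check with the addresses from this setup. It assumes MD5 as hash algo #1 (matching the hash_algorithm md5 in the config), port 500 for the phase 1 packets, and takes the two cookies from the "spi:" field of the ISAKMP-SA line in the log.

```python
import hashlib
import socket
import struct

# Cookie pair as racoon prints it: "spi:<initiator cookie>:<responder cookie>" (taken from the log above).
CKY_I = bytes.fromhex("d4245a3e8d07f023")
CKY_R = bytes.fromhex("353aeb082ad83985")


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "md5") -> bytes:
    """NAT-D payload per draft-ietf-ipsec-nat-t-ike-02: HASH(CKY-I | CKY-R | IP | Port).

    IP is 4 bytes and Port 2 bytes, both in network byte order. algo "md5" is
    the assumed meaning of "algo #1" in the log.
    """
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def initiator_natd(cky_i: bytes, cky_r: bytes, src_ip: str, dst_ip: str, port: int = 500) -> list:
    """The initiator sends NAT-D #0 for the peer address as it sees it (the UDP
    destination) and NAT-D #1 for its own source address."""
    return [natd_hash(cky_i, cky_r, dst_ip, port), natd_hash(cky_i, cky_r, src_ip, port)]


def responder_check(cky_i: bytes, cky_r: bytes, received: list, my_ip: str, peer_ip: str,
                    port: int = 500) -> dict:
    """The responder recomputes both hashes from the addresses it actually sees.

    A mismatch on #0 means the initiator addressed a different IP than the one
    the responder owns, i.e. a NAT sits in front of the responder ("NAT detected: ME").
    A mismatch on #1 would mean the initiator's source address was rewritten on the way.
    """
    local_match = natd_hash(cky_i, cky_r, my_ip, port) == received[0]
    peer_match = natd_hash(cky_i, cky_r, peer_ip, port) == received[1]
    return {"nat_in_front_of_me": not local_match, "nat_in_front_of_peer": not peer_match}


def run_example() -> dict:
    """Replays the exchange from the post: the initiator 192.168.0.200 talks to the
    NAT box address 192.168.0.101, but the responder is really 192.168.122.100."""
    sent = initiator_natd(CKY_I, CKY_R, "192.168.0.200", "192.168.0.101")
    return responder_check(CKY_I, CKY_R, sent, "192.168.122.100", "192.168.0.200")


if __name__ == "__main__":
    print(run_example())  # {'nat_in_front_of_me': True, 'nat_in_front_of_peer': False}
```

The payload #0 mismatch is exactly what the log reports before racoon moves the exchange to 192.168.0.200[4500]<->192.168.122.100[4500]; the inner packets later seen in the tcpdump are still addressed to 192.168.0.101 because that is the address the initiator used.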