* kernel 2.6 ipsec and DNAT
@ 2004-09-03 17:01 Alain RICHARD
2004-09-03 22:31 ` Alexander Samad
From: Alain RICHARD @ 2004-09-03 17:01 UTC (permalink / raw)
To: netfilter
Hi,
We have been using iptables and ipsec for several years now (starting with
freeswan 1.0) without too many problems. We have now upgraded to the
2.6 kernel (under Fedora 2) and Openswan 2.x.
Our setup works perfectly, with several dozen tunnels up and
running. We have worked around the lack of an ipsec0 interface by marking
packets (in fact this is a great solution that enables us to separate
the firewall settings completely from the vpn tunnels).
The problem I am encountering now is that DNAT does not seem to work
when the d-natted session comes from a tunneled site. My setup is:
192.168.1.0/24 local intranet
192.168.2.0/24 distant intranet
The ipsec tunnel is set up from distant to local in order to get all the
traffic passing through the local firewall (192.168.2.0/24 -> 0.0.0.0/0).
This works perfectly and all the traffic, whether intranet or internet,
passes through the local firewall.
The problem now is that I want to redirect the web traffic to squid
using classical transparent proxying:
iptables -t nat -A PREROUTING -p tcp --dport 80 -m mark --mark 0x50010000/0xFFFF0000 -j DNAT --to 192.168.1.99:3128
For an unknown reason, this is not working. On the 192.168.1.99 host, I
see the connection arriving but it does not come up correctly:
tethereal host 192.168.2.18
0.256680 192.168.2.18 -> 192.168.1.99 TCP 1166 > http [SYN] Seq=0
Ack=0 Win=64512 Len=0 MSS=1260
0.256718 192.168.1.99 -> 192.168.2.18 TCP http > 1166 [SYN, ACK]
Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
0.442346 192.168.2.18 -> 192.168.1.99 TCP 1024 > http [RST] Seq=0
Ack=0 Win=0 Len=0
The last line, the RST, seems not to be issued by the 192.168.2.18 host, but
probably by the firewall/VPN gateway. I have also tried setting
/proc/sys/net/ipv4/conf/*/rp_filter to 0, but the problem is the same.
The same setup was working correctly under a 2.4 kernel, so I think the
problem is about natting the vpn connection.
Is there any problem like this under the current 2.6.8 kernel? Do you
have any idea how to bypass the problem?
-------------------------------------------------------
Alain RICHARD <mailto:alain.richard@equation.fr>
EQUATION SA <http://www.equation.fr/>
Tel : +33 477 79 48 00 Fax : +33 477 79 48 01
Client/server applications, network engineering and Linux
^ permalink raw reply [flat|nested] 8+ messages in thread
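A small check, added here and not part of Alain's post, that applies his reasoning to the tethereal output above: parse the capture lines, remember every flow that sent a SYN, and flag any RST whose 4-tuple never appeared in a handshake. The sample capture is constructed from the three lines in the post, re-joined one packet per line.

```python
import re

# Constructed sample: the three tethereal lines from the post, each packet
# re-joined onto a single line as tethereal prints it.
CAPTURE = """\
0.256680 192.168.2.18 -> 192.168.1.99 TCP 1166 > http [SYN] Seq=0 Ack=0 Win=64512 Len=0 MSS=1260
0.256718 192.168.1.99 -> 192.168.2.18 TCP http > 1166 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
0.442346 192.168.2.18 -> 192.168.1.99 TCP 1024 > http [RST] Seq=0 Ack=0 Win=0 Len=0
"""

# One tethereal summary line: time, src -> dst, TCP, sport > dport, [flags], k=v fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\](?P<rest>.*)$"
)

def parse_line(line):
    """Parse one tethereal TCP line into a dict; None if it is not a TCP summary."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["flags"] = {f.strip() for f in pkt["flags"].split(",")}
    # Trailing "Seq=0 Ack=1 Win=5840 ..." pairs become a small dict.
    pkt["fields"] = dict(kv.split("=", 1) for kv in pkt.pop("rest").split())
    return pkt

def flow_key(pkt):
    """Direction-independent 4-tuple, so both halves of a connection share a key."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))

def find_orphan_resets(capture):
    """Return RST packets whose 4-tuple never appeared in any SYN.

    In the post's capture the RST comes from port 1024 while the client used
    1166, with Seq=0 and Win=0: no handshake owns it, which is what the post
    attributes to the gateway rather than to the 192.168.2.18 host.
    """
    handshakes, orphans = set(), []
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if "SYN" in pkt["flags"]:
            handshakes.add(flow_key(pkt))
        elif "RST" in pkt["flags"] and flow_key(pkt) not in handshakes:
            orphans.append(pkt)
    return orphans
```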
* Re: kernel 2.6 ipsec and DNAT
2004-09-03 17:01 kernel 2.6 ipsec and DNAT Alain RICHARD
@ 2004-09-03 22:31 ` Alexander Samad
2004-09-10 6:13 ` Michael Leun
From: Alexander Samad @ 2004-09-03 22:31 UTC (permalink / raw)
To: netfilter
Hi
This is a known problem with netfilter and 2.6 and ipsec with the native
stack; there are fixes in pom-ng (Patch-o-matic), but this means building
your own kernel as it patches the kernel and the netfilter modules. Not
too bad though, I've been doing this for a while and haven't had any major
problems.
Alex
On Fri, Sep 03, 2004 at 07:01:41PM +0200, Alain RICHARD wrote:
> Hi,
>
> We have been using iptables and ipsec for several years now (starting with
> freeswan 1.0) without too many problems. We have now upgraded to the
> 2.6 kernel (under Fedora 2) and Openswan 2.x.
>
> Our setup works perfectly, with several dozen tunnels up and
> running. We have worked around the lack of an ipsec0 interface by marking
> packets (in fact this is a great solution that enables us to separate
> the firewall settings completely from the vpn tunnels).
>
> The problem I am encountering now is that DNAT does not seem to work
> when the d-natted session comes from a tunneled site. My setup is:
>
>
> 192.168.1.0/24 local intranet
> 192.168.2.0/24 distant intranet
>
> The ipsec tunnel is set up from distant to local in order to get all the
> traffic passing through the local firewall (192.168.2.0/24 -> 0.0.0.0/0).
>
> This works perfectly and all the traffic, whether intranet or internet,
> passes through the local firewall.
>
> The problem now is that I want to redirect the web traffic to squid
> using classical transparent proxying:
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -m mark --mark 0x50010000/0xFFFF0000 -j DNAT --to 192.168.1.99:3128
>
> For an unknown reason, this is not working. On the 192.168.1.99 host, I
> see the connection arriving but it does not come up correctly:
>
> tethereal host 192.168.2.18
> 0.256680 192.168.2.18 -> 192.168.1.99 TCP 1166 > http [SYN] Seq=0
> Ack=0 Win=64512 Len=0 MSS=1260
> 0.256718 192.168.1.99 -> 192.168.2.18 TCP http > 1166 [SYN, ACK]
> Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
> 0.442346 192.168.2.18 -> 192.168.1.99 TCP 1024 > http [RST] Seq=0
> Ack=0 Win=0 Len=0
>
> The last line, the RST, seems not to be issued by the 192.168.2.18 host, but
> probably by the firewall/VPN gateway. I have also tried setting
> /proc/sys/net/ipv4/conf/*/rp_filter to 0, but the problem is the same.
>
> The same setup was working correctly under a 2.4 kernel, so I think the
> problem is about natting the vpn connection.
>
> Is there any problem like this under the current 2.6.8 kernel? Do you
> have any idea how to bypass the problem?
>
> -------------------------------------------------------
> Alain RICHARD <mailto:alain.richard@equation.fr>
> EQUATION SA <http://www.equation.fr/>
> Tel : +33 477 79 48 00 Fax : +33 477 79 48 01
> Client/server applications, network engineering and Linux
>
>
* Re: kernel 2.6 ipsec and DNAT
2004-09-03 22:31 ` Alexander Samad
@ 2004-09-10 6:13 ` Michael Leun
2004-09-10 6:59 ` Alexander Samad
From: Michael Leun @ 2004-09-10 6:13 UTC (permalink / raw)
To: netfilter
Hello,
On Sat, 4 Sep 2004 08:31:15 +1000
Alexander Samad <alex@samad.com.au> wrote:
> > The problem I am encountering now is that it seems that DNAT is not
> > working when the d-natted session is from a tunneled site. My setup
> > is
[...]
> > Is there any problem like this under the current 2.6.8 kernel? Do
> > you have any idea how to bypass the problem?
> This is a known problem with netfilter and 2.6 and ipsec with the
> native stack; there are fixes in pom-ng (Patch-o-matic), but this means
> building your own kernel as it patches the kernel and the netfilter
> modules. Not too bad though, I've been doing this for a while and haven't
> had any major problems.
But, as far as I know, the patches in pom-ng (even CVS) have not worked
since 2.6.7.
I mailed the author of these patches (Patrick McHardy) and he told me twice
that he is going to fix this RSN(tm), but unfortunately he does not seem to
have had time to do it yet.
Have I overlooked something, or is there indeed no working solution for
2.6.8? Has anybody fixed the patches?
--
Bye,
Michael Leun
* Re: kernel 2.6 ipsec and DNAT
2004-09-10 6:13 ` Michael Leun
@ 2004-09-10 6:59 ` Alexander Samad
From: Alexander Samad @ 2004-09-10 6:59 UTC (permalink / raw)
To: netfilter
On Fri, Sep 10, 2004 at 08:13:22AM +0200, Michael Leun wrote:
> Hello,
>
> On Sat, 4 Sep 2004 08:31:15 +1000
> Alexander Samad <alex@samad.com.au> wrote:
>
> > > The problem I am encountering now is that it seems that DNAT is not
> > > working when the d-natted session is from a tunneled site. My setup
> > > is
> [...]
> > > Is there any problem like this under the current 2.6.8 kernel? Do
> > > you have any idea how to bypass the problem?
>
>
> > This is a known problem with netfilter and 2.6 and ipsec with the
> > native stack; there are fixes in pom-ng (Patch-o-matic), but this means
> > building your own kernel as it patches the kernel and the netfilter
> > modules. Not too bad though, I've been doing this for a while and haven't
> > had any major problems.
>
> But, as far as I know, the patches in pom-ng (even CVS) have not worked
> since 2.6.7.
This might be the case, as I haven't looked at it since 2.6.7.
>
> I mailed the author of these patches (Patrick McHardy) and he told me twice
> that he is going to fix this RSN(tm), but unfortunately he does not seem to
> have had time to do it yet.
>
> Have I overlooked something, or is there indeed no working solution for
> 2.6.8? Has anybody fixed the patches?
>
> --
> Bye,
>
> Michael Leun
>
>
>
* kernel 2.6 ipsec and DNAT
@ 2004-09-13 9:48 Javier Sanchez
2004-09-13 10:29 ` Brent Clark
From: Javier Sanchez @ 2004-09-13 9:48 UTC (permalink / raw)
To: netfilter
Hi all,
I have recently discovered on the list that more people are suffering from the
NAT problem with ipsec vpn tunnels on 2.6.x kernels. Does anyone know if
it's fixed on 2.6.8.1?
The only way I found to bypass the NAT problem is using a proxy server
(squid), not the best solution but for now I'm able to surf the web :-)
Best regards
--
GPG Key id: 0x0EF8926E
GPG: Server - gpg.rediris.es
* RE: kernel 2.6 ipsec and DNAT
2004-09-13 9:48 Javier Sanchez
@ 2004-09-13 10:29 ` Brent Clark
2004-09-13 10:32 ` Javier Sanchez
2004-09-16 5:25 ` Michael Leun
From: Brent Clark @ 2004-09-13 10:29 UTC (permalink / raw)
To: Javier Sanchez, netfilter
>Hi all,
>I have recently discovered on the list that more people are suffering from the
>NAT problem with ipsec vpn tunnels on 2.6.x kernels. Does anyone know if
>it's fixed on 2.6.8.1?
>The only way I found to bypass the NAT problem is using a proxy server
>(squid), not the best solution but for now I'm able to surf the web :-)
Hi all,
Sorry for my ignorance,
but why would NAT on a VPN tunnel be a problem?
Are there certain requirements for creating a tunnel?
Can the VPN server/client be on the same box as the iptables
gateway/router/firewall?
If I remember Anthony Stone (who seems to be missing in action, anyone
know why?) correctly, it's best not to have
any services running on the fw.
Just something I was wondering.
Kind Regards,
Brent Clark.
* RE: kernel 2.6 ipsec and DNAT
2004-09-13 10:29 ` Brent Clark
@ 2004-09-13 10:32 ` Javier Sanchez
2004-09-16 5:25 ` Michael Leun
From: Javier Sanchez @ 2004-09-13 10:32 UTC (permalink / raw)
To: Brent Clark; +Cc: netfilter
I need NAT because the internal IPs are private, and the firewall is a
little server I have at home; I don't think about getting another server.
So all the services are on it: quake server, enemy territory, voip, ftp,
http, vpns...
Gateway and clients are on the same subnet, but there's more than one NIC
on the server to separate and control the traffic in a better way.
Cheers
> >Hi all,
>
> >I have recently discovered on the list that more people are suffering from the
> >NAT problem with ipsec vpn tunnels on 2.6.x kernels. Does anyone know if
> >it's fixed on 2.6.8.1?
>
> >The only way I found to bypass the NAT problem is using a proxy server
> >(squid), not the best solution but for now I'm able to surf the web :-)
>
> Hi all,
>
> Sorry for my ignorance,
>
> but why would NAT on a VPN tunnel be a problem?
> Are there certain requirements for creating a tunnel?
> Can the VPN server/client be on the same box as the iptables
> gateway/router/firewall?
>
> If I remember Anthony Stone (who seems to be missing in action, anyone
> know why?) correctly, it's best not to have
> any services running on the fw.
>
> Just something I was wondering.
>
> Kind Regards,
> Brent Clark.
>
>
>
--
GPG Key id: 0x0EF8926E
GPG: Server - gpg.rediris.es
* Re: kernel 2.6 ipsec and DNAT
2004-09-13 10:29 ` Brent Clark
2004-09-13 10:32 ` Javier Sanchez
@ 2004-09-16 5:25 ` Michael Leun
From: Michael Leun @ 2004-09-16 5:25 UTC (permalink / raw)
To: netfilter
Hello,
On Mon, 13 Sep 2004 12:29:56 +0200
"Brent Clark" <bclark@eccotours.biz> wrote:
> >Hi all,
>
> >I have recently discovered on the list that more people are suffering
> >from the NAT problem with ipsec vpn tunnels on 2.6.x kernels. Does anyone
> >know if it's fixed on 2.6.8.1?
>
> >The only way I found to bypass the NAT problem is using a proxy
> >server (squid), not the best solution but for now I'm able to surf the
> >web :-)
> But why would NAT on a VPN tunnel be a problem?
> Are there certain requirements for creating a tunnel?
> Can the VPN server/client be on the same box as the iptables
> gateway/router/firewall?
I have a notebook, running Linux of course, and I have a VPN tunnel. There
are sometimes some jobs which require Windows, because there is no such
software for Linux; then I run Windows in vmware and need, of course,
Linux to forward the packets from vmware through the tunnel.
I would really appreciate seeing this fixed soon.
--
Bye,
Michael Leun