* RE: VPN over netfilter NAT
From: Brent Clark @ 2004-09-16 11:47 UTC (permalink / raw)
To: Alexandros Papadopoulos, netfilter
>I stumbled across
>http://www.linuxhomenetworking.com/linux-adv/vpn-linux.htm today, which
>states that "NAT breaks VPNs".
>Is this just an over-simplifying statement that really means "if you're
>reading this, then don't even try setting up a NAT-traversing VPN"?
>This is exactly what I'm planning to do; I've got my mind set on having
>the two VPN endpoints inside two NATed networks, both managed by
>respective dedicated linux boxes running only netfilter.
>If that is indeed possible (and doable for a first timer), could anyone
>provide some relevant pointers to documentation?
>Cheers
>A
Hi
I too am new to VPNs etc., but from what I gather, if you use openswan or
freeswan etc. on the SAME box that is your firewall, gateway etc., it should
not be a problem.
Kind Regards
Brent Clark
* Re: VPN over netfilter NAT
From: John A. Sullivan III @ 2004-09-16 11:49 UTC (permalink / raw)
To: Alexandros Papadopoulos; +Cc: netfilter
On Thu, 2004-09-16 at 07:36, Alexandros Papadopoulos wrote:
> I stumbled across
> http://www.linuxhomenetworking.com/linux-adv/vpn-linux.htm today, which
> states that "NAT breaks VPNs".
>
> Is this just an over-simplifying statement that really means "if you're
> reading this, then don't even try setting up a NAT-traversing VPN"?
>
> This is exactly what I'm planning to do; I've got my mind set on having
> the two VPN endpoints inside two NATed networks, both managed by
> respective dedicated linux boxes running only netfilter.
>
> If that is indeed possible (and doable for a first timer), could anyone
> provide some relevant pointers to documentation?
>
> Cheers
>
> -A
There is quite a bit of (somewhat dated) information about using these
technologies together in the training section at
http://iscs.sourceforge.net
One can use IPSec and NAT but with some caveats. The simplest way is if
you can arrange for a one-to-one NAT so that the public address is fixed
and unique.
If you must do NAPT, i.e., many-to-one - port address translation, then
you can use NAT Traversal. However, this will work for outbound
initiated connections only. The initiating point needs to find the
other end point. So, for example, one can use NAT-T for one's mobile
users but it would be near impossible to do so for the gateway to which
they connect. I have never tried port-mapping a VPN gateway and have no
idea if that would work.
Good luck with it - John
--
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevel.com
* OFFTOPIC: Re: VPN over netfilter NAT
From: Leonardo Rodrigues Magalhães @ 2004-09-16 12:00 UTC (permalink / raw)
To: netfilter, apapadop
Well ...... this is not completely true, as well it's not a complete lie.
Reading the doc you sent us the link to, I could notice the author explains
how to set up an IPSec VPN, using FreeSWAN.
It's true that IPSec is NOT a NAT-friendly protocol, just like HTTP or
SMTP. IPSec requires special care when doing NAT. This 'special care' is
implemented in NAT helpers, just like ip_nat_ftp. And an IPSec NAT helper was
never developed or, at least, never made publicly available.
BUT, there's a patch called NAT-T which allows IPSec to work fine on NAT
situations.
You should also notice that FreeSWAN is not being developed anymore. Two
projects continued developing the FreeSWAN source, which are:
http://www.openswan.org/
http://www.strongswan.org/
Seems that both projects applied the NAT-T patch into their distribution
codes. So, you WILL be able to run IPSec VPN over NAT **IF** both peers are
NAT-T capable and correctly configured for that.
And you can always try other VPN daemons. In several situations I
prefer using OpenVPN (http://openvpn.sourceforge.net), which is much
simpler to configure and is NAT friendly with no extra configuration. If
you're trying to establish a VPN between 2 Linuxes, OpenVPN may be a great
option. But if you're trying Linux-Cisco or Linux-something else, maybe
IPSec will be your only option.
Hope it helps .....
Sincerely,
Leonardo Rodrigues
----- Original Message -----
From: "Alexandros Papadopoulos" <apapadop@alumni.carnegiemellon.edu>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, September 16, 2004 8:36 AM
Subject: VPN over netfilter NAT
> I stumbled across
> http://www.linuxhomenetworking.com/linux-adv/vpn-linux.htm today, which
> states that "NAT breaks VPNs".
>
> Is this just an over-simplifying statement that really means "if you're
> reading this, then don't even try setting up a NAT-traversing VPN"?
>
> This is exactly what I'm planning to do; I've got my mind set on having
> the two VPN endpoints inside two NATed networks, both managed by
> respective dedicated linux boxes running only netfilter.
>
> If that is indeed possible (and doable for a first timer), could anyone
> provide some relevant pointers to documentation?
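As an added illustration of the NAT-T mechanics Leonardo refers to (example code written for this archive, not from the thread or from the openswan/strongswan projects): the RFC 3948 framing on UDP/4500 that lets a NAT-T peer tell an IKE message from a UDP-encapsulated ESP packet, plus the check that shows why native ESP and AH cannot pass a many-to-one NAT. The protocol numbers are standard; the sample datagrams are constructed, not captured.

```python
import struct

# RFC 3948: on UDP/4500 an IKE message is prefixed with four zero bytes (the
# "Non-ESP Marker"); UDP-encapsulated ESP has no marker and starts with the
# ESP header (SPI, sequence number). SPI 0 is reserved, so they never collide.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"  # RFC 3948 section 2.3: one-byte NAT keepalive

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51

def napt_can_translate(ip_proto: int) -> bool:
    """Many-to-one NAT (NAPT) multiplexes inside hosts on a transport port.

    TCP and UDP carry one; native ESP and AH do not, so the NAT cannot tell
    two inside hosts' tunnels apart. AH also authenticates the outer IP
    addresses, so any rewrite fails its integrity check. This is the
    "NAT breaks IPsec" problem that NAT-T's UDP encapsulation works around.
    """
    return ip_proto in (IPPROTO_TCP, IPPROTO_UDP)

def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify one UDP/4500 payload the way a NAT-T peer does."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        raise ValueError("too short to be ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike": payload[4:]}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}

def esp_in_udp(spi: int, seq: int, body: bytes) -> bytes:
    """Build the UDP/4500 payload for one ESP packet (RFC 3948 section 2.1):
    the ESP header follows the UDP header directly, with no marker."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would read as the marker")
    return struct.pack("!II", spi, seq) + body

# Constructed sample datagrams, not captured traffic.
IKE_SAMPLE = NON_ESP_MARKER + bytes(range(28))   # marker + fake IKE header
ESP_SAMPLE = esp_in_udp(0x0A1B2C3D, 7, b"\xaa" * 16)

if __name__ == "__main__":
    for name, p in (("ike", IKE_SAMPLE), ("esp", ESP_SAMPLE), ("ka", NAT_KEEPALIVE)):
        print(name, classify_nat_t_payload(p)["kind"])
    print("native ESP through NAPT:", napt_can_translate(IPPROTO_ESP))
```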
* Re: VPN over netfilter NAT
From: Jason Opperisano @ 2004-09-16 12:30 UTC (permalink / raw)
To: netfilter
On Thu, 2004-09-16 at 07:36, Alexandros Papadopoulos wrote:
> I stumbled across
> http://www.linuxhomenetworking.com/linux-adv/vpn-linux.htm today, which
> states that "NAT breaks VPNs".
yes it does. not that you can't put a cast on it, though...
> Is this just an over-simplifying statement that really means "if you're
> reading this, then don't even try setting up a NAT-traversing VPN"?
>
it is an over-simplifying statement--but it's generally good advice.
> This is exactly what I'm planning to do; I've got my mind set on having
> the two VPN endpoints inside two NATed networks, both managed by
> respective dedicated linux boxes running only netfilter.
move the endpoints of the VPN tunnel to be the linux boxes running
netfilter, unless you have "i helped write the RFCs" level of
familiarity with IPSec.
> If that is indeed possible (and doable for a first timer), could anyone
> provide some relevant pointers to documentation?
http://www.openswan.org/ has the latest version of the freeswan
implementation, but their docs are still catching up.
the old freeswan docs are still available--
http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/toc.html might be
a good place to start.
having both ends of a site-to-site VPN behind NAT is an awfully painful
situation. especially if you have the netfilter gateways available to
do the job.
there's the common statement of "don't run any services on your
firewall, period" which i generally agree with. when it comes to
IPSec--i do not. i think the firewall is a fine place to terminate VPN
tunnels (decrypt->filter->NEXT)...
-j
--
Jason Opperisano <opie@817west.com>
* Re: VPN over netfilter NAT
From: Aleksandar Milivojevic @ 2004-09-16 14:36 UTC (permalink / raw)
To: netfilter
Alexandros Papadopoulos wrote:
> I stumbled across
> http://www.linuxhomenetworking.com/linux-adv/vpn-linux.htm today, which
> states that "NAT breaks VPNs".
>
> Is this just an over-simplifying statement that really means "if you're
> reading this, then don't even try setting up a NAT-traversing VPN"?
Yes and no. Depends on what you mean by VPN. VPN can be implemented in
many different ways. With IPSec implementation you may run into
problems (some solvable, some not). With user space daemon
implementations such as OpenVPN or VTun, you shouldn't have any
problems. Basically it is a good idea not to have VPN endpoints behind
NAT (if possible, of course).
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
* Re: VPN over netfilter NAT
From: Les Mikesell @ 2004-09-16 17:11 UTC (permalink / raw)
To: Aleksandar Milivojevic; +Cc: netfilter
On Thu, 2004-09-16 at 09:36, Aleksandar Milivojevic wrote:
> >
> > Is this just an over-simplifying statement that really means "if you're
> > reading this, then don't even try setting up a NAT-traversing VPN"?
>
> Yes and no. Depends on what you mean by VPN. VPN can be implemented in
> many different ways. With IPSec implementation you may run into
> problems (some solvable, some not). With user space daemon
> implementations such as OpenVPN or VTun, you shouldn't have any
> problems. Basically it is good idea not to have VPN endpoints behind
> NAT (if possible, of course).
CIPE (http://sites.inka.de/sites/bigred/devel/cipe.html) works over
NAT anywhere you can get UDP packets back and forth. It was included
in RH9 and fedora core 1 as a fill-in-the-form option in the network
setup GUI but was dropped in fedora core 2 because it didn't work
with the 2.6 Linux kernel. CIPE 1.6 claims to work with the 2.6
kernel now, but there still seems to be a problem making it work
with FC2.
---
Les Mikesell
les@futuresource.com
* Re: VPN over netfilter NAT
From: Kenneth Porter @ 2004-09-17 1:36 UTC (permalink / raw)
To: netfilter
--On Thursday, September 16, 2004 2:36 PM +0300 Alexandros Papadopoulos
<apapadop@alumni.carnegiemellon.edu> wrote:
> This is exactly what I'm planning to do; I've got my mind set on having
> the two VPN endpoints inside two NATed networks, both managed by
> respective dedicated linux boxes running only netfilter.
If you're not wedded to IPSec, you might try OpenVPN, which runs over SSL.
I found it a lot easier to get working.
<http://openvpn.sourceforge.net/>
* Re: VPN over netfilter NAT
From: Peter Marshall @ 2004-11-12 13:09 UTC (permalink / raw)
To: Alexandros Papadopoulos, netfilter
I know this was an old post .. but I just thought I would add my two cents
....
When choosing your VPN you need to consider what type of servers the VPN
servers will be ... For instance ... if you are using two different types
of servers for endpoints .. say rh and bsd .. you will be limited in
options. (I only bring this aside up as a lot of the posts mentioned
specific VPN solutions .. but not all work on all platforms).
As for the NAT question .... This is dependent on what you are doing. Are
you setting up a permanent VPN between two offices or are you trying to set
up a road warrior configuration? If the first is what you are doing, then
you can either put the VPN server on your firewall .... or, if you have a
DMZ, put it on a box in your DMZ. Personally I would and have chosen the
DMZ route as I don't like running anything on my firewall box and also, when
you mess up configuring your VPN ... (this is likely for first time
VPN'ers), your firewall will be down and out.
What most of the docs are referring to with "No NAT" is that for most VPN
servers, you cannot have the VPN server on an internal IP address .... it
has to have a public address.
Hope this helps ... I realize my post is probably way too late for you.
Peter
----- Original Message -----
From: "Alexandros Papadopoulos" <apapadop@alumni.carnegiemellon.edu>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, September 16, 2004 7:36 AM
Subject: VPN over netfilter NAT
I stumbled across
http://www.linuxhomenetworking.com/linux-adv/vpn-linux.htm today, which
states that "NAT breaks VPNs".
Is this just an over-simplifying statement that really means "if you're
reading this, then don't even try setting up a NAT-traversing VPN"?
This is exactly what I'm planning to do; I've got my mind set on having
the two VPN endpoints inside two NATed networks, both managed by
respective dedicated linux boxes running only netfilter.
If that is indeed possible (and doable for a first timer), could anyone
provide some relevant pointers to documentation?
Cheers
-A
* Re: VPN over netfilter NAT
From: Michel van der Klei @ 2004-11-12 13:54 UTC (permalink / raw)
To: Peter Marshall; +Cc: Alexandros Papadopoulos, netfilter
On Fri, Nov 12, 2004 at 09:09:55AM -0400, Peter Marshall wrote:
> What most of the docs are refering to with "No NAT" is that for most vpn
> servers, you can not have the VPN server on an internal IP address .... it
> has to have a public address.
>
I don't know if you've looked at pptpproxy. I use it very often and it works
great for me.
You can find more info on this site:
http://www.mgix.com/pptpproxy/
Greetz,
Michel
>
> ----- Original Message -----
> From: "Alexandros Papadopoulos" <apapadop@alumni.carnegiemellon.edu>
> To: <netfilter@lists.netfilter.org>
> Sent: Thursday, September 16, 2004 7:36 AM
> Subject: VPN over netfilter NAT
>
>
> I stumbled across
> http://www.linuxhomenetworking.com/linux-adv/vpn-linux.htm today, which
> states that "NAT breaks VPNs".
>
> Is this just an over-simplifying statement that really means "if you're
> reading this, then don't even try setting up a NAT-traversing VPN"?
>
> This is exactly what I'm planning to do; I've got my mind set on having
> the two VPN endpoints inside two NATed networks, both managed by
> respective dedicated linux boxes running only netfilter.
>
> If that is indeed possible (and doable for a first timer), could anyone
> provide some relevant pointers to documentation?
>
> Cheers
>
> -A
>