From: Michael Gale <michael.gale@utilitran.com>
To: Ola Nilsson <ola@fam-nilsson.org>, netfilter@lists.netfilter.org
Subject: Re: IPSec through my firewall
Date: Tue, 15 Feb 2005 07:46:06 -0700
Message-ID: <42120B2E.9020802@utilitran.com>
In-Reply-To: <87vf8ui0g9.fsf@helmut.nilsson.homedns.org>
Hello,
You cannot NAT ESP (protocol 50) traffic. Some IPSEC clients and
servers support NATing, but I believe this requires special
implementation on the client and server end.
If you want to NAT a VPN tunnel I suggest you try an SSL based VPN.
OpenVPN works well; you could also try TCP or UDP encapsulation to help
get around the NAT issue.
Michael.
Ola Nilsson wrote:
> Hello,
>
> I've got problems with getting IPSec (using NAT-T) traffic through my
> Linux 2.6.10 based firewall. I've now changed my iptables script to
> something rather simple:
>
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> Which is far too open, but I used it to try to find the problem. What I
> see with Ethereal is that the connection seems to have two
> phases. Both phases use UDP on port 4500. In the first phase ISAKMP
> is used, then ESP.
>
> 192.168.3.249 is the IP of the machine on my LAN that wants to do IPSec.
> 1.2.3.4 is the IP of the other end of the IPSec tunnel.
> 5.6.7.8 is the IP of my firewall's interface on the internet.
>
> This is what I see:
>
> No.   Time       Source         Destination    Protocol  Info
>   3   0.001148   192.168.3.249  1.2.3.4        ISAKMP    Aggressive
>   4   0.001165   5.6.7.8        1.2.3.4        ISAKMP    Aggressive
>   5   9.999541   1.2.3.4        5.6.7.8        ISAKMP    Aggressive
>   6   9.999586   1.2.3.4        192.168.3.249  ISAKMP    Aggressive
>
> 460  77.461355   192.168.3.249  1.2.3.4        ESP       ESP (SPI=0x384a545c)
> 461  77.461383   192.168.3.249  1.2.3.4        ESP       ESP (SPI=0x384a545c)
> 462  78.961453   192.168.3.249  1.2.3.4        ESP       ESP (SPI=0x384a545c)
>
> During the ISAKMP phase, my firewall NATs as it should, and the
> client reports the tunnel as working. But once the real ESP traffic
> starts to flow, it doesn't get NATed as I would like it to.
>
> I've googled quite a lot, and also tried using firehol to set up the
> iptables (and gotten some help on the firehol forum), but I'm still
> unsuccessful. What should I do to debug this? Anyone have a set of
> rules that allows ISAKMP/ESP on UDP port 4500?
>
> Regards,
--
Michael Gale
Lan Administrator
Utilitran Corp.
Hey, let me file that under important .... > /dev/null
...
"Hey did you read my e-mail"
"Let my check"
^From:.* > /dev/null
"Nope, I missed it, send it again"
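A small diagnostic worth having next to this thread (an added example, not code from either poster): it parses the Ethereal summary lines quoted above and, for every packet the LAN host sent, checks whether a copy re-sourced to the firewall's external address followed it. On the quoted capture the ISAKMP packet was translated and the three ESP packets were not, which is exactly the symptom Ola describes. The capture lines and addresses are the ones quoted in the message; the 10 ms matching window is an assumption.

```python
import re
from collections import namedtuple

# Packet summary lines copied from the quoted Ethereal capture; the parser
# skips the header and any leading '> ' quoting.
CAPTURE = """
No. Time Source Destination Protocol Info
3 0.001148 192.168.3.249 1.2.3.4 ISAKMP Aggressive
4 0.001165 5.6.7.8 1.2.3.4 ISAKMP Aggressive
5 9.999541 1.2.3.4 5.6.7.8 ISAKMP Aggressive
6 9.999586 1.2.3.4 192.168.3.249 ISAKMP Aggressive
460 77.461355 192.168.3.249 1.2.3.4 ESP ESP (SPI=0x384a545c)
461 77.461383 192.168.3.249 1.2.3.4 ESP ESP (SPI=0x384a545c)
462 78.961453 192.168.3.249 1.2.3.4 ESP ESP (SPI=0x384a545c)
"""
LAN_HOST, FIREWALL_EXT = "192.168.3.249", "5.6.7.8"   # from the posting
Pkt = namedtuple("Pkt", "no time src dst proto info")
# No. Time Source Destination Protocol Info (Info may contain spaces)
LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_capture(text):
    """Parse summary lines into Pkt records; non-matching lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.lstrip("> ").rstrip())
        if m:
            no, t, src, dst, proto, info = m.groups()
            pkts.append(Pkt(int(no), float(t), src, dst, proto, info))
    return pkts

def untranslated(pkts, lan_host=LAN_HOST, fw_ext=FIREWALL_EXT, window=0.01):
    """LAN-host packets that never reappeared re-sourced to the firewall's
    external address within `window` seconds (assumed 10 ms): the ones
    MASQUERADE did not rewrite."""
    def has_copy(p):
        return any(q.src == fw_ext and q.dst == p.dst and q.proto == p.proto
                   and 0 <= q.time - p.time <= window for q in pkts)
    return [p for p in pkts if p.src == lan_host and not has_copy(p)]

def nat_report(pkts, **kw):
    """Per protocol: (packets the LAN host sent, how many were not NATed)."""
    lan_host = kw.get("lan_host", LAN_HOST)
    missing = {p.no for p in untranslated(pkts, **kw)}
    report = {}
    for p in pkts:
        if p.src == lan_host:
            seen, lost = report.get(p.proto, (0, 0))
            report[p.proto] = (seen + 1, lost + (p.no in missing))
    return report
```

Running `nat_report(parse_capture(CAPTURE))` on the quoted capture gives `{'ISAKMP': (1, 0), 'ESP': (3, 3)}`: the IKE exchange was masqueraded, the ESP-in-UDP packets were not.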