* Iptables, nat, and IPSec
@ 2005-04-06  1:47 dave beach
  2005-04-06  2:10 ` Daniel Lopes
  0 siblings, 1 reply; 7+ messages in thread
From: dave beach @ 2005-04-06  1:47 UTC (permalink / raw)
  To: netfilter

I have a class C private net behind both a dedicated linux/iptables box and
a Linksys BEFSR41 broadband router. Traffic outbound from the iptables box
to the router is DNATted to that machine's "external" (but still private) IP
by iptables, and NATted again by the router to ITS external (public) IP.
Everything works fine, except...

I need to be able to run two concurrent passthrough IPSec sessions outbound
through that configuration. Singly, they work fine. When run concurrently,
the second one to try and connect to the office VPN (the IPSec requirement)
fails.

Digging through Linksys documentation reveals that this particular router
will not support more than one passthrough IPSec session. Before I go and
drop money on a replacement router (such as the BEFSX41), are there inherent
limitations with iptables (or, probably more accurately) with NAT/IPSec
generally, that would render such a purchase a waste of money in that it
wouldn't solve my problem?

Of course, I COULD bypass the iptables box and plug the second connecting
device right into the (new) router, but I'd rather not do that if I don't
have to.


* Re: Iptables, nat, and IPSec
  2005-04-06  1:47 Iptables, nat, and IPSec dave beach
@ 2005-04-06  2:10 ` Daniel Lopes
  2005-04-06  2:30   ` dave beach
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel Lopes @ 2005-04-06  2:10 UTC (permalink / raw)
  To: netfilter

dave beach schrieb:
> I have a class C private net behind both a dedicated linux/iptables box and
> a Linksys BEFSR41 broadband router. Traffic outbound from the iptables box
> to the router is DNATted to that machine's "external" (but still private) IP
> by iptables, and NATted again by the router to ITS external (public) IP.
> Everything works fine, except...
> 
> I need to be able to run two concurrent passthrough IPSec sessions outbound
> through that configuration. Singly, they work fine. When run concurrently,
> the second one to try and connect to the office VPN (the IPSec requirement)
> fails.
> 
> Digging through Linksys documentation reveals that this particular router
> will not support more than one passthrough IPSec session. Before I go and
> drop money on a replacement router (such as the BEFSX41), are there inherent
> limitations with iptables (or, probably more accurately) with NAT/IPSec
> generally, that would render such a purchase a waste of money in that it
> wouldn't solve my problem?
> 
> Of course, I COULD bypass the iptables box and plug the second connecting
> device right into the (new) router, but I'd rather not do that if I don't
> have to.
> 
> 
It's an IPSec problem. I don't want to go into detail but you probably
should try NAT-Traversal.
For the theory http://www.ipsec-howto.org/x180.html
And the outbound traffic from the linux box to the router probably is
SNATed ;).



* RE: Iptables, nat, and IPSec
  2005-04-06  2:10 ` Daniel Lopes
@ 2005-04-06  2:30   ` dave beach
  2005-04-06 11:10     ` dave beach
  0 siblings, 1 reply; 7+ messages in thread
From: dave beach @ 2005-04-06  2:30 UTC (permalink / raw)
  To: 'Daniel Lopes', netfilter

Er, yes, SNATted. Silly fingers, won't type what's in my head.

I'll have a look at the link, but on the face of it the Linksys glossies
seem to say it should work just fine absent the iptables middleman - in
other words, the router doing DHCP on the "inside" with a class C private
net, and knowing how to route multiple IPSec passthrough connections to
their appropriate internal destinations.

That doesn't seem, at first glance, to square with "it's an IPSec problem" -
but maybe the Linksys documentation is... Optimistic. 


* RE: Iptables, nat, and IPSec
  2005-04-06  2:30   ` dave beach
@ 2005-04-06 11:10     ` dave beach
  2005-04-06 11:42       ` John A. Sullivan III
  2005-04-06 17:03       ` Daniel Lopes
  0 siblings, 2 replies; 7+ messages in thread
From: dave beach @ 2005-04-06 11:10 UTC (permalink / raw)
  To: 'Daniel Lopes', netfilter

> It's an IPSec problem. I don't want to go into detail but you probably
> should try NAT-Traversal.
> For the theory http://www.ipsec-howto.org/x180.html

Okay, I've read the reference. If I understand correctly, I need to use a
NAT methodology that implements "NAT Traversal" (the reference is a little
vague on this; in fairness, it does say "There are no RFCs at the moment").
It might be therefore fair to say that the Linksys implementation includes
NAT Traversal, enabling it to handle multiple IPSec passthrough connections.

Which leads me to what I suppose was the original question, now slightly
modified: does iptables support NAT Traversal?




* RE: Iptables, nat, and IPSec
  2005-04-06 11:10     ` dave beach
@ 2005-04-06 11:42       ` John A. Sullivan III
  2005-04-06 17:03       ` Daniel Lopes
  1 sibling, 0 replies; 7+ messages in thread
From: John A. Sullivan III @ 2005-04-06 11:42 UTC (permalink / raw)
  To: dave beach; +Cc: Netfilter users list

On Wed, 2005-04-06 at 07:10 -0400, dave beach wrote:
> > It's an IPSec problem. I don't want to go into detail but you probably
> > should try NAT-Traversal.
> > For the theory http://www.ipsec-howto.org/x180.html
> 
> Okay, I've read the reference. If I understand correctly, I need to use a
> NAT methodology that implements "NAT Traversal" (the reference is a little
> vague on this; in fairness, it does say "There are no RFCs at the moment").
> It might be therefore fair to say that the Linksys implementation includes
> NAT Traversal, enabling it to handle multiple IPSec passthrough connections.
> 
> Which leads me to what I suppose was the original question, now slightly
> modified: does iptables support NAT Traversal?
> 
I did not read your original post but, in direct answer to your last
question, yes, we do NAT-T through and to iptables firewalls all the
time on the ISCS network security management project
(http://iscs.sourceforge.net) - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net




* Re: Iptables, nat, and IPSec
  2005-04-06 11:10     ` dave beach
  2005-04-06 11:42       ` John A. Sullivan III
@ 2005-04-06 17:03       ` Daniel Lopes
  2005-04-06 22:42         ` dave beach
  1 sibling, 1 reply; 7+ messages in thread
From: Daniel Lopes @ 2005-04-06 17:03 UTC (permalink / raw)
  To: netfilter

dave beach schrieb:
> > It's an IPSec problem. I don't want to go into detail but you probably
> > should try NAT-Traversal.
> > For the theory http://www.ipsec-howto.org/x180.html
> 
> Okay, I've read the reference. If I understand correctly, I need to use a
> NAT methodology that implements "NAT Traversal" (the reference is a little
> vague on this; in fairness, it does say "There are no RFCs at the moment").
> It might be therefore fair to say that the Linksys implementation includes
> NAT Traversal, enabling it to handle multiple IPSec passthrough connections.
> 
> Which leads me to what I suppose was the original question, now slightly
> modified: does iptables support NAT Traversal?
> 
> 
From the web page:
"What does NAT traversal do to help? NAT-traversal again encapsulates 
the ESP packets in UDP packets. These can easily be handled by a NAT 
device since they provide ports."

So you have to activate the NAT-T "feature" on your clients and make sure 
the other side supports it too.

And to answer your question: yes, every NAT device should be able to 
handle multiple IPSec NAT-Ted connections, because they are wrapped 
within UDP packets and so every connection can be tracked. The essential 
thing is that both sides which use IPSec are aware of NAT-T and that it is 
correctly configured.


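The mechanism Daniel describes above, and the conclusion dave reaches later in the thread (both IPsec endpoints negotiate NAT-T and the NAT box in between just sees UDP), as an added example that is not code from any post in this thread. It models RFC 3948 UDP encapsulation (ESP inside UDP/4500, IKE marked by four zero bytes, one-byte keepalives) and a deliberately simplified port-based NAT, to show why raw ESP (IP protocol 50, no ports) leaves a NAT unable to tell two inside clients apart while UDP-encapsulated ESP gives it an ordinary UDP flow per tunnel. All addresses, ports, SPIs and packet bytes are constructed sample values, and the `SimpleNat` class is an illustrative model, not any vendor's or netfilter's implementation.

```python
"""RFC 3948 NAT-T demux and a toy source NAT: why ESP-in-UDP lets a NAT
track several IPsec tunnels where raw ESP does not.
Added example for this thread, not code from the list posts; every value
below is constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ESP_PROTO = 50                          # raw ESP: no transport-layer ports
UDP_PROTO = 17
NAT_T_PORT = 4500                       # port IKE/ESP move to once NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # RFC 3948 2.2: IKE inside UDP/4500
NAT_KEEPALIVE = b"\xff"                 # RFC 3948 2.3: one-byte keepalive


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    payload: bytes


def classify_udp4500(payload: bytes) -> str:
    """Tell keepalive, IKE and ESP apart inside one UDP/4500 datagram."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):   # a real ESP SPI is never zero
        return "ike"
    if len(payload) >= 8:                    # SPI + sequence number present
        return "esp"
    return "malformed"


def esp_spi(esp: bytes) -> int:
    """ESP (RFC 4303) begins with a 32-bit SPI followed by a 32-bit sequence number."""
    spi, _seq = struct.unpack("!II", esp[:8])
    return spi


def esp_packet(spi: int, seq: int = 1) -> bytes:
    """Constructed ESP header plus a dummy encrypted body."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16


class SimpleNat:
    """Toy source NAT with one public address (assumption for the example).
    UDP flows get a fresh public port and are mapped back by it. Raw ESP has
    no ports and the inbound SPI is chosen by the remote gateway, so this NAT
    can only deliver ESP replies when one inside host talks to that gateway,
    which mirrors the single-passthrough limit discussed in the thread."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.udp_map: Dict[int, Tuple[str, int]] = {}   # public port -> inside (ip, port)
        self.esp_hosts: Dict[str, Set[str]] = {}        # gateway -> inside hosts using raw ESP

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == UDP_PROTO:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.udp_map[pub_port] = (pkt.src, pkt.sport)
            return Packet(UDP_PROTO, self.public_ip, pkt.dst, pub_port, pkt.dport, pkt.payload)
        if pkt.proto == ESP_PROTO:
            self.esp_hosts.setdefault(pkt.dst, set()).add(pkt.src)
            return Packet(ESP_PROTO, self.public_ip, pkt.dst, None, None, pkt.payload)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Inside host a reply belongs to, or None when the NAT cannot decide."""
        if pkt.proto == UDP_PROTO:
            entry = self.udp_map.get(pkt.dport)
            return entry[0] if entry else None
        if pkt.proto == ESP_PROTO:
            hosts = self.esp_hosts.get(pkt.src, set())
            return next(iter(hosts)) if len(hosts) == 1 else None
        raise ValueError(f"unsupported protocol {pkt.proto}")


def demo() -> dict:
    """Two inside clients to one VPN gateway: raw ESP first, then NAT-T."""
    gw, host_a, host_b = "203.0.113.1", "192.168.1.10", "192.168.1.11"   # constructed
    results = {}

    nat = SimpleNat("192.0.2.1")                                         # constructed public IP
    nat.outbound(Packet(ESP_PROTO, host_a, gw, None, None, esp_packet(0x1001)))
    reply = Packet(ESP_PROTO, gw, nat.public_ip, None, None, esp_packet(0x2001))
    results["raw_esp_one_client"] = nat.inbound(reply)      # works: only one candidate
    nat.outbound(Packet(ESP_PROTO, host_b, gw, None, None, esp_packet(0x1002)))
    results["raw_esp_two_clients"] = nat.inbound(reply)     # None: second tunnel breaks it

    nat = SimpleNat("192.0.2.1")
    out_a = nat.outbound(Packet(UDP_PROTO, host_a, gw, NAT_T_PORT, NAT_T_PORT, esp_packet(0x1001)))
    out_b = nat.outbound(Packet(UDP_PROTO, host_b, gw, NAT_T_PORT, NAT_T_PORT, esp_packet(0x1002)))
    results["nat_t_ports_differ"] = out_a.sport != out_b.sport
    reply_a = Packet(UDP_PROTO, gw, nat.public_ip, NAT_T_PORT, out_a.sport, esp_packet(0x2001))
    reply_b = Packet(UDP_PROTO, gw, nat.public_ip, NAT_T_PORT, out_b.sport, esp_packet(0x2002))
    results["nat_t_client_a"] = nat.inbound(reply_a)        # port maps back to host A
    results["nat_t_client_b"] = nat.inbound(reply_b)        # and to host B, unambiguously
    results["reply_kind"] = classify_udp4500(reply_a.payload)
    return results
```

Running `demo()` gives `raw_esp_two_clients` as `None` and both `nat_t_client_*` entries resolved, which is the whole point of the advice in the thread: once the endpoints negotiate NAT-T, the iptables box needs nothing IPsec-specific beyond its existing SNAT/MASQUERADE rule and permitting UDP 500 (IKE) and UDP 4500 (NAT-T) through, since conntrack then sees each tunnel as a normal UDP flow.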

* RE: Iptables, nat, and IPSec
  2005-04-06 17:03       ` Daniel Lopes
@ 2005-04-06 22:42         ` dave beach
  0 siblings, 0 replies; 7+ messages in thread
From: dave beach @ 2005-04-06 22:42 UTC (permalink / raw)
  To: 'Daniel Lopes', netfilter

> So you have to activate on your clients the NAT-T "feature" and be sure
> the other side supports it too.

Okay, so if I understand correctly it's a matter of configuring both sides
of the IPSec connection in accordance with their NAT-Traversal settings, and
any intermediate NATting device is blissfully oblivious.

So, clearly, my next step is to figure out if Nortel's Contivity server and
client software support NAT-Traversal, and I can stop looking at my iptables
box and router.


