Linux Netfilter discussions
* DNAT IPSec
From: Tom Tonk @ 2008-04-24 21:16 UTC (permalink / raw)
  To: netfilter

Hi,

I have a problem setting up DNAT in an IPSec environment. Here is my setup:

Client(192.168.0.200) <-> 192.168.0.101(NAT-Box) <-> 192.168.122.100(Client)

I want to set up a secure tunnel between both client machines. Since one 
client is behind a NAT box I have to use NAT-T in racoon. On client 
192.168.122.100 a telnet server is also running, which should be available 
from client 192.168.0.200 on the other subnet.

NAT for NAT-T on 192.168.0.101 is implemented with these rules:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       esp  --  0.0.0.0/0            0.0.0.0/0           to:192.168.122.100
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 500,4500 to:192.168.122.100

On both clients, racoon is running with this config:

path pre_shared_key "/etc/racoon/psk.txt";

timer  {
        natt_keepalive 10sec;
        }

listen {
        isakmp 192.168.122.100 [500];
        isakmp_natt 192.168.122.100 [4500];
        }

remote 192.168.0.200 {
         exchange_mode main;
         nat_traversal on;
         proposal {
                 encryption_algorithm 3des;
                 hash_algorithm md5;
                 authentication_method pre_shared_key;
                 dh_group modp1024;
         }
}
sainfo address 192.168.0.101 any address 192.168.0.200 any {
         pfs_group modp768;
         encryption_algorithm 3des;
         authentication_algorithm hmac_md5;
         compression_algorithm deflate;
}

The config on the other machine looks similar. setkey is using these policies:

spdadd 192.168.0.200 192.168.0.101 any -P in ipsec
            esp/tunnel/192.168.0.200-192.168.0.101/require;

spdadd 192.168.0.101 192.168.0.200 any -P out ipsec
            esp/tunnel/192.168.0.101-192.168.0.200/require;

Again, similar config on the other box.

When I ping 192.168.0.101 from 192.168.0.200, the tunnel is created:

[root@rhel4 racoon]# racoon -F -f racoon.conf
Foreground mode.
2008-04-24 17:40:01: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
2008-04-24 17:40:01: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
2008-04-24 17:40:01: INFO: 192.168.122.100[4500] used as isakmp port (fd=7)
2008-04-24 17:40:01: INFO: 192.168.122.100[4500] used for NAT-T
2008-04-24 17:40:01: INFO: 192.168.122.100[500] used as isakmp port (fd=8)
2008-04-24 17:40:06: INFO: respond new phase 1 negotiation: 192.168.122.100[500]<=>192.168.0.200[500]
2008-04-24 17:40:06: INFO: begin Identity Protection mode.
2008-04-24 17:40:06: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2008-04-24 17:40:06: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2008-04-24 17:40:06: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2008-04-24 17:40:06: INFO: Hashing 192.168.122.100[500] with algo #1
2008-04-24 17:40:06: INFO: NAT-D payload #0 doesn't match
2008-04-24 17:40:06: INFO: Hashing 192.168.0.200[500] with algo #1
2008-04-24 17:40:06: INFO: NAT-D payload #1 verified
2008-04-24 17:40:06: INFO: NAT detected: ME
2008-04-24 17:40:06: INFO: Hashing 192.168.0.200[500] with algo #1
2008-04-24 17:40:06: INFO: Hashing 192.168.122.100[500] with algo #1
2008-04-24 17:40:06: INFO: Adding remote and local NAT-D payloads.
2008-04-24 17:40:06: INFO: NAT-T: ports changed to: 192.168.0.200[4500]<->192.168.122.100[4500]
2008-04-24 17:40:06: INFO: KA list add: 192.168.122.100[4500]->192.168.0.200[4500]
2008-04-24 17:40:06: INFO: ISAKMP-SA established 192.168.122.100[4500]-192.168.0.200[4500] spi:d4245a3e8d07f023:353aeb082ad83985
2008-04-24 17:40:07: INFO: respond new phase 2 negotiation: 192.168.122.100[0]<=>192.168.0.200[0]
2008-04-24 17:40:07: INFO: Adjusting peer's encmode UDP-Tunnel->61441
2008-04-24 17:40:08: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.200->192.168.122.100 spi=189715164(0xb4ed2dc)
2008-04-24 17:40:08: INFO: IPsec-SA established: ESP/Tunnel 192.168.122.100->192.168.0.200 spi=184022985(0xaf7f7c9)

Now I want to ping the peer client 192.168.122.100 behind the NAT box from 
client 192.168.0.200. Since the peer client is on a private subnet, I ping the 
NAT-box IP. And here is the question: how do I have to set up DNAT on the 
NAT box so that traffic arriving there is DNATed to the peer client 
192.168.122.100, or is this possible at all? I mean, the IPsec traffic 
arriving at the NAT box is forwarded to the internal client running racoon, 
and the telnet server also runs on the machine running racoon. It's not clear to 
me where I have to implement the NAT rules so that I can ping the 
telnet server from client 192.168.0.200 using the public IP of the NAT box.

When I sniff the traffic on 192.168.122.100 I actually see this:

[root@rhel4 ~]# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:40:13.983235 IP 192.168.0.200 > 192.168.0.101:icmp 64: echo request seq 7
17:40:14.979046 IP 192.168.0.200 > 192.168.0.101:icmp 64: echo request seq 8


Any help is really appreciated.

Thanks.

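A consistency check for a setup like the one above, written as an added example that is not part of the thread: it parses racoon's "IPsec-SA established" lines, the PREROUTING DNAT listing and a tcpdump line, and flags DNAT targets that differ from the host racoon built the SAs for, missing NAT-T ports, and decapsulated traffic addressed to something other than a tunnel endpoint. The sample inputs are constructed from the post's excerpts; the function names are mine.

```python
import re
# Constructed excerpts of the racoon log and the PREROUTING DNAT listing quoted in the post.
RACOON_LOG = """\
2008-04-24 17:40:06: INFO: NAT detected: ME
2008-04-24 17:40:08: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.200->192.168.122.100 spi=189715164(0xb4ed2dc)
2008-04-24 17:40:08: INFO: IPsec-SA established: ESP/Tunnel 192.168.122.100->192.168.0.200 spi=184022985(0xaf7f7c9)
"""
NAT_TABLE = """\
DNAT       esp  --  0.0.0.0/0            0.0.0.0/0           to:192.168.122.100
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 500,4500 to:192.168.122.100
"""
# Constructed tcpdump line in the shape of the post's capture on the inner host 192.168.122.100.
CAPTURE = "17:40:13.983235 IP 192.168.0.200 > 192.168.0.101:icmp 64: echo request seq 7"

SA_RE = re.compile(r"IPsec-SA established: ESP/(\w+) (\S+)->(\S+) spi=\d+\((0x[0-9a-f]+)\)")
DNAT_RE = re.compile(r"^DNAT\s+(\w+)\s.*?(?:dports (\S+)\s+)?to:(\S+)\s*$", re.M)
PKT_RE = re.compile(r"IP (\S+) > (\S+?):")

def parse_sas(log):
    """One dict (mode, src, dst, spi) per 'IPsec-SA established' line."""
    return [dict(zip(("mode", "src", "dst", "spi"), m.groups())) for m in SA_RE.finditer(log)]

def parse_dnat(table):
    """Map protocol -> (set of dports or None, DNAT target) from a PREROUTING listing."""
    return {m.group(1): (set(m.group(2).split(",")) if m.group(2) else None, m.group(3))
            for m in DNAT_RE.finditer(table)}

def check_natt_forwarding(log, table, capture):
    """Return findings; an empty list means DNAT, the established SAs and the traffic agree."""
    findings, sas, rules = [], parse_sas(log), parse_dnat(table)
    endpoints = {s["src"] for s in sas} | {s["dst"] for s in sas}
    if len(sas) < 2:
        findings.append("fewer than two ESP SAs: tunnel is not bidirectional")
    if "NAT detected: ME" not in log:  # racoon's own wording when it sits behind the NAT
        findings.append("racoon did not detect a NAT in front of itself; NAT-T is not active")
    # udp/500 (IKE), udp/4500 (NAT-T) and raw ESP must all go to the host racoon built the SAs for.
    for proto, needed in (("esp", None), ("udp", {"500", "4500"})):
        ports, target = rules.get(proto, (None, None))
        if target is None:
            findings.append(f"no DNAT rule for {proto}")
        elif needed and not needed <= (ports or set()):
            findings.append(f"udp DNAT misses ports {sorted(needed - (ports or set()))}")
        elif target not in endpoints:
            findings.append(f"{proto} is DNATed to {target}, which is not an SA endpoint")
    # Decapsulated packets whose destination is not a tunnel endpoint (here the NAT box's address) are flagged.
    m = PKT_RE.search(capture)
    if m and m.group(2) not in endpoints:
        findings.append(f"inner packet addressed to {m.group(2)}, not to a tunnel endpoint")
    return findings
```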

* Re: DNAT IPSec
From: Tom Tonk @ 2008-04-24 22:45 UTC (permalink / raw)
  To: netfilter

Problem is solved by simply using routing instead of NAT.


* Re: DNAT IPSec
From: Tom Tonk @ 2008-04-24 22:58 UTC (permalink / raw)
  To: netfilter

Tom Tonk wrote:
> Problem is solved by simply using routing instead of NAT.

But anyway, it would be interesting to know if the whole setup would also work 
with DNAT of a service on the NAT machine to the internal box?

