* IPSEC VPN Pass-Through/Nat-T Help Needed
@ 2008-09-22 20:10 Kristopher L. Bachtal
From: Kristopher L. Bachtal @ 2008-09-22 20:10 UTC (permalink / raw)
To: 'Mail List - Netfilter'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
I have a Fedora Core 5 machine running kernel 2.6.20-1.2320 and
iptables/netfilter acting as a gateway/NAT for a private network to the
internet. I have several client machines (approx. 10, running Windows XP)
that are behind this router that need to create individual IPSec VPN
(Cisco IPSec Software Client) connections over the internet to a Cisco
VPN Concentrator (diagram below). I can only seem to get one client at a
time to work. If I try to start a second VPN connection from another
machine it connects to the VPN Concentrator but will not carry any data
(i.e. can't ping, traceroute, etc.). I'm thinking I need some type of
connection tracking kernel module for IPSec connections (like
nf_conntrack_ftp but for IPSec instead of FTP) but I can't find any
reference to one in the documentation or Google searches that I have
done. Any help would be greatly appreciated.
Clients(10) --> Gateway/Nat ---> Internet ---> Remote Network
(Windows XP)    (Fedora Core 5)                (Cisco VPN Box)
Private IP      Private IP / Public IP         Public IP
Thank you,
Kristopher L. Bachtal
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFI1/ulG8acbTj+cSARAkkMAJwPUYm28gw5pSYogD6tZ+FZhjVVDACghRos
V4paWyVloiFRbSBBjFfT/A8=
=TNUn
-----END PGP SIGNATURE-----
* Re: IPSEC VPN Pass-Through/Nat-T Help Needed
From: Anton V. Antonenko @ 2008-09-23 3:56 UTC (permalink / raw)
To: netfilter
Hi,
IPSec does not work after NAT.
You must use NAT-T; see http://en.wikipedia.org/wiki/NAT_traversal
2008/9/22 Kristopher L. Bachtal <kbachtal@gmail.com>:
> Hello,
>
> I have a Fedora Core 5 machine running kernel 2.6.20-1.2320 and
> iptables/netfilter acting as a gateway/NAT for a private network to the
> internet. I have several client machines (approx. 10, running Windows XP)
> that are behind this router that need to create individual IPSec VPN
> (Cisco IPSec Software Client) connections over the internet to a Cisco
> VPN Concentrator (diagram below). I can only seem to get one client at a
> time to work. If I try to start a second VPN connection from another
> machine it connects to the VPN Concentrator but will not carry any data
> (i.e. can't ping, traceroute, etc.). I'm thinking I need some type of
> connection tracking kernel module for IPSec connections (like
> nf_conntrack_ftp but for IPSec instead of FTP) but I can't find any
> reference to one in the documentation or Google searches that I have
> done. Any help would be greatly appreciated.
>
> Clients(10) --> Gateway/Nat ---> Internet ---> Remote Network
> (Windows XP)    (Fedora Core 5)                (Cisco VPN Box)
> Private IP      Private IP / Public IP         Public IP
* Re: IPSEC VPN Pass-Through/Nat-T Help Needed
From: Kristopher L. Bachtal @ 2008-09-23 4:40 UTC (permalink / raw)
To: 'Mail List - Netfilter'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello again,
I have heard of IPSec NAT-T, as you can see from the subject of my
original post. In fact, as I said before, a --> Single <-- IPSec
connection works just fine through our Linux Gateway/Firewall. My
problem is getting --> Multiple <-- IPSec connections from multiple
client machines to work simultaneously. What do I need to do to get this
working on my Linux NAT Gateway/Firewall? Is there a compile time option
in netfilter or the kernel I need to enable? Or is there some module
like nf_conntrack_ipsec or nf_nat_ftp I need to load? The network
admins from the remote network that we are connecting to are pushing me
to remove the Linux Gateway/Firewall and replace it with a Cisco
router that they say will allow this. I'd rather stick with our Linux
Gateway/Firewall if possible, and I think it should be capable of this.
Once again, any help would be appreciated.
P.S. I realize a site-to-site VPN would probably be the best way to do
this, but the admins from the remote network will not allow this due to
their security policy.
Thank you,
Kristopher L. Bachtal
Anton V. Antonenko wrote:
| Hi,
| IPSec does not work after NAT.
| You must use NAT-T; see http://en.wikipedia.org/wiki/NAT_traversal
|
| 2008/9/22 Kristopher L. Bachtal <kbachtal@gmail.com>:
|> Hello,
|>
|> I have a Fedora Core 5 machine running kernel 2.6.20-1.2320 and
|> iptables/netfilter acting as a gateway/NAT for a private network to the
|> internet. I have several client machines (approx. 10, running Windows XP)
|> that are behind this router that need to create individual IPSec VPN
|> (Cisco IPSec Software Client) connections over the internet to a Cisco
|> VPN Concentrator (diagram below). I can only seem to get one client at a
|> time to work. If I try to start a second VPN connection from another
|> machine it connects to the VPN Concentrator but will not carry any data
|> (i.e. can't ping, traceroute, etc.). I'm thinking I need some type of
|> connection tracking kernel module for IPSec connections (like
|> nf_conntrack_ftp but for IPSec instead of FTP) but I can't find any
|> reference to one in the documentation or Google searches that I have
|> done. Any help would be greatly appreciated.
|>
|> Clients(10) --> Gateway/Nat ---> Internet ---> Remote Network
|> (Windows XP)    (Fedora Core 5)                (Cisco VPN Box)
|> Private IP      Private IP / Public IP         Public IP
| --
| To unsubscribe from this list: send the line "unsubscribe netfilter" in
| the body of a message to majordomo@vger.kernel.org
| More majordomo info at http://vger.kernel.org/majordomo-info.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFI2HMiG8acbTj+cSARAqZ2AKCS+KUYKuZey0j6L3dQtBPcGGgsvACggsZM
bMlY5MMjEwjT4Vnl59aQfdg=
=7kaD
-----END PGP SIGNATURE-----
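The two points raised in this thread, Anton's "use NAT-T" and Kristopher's question about which netfilter module or rule lets several clients through at once, come down to one fact: raw ESP (IP protocol 50) carries no port numbers, so there is nothing like nf_conntrack_ftp that a NAT gateway could use to tell two clients' tunnels apart once both have been masqueraded to the same public address. NAT-T moves ESP inside UDP/4500, and ordinary source-port translation then keeps each client's flow distinct. The script below is an added example, not code from the thread or from the netfilter project: it prints the iptables-restore fragment a gateway needs for NAT-T (printing rather than applying so it runs without root), and then parses a constructed snapshot of /proc/net/nf_conntrack to show one reply tuple for two raw-ESP clients against two reply tuples for two NAT-T clients. The interface names, addresses and conntrack lines are assumptions made for the example; whether the concentrator side accepts NAT-T (or Cisco's own IPSec-over-UDP transparent tunnelling) is decided by the remote admins and is assumed here.

```shell
#!/bin/sh
# Added example, not from the thread. Shows (1) the forwarding and NAT rules
# a Linux gateway needs so several LAN clients can run IPsec with NAT-T at
# once, and (2) why raw ESP cannot be multiplexed by conntrack, using a
# constructed snapshot of /proc/net/nf_conntrack. Interface names, addresses
# and the conntrack lines are assumptions made up for this example.

LAN_IF=eth0           # private side, where the client PCs sit (assumed)
WAN_IF=eth1           # public side (assumed)
VPN_GW=203.0.113.5    # remote VPN concentrator (documentation address, assumed)

# Print an iptables-restore fragment rather than applying it, so this runs
# without root; on the gateway itself: natt_rules | iptables-restore -n
natt_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# IKE (UDP/500) and NAT-T, i.e. ESP encapsulated in UDP/4500, LAN -> concentrator
-A FORWARD -i $LAN_IF -o $WAN_IF -d $VPN_GW -p udp --dport 500 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -d $VPN_GW -p udp --dport 4500 -j ACCEPT
COMMIT
*nat
# MASQUERADE gives every client's UDP/4500 flow its own public source port,
# which is the key conntrack uses to hand the concentrator's replies back.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Constructed conntrack snapshot for two clients (192.168.1.10 and .11) behind
# a gateway whose public address is 198.51.100.2. Raw ESP is IP protocol 50
# and has no ports, so after masquerading both clients end up with the same
# reply tuple; with NAT-T the second client was given a different public port.
sample_conntrack() {
    cat <<'EOF'
ipv4 2 unknown 50 599 src=192.168.1.10 dst=203.0.113.5 src=203.0.113.5 dst=198.51.100.2 mark=0 use=1
ipv4 2 unknown 50 599 src=192.168.1.11 dst=203.0.113.5 src=203.0.113.5 dst=198.51.100.2 mark=0 use=1
ipv4 2 udp 17 175 src=192.168.1.10 dst=203.0.113.5 sport=4500 dport=4500 src=203.0.113.5 dst=198.51.100.2 sport=4500 dport=4500 [ASSURED] mark=0 use=1
ipv4 2 udp 17 175 src=192.168.1.11 dst=203.0.113.5 sport=4500 dport=4500 src=203.0.113.5 dst=198.51.100.2 sport=4500 dport=1024 [ASSURED] mark=0 use=1
EOF
}

# Count the distinct reply-direction tuples conntrack holds for one protocol
# name read from stdin (the last src=/dst=/sport=/dport= on a line are the
# reply side). Fewer distinct tuples than clients means the gateway cannot
# tell whose return traffic is whose.
distinct_reply_tuples() {
    awk -v p="$1" '
        $3 == p {
            rsrc = rdst = rsp = rdp = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/)   rsrc = $i
                if ($i ~ /^dst=/)   rdst = $i
                if ($i ~ /^sport=/) rsp  = $i
                if ($i ~ /^dport=/) rdp  = $i
            }
            seen[rsrc " " rdst " " rsp " " rdp] = 1
        }
        END { n = 0; for (k in seen) n++; print n + 0 }'
}

printf 'clients distinguishable via raw ESP : %s\n' "$(sample_conntrack | distinct_reply_tuples unknown)"
printf 'clients distinguishable via NAT-T   : %s\n' "$(sample_conntrack | distinct_reply_tuples udp)"
```

On a real gateway, `cat /proc/net/nf_conntrack | distinct_reply_tuples udp` (or `/proc/net/ip_conntrack` on a 2.6.20-era kernel) while two clients are connected is the quick check: if the count equals the number of clients, the NAT side is doing its job and the remaining problem is on the client or concentrator configuration; if only `unknown 50` entries appear, the clients are still sending raw ESP and NAT-T has not been negotiated.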