Very Computer

Hi,

Our company allows us to dial in from home using a vpn software client.
their vpn solution is apparently the standard ipsec solution from
microsoft.

using 'real' ip adresses, this works fine. (we're all using windows 2k or
xp laptop's).

I have however a linux firewall at home, and i'd prefer much to simply
plugin my laptop to my home lan, and connect to the vpn server this way.
However, because i need to do nat'ing on the linux firewall, this does not
work.

However, the guys at work responsible for managing the vpn say that if i
were to use a windows xp machine instead of a linux, it would work.

and someone else told me that windows does indeed have some sort of
feature called upnp that would allow this.

Can anyone confirm that this is true, and how it works ? in my
understanding, the principal reason why nat'ing prevents ipsec to work is
that the source ip adress is changed in an ip packet, which causes ipsec
to think that someone could be trying to spoof ?

And being quite linux minded, i'm sure that if it would be possible using
windows xp, it sure as hell will be possible with linux.

All information is welcome .

thanks,

Tom.

Are you sure that it is IPSEC and not some other VPN solution like PTPTP?

Yes,

PPTP is not a problem with NAT'ing, but they only support IPSEC for
security reasons.

Tom.

Then your network "experts" are spouting BS when they say that an XP
machine behind a NAT firewall would work.

However, there is a patch to the kernel for IPSEC passthru. With the patch
on your firewall, you should be able to use either an XP or a Linux
machine (with FreeS/WAN) behind the NAT box.

No, you misunderstood. they say using windows xp as a NAT'ing firewall would work,
not behind the existing firewall.

Quote:

> However, there is a patch to the kernel for IPSEC passthru. With the patch
> on your firewall, you should be able to use either an XP or a Linux
> machine (with FreeS/WAN) behind the NAT box.

Hm, now this is interesting stuff. any idea where i can find more
information about this ?

thanks,

tom.

Linux VPN Masquerade:
http://www.impsec.org/linux/masquerade/ip_masq_vpn.html (I work with this
chap; he's on the ball)

Linux FreeS/WAN Project Homepage: http://www.freeswan.org

Quote:> Hm, now this is interesting stuff. any idea where i can find more
> information about this ?

--
Scot Harkins (KA5KDU)
Greenbank, WA
360-678-5880

http://www.bigfoot.com/~scoth

Hi Scot,

thanks for your link.

i read the ip masq vpn howto before, and didn't really follow up on it
because I thought it couldn't help my case.

here's why i think so:

ipsec has 2 main components:

AH & EPS

AH is used for authenticating that the source ip adress is actually the ip
adress of the other side of the ipsec tunnel, and not some spoofer. it does
this by encrypting the source ip adress with either a public/private key
(key exchange and all that) or via a shared key

EPS is used to encrypt the data in the packet. encryption is same principle
as for AH

(i believe that at my company they use shared keys BTW)

now, i understand that if AH is used, there's simply no way that a client
from behind a NAT'ing firewall can connect, because the source ip adress in
the ip header is no longer the same as the encrypted (original) source ip
adress in the data part of the ip packet.

only EPS can possibly be supported

Are my assumptions correct or did I (hopefull) make a mistake somewhere ?

thx,

thanks,

Tom.