NAT & IP-Sec Again

Post by Dave Shawl » Sat, 21 Jun 2003 23:29:10

I have a problem and it looks like this problem was discussed last
year sometime. I don't know if anything has changed since then so
I'm going to bring it up again.

The problem is with running a VPN client from behind a NAT'd firewall
to a VPN gateway across the Internet. The exact situation that I have
is I would like to use a Cisco Secure VPN client from behind a FreeBSD
firewall to tunnel through to our Cisco PIX firewall at work. The real
problem is that NAT and IP-Sec don't play nicely together. This has
been noted a number of times but I have also found some recent
references to an IP-Sec proxy agent in the ipfilter/ipnat code so
things may have changed whilst I have been away writing code.

I have a pretty bogus solution that has been working for a little
while now but it only works for one VPN client at a time... Currently
I am redirecting traffic on UDP port 500 to a specific host in
/etc/ipnat.rules. This gets around the problem of NAT mucking with
the IP headers and works pretty well. Recently I picked up a new
laptop and would like to VPN from it as well as my workstation. This
introduced a few new problems... the first is that my redirect solution
only works for a single internal IP address. The second is that I have
the laptop set up to DHCP so its address can change.

Currently my firewall is an older OpenBSD box that does not support
the IP-Sec proxy that I mentioned above. I was thinking about moving
the firewall to my FreeBSD box and trying the IP-Sec proxy out. The
FreeBSD box is a 4.7R box and is running on much more capable hardware
than my current OpenBSD firewall.

The other question I have is what has to be done to use ipfilter and
ipnat with FreeBSD? The last time that I set up a firewall under FreeBSD
was in the ipfw days so I am a little behind the times. I saw some notes
in /usr/src/contrib/ipfilter that implied that you had to compile
ipfilter, run the kinstall script, and then build the kernel. This didn't
work for me when I tried it last night. There was a problem with
the patch updates in kinstall but I'll look into this later. What I
need to know is "is the ipfilter prebuild necessary?" and "what kernel
options have to be enabled to use ipf/ipnat?"

Hopefully the IP-Sec proxying will help solve my headaches....

TIA,
     dave

NAT & IP-Sec Again

Post by Martin Birgmei » Sun, 22 Jun 2003 04:34:47

>I have a problem and it looks like this problem was discussed last
>year sometime. I don't know if anything has changed since then so
>I'm going to bring it up again.

>The problem is with running a VPN client from behind a NAT'd firewall
>to a VPN gateway across the Internet. The exact situation that I have
>is I would like to use a Cisco Secure VPN client from behind a FreeBSD
>firewall to tunnel through to our Cisco PIX firewall at work. The real
>problem is that NAT and IP-Sec don't play nicely together. This has

[...]

The statement 'NAT and IPsec don't play nicely together' is widely
used and *not* universally true. In particular, this is true for
IPsec AH, but not ESP.

I have a similar setup, albeit using Symantec Enterprise Secure VPN.
This works without problem across my IPFW & NAT gateway. The only
things to do are:

  - make sure that IPsec is running in ESP (only) mode - this is
    reasonable for an enterprise VPN

  - allow UDP port 500 (isakmp) through to/from your enterprise VPN
    gateway

  - allow protocol esp (50) through to/from your enterprise VPN
    gateway

For the latter two, my ipfw.conf file looks like the following:

add pass udp  from 192.168.x.y 500  to <VPN GW> 500      out via tun0
add pass udp  from <VPN GW> 500     to 192.168.x.y 500   in  via tun0

add pass esp  from 192.168.x.y      to <VPN GW>          out via tun0
add pass esp  from <VPN GW>         to 192.168.x.y       in  via tun0

(tun0 is for user ppp.)

A final hint since you are using DHCP: Make sure the lease time is
longer than your typical IPsec session - my IPsec client simply
adds a default route to the VPN gateway, thereby killing the ability
of the DHCP client to renew its lease from my gateway machine...

>TIA,
>     dave

Regards,

Martin

--
Martin Birgmeier

Vienna
Austria

NAT & IP-Sec Again

Post by Dave Shawl » Mon, 23 Jun 2003 01:15:07

> >I have a problem and it looks like this problem was discussed last
> >year sometime. I don't know if anything has changed since then so
> >I'm going to bring it up again.

> >The problem is with running a VPN client from behind a NAT'd firewall
> >to a VPN gateway across the Internet. The exact situation that I have
> >is I would like to use a Cisco Secure VPN client from behind a FreeBSD
> >firewall to tunnel through to our Cisco PIX firewall at work. The real
> >problem is that NAT and IP-Sec don't play nicely together. This has
> [...]

> The statement 'NAT and IPsec don't play nicely together' is widely
> used and *not* universally true. In particular, this is true for
> IPsec AH, but not ESP.

> I have a similar setup, albeit using Symantec Enterprise Secure VPN.
> This works without problem across my IPFW & NAT gateway. The only
> things to do are:

>   - make sure that IPsec is running in ESP (only) mode - this is
>     reasonable for an enterprise VPN

>   - allow UDP port 500 (isakmp) through to/from your enterprise VPN
>     gateway

>   - allow protocol esp (50) through to/from your enterprise VPN
>     gateway

> For the latter two, my ipfw.conf file looks like the following:

> add pass udp  from 192.168.x.y 500  to <VPN GW> 500      out via tun0
> add pass udp  from <VPN GW> 500     to 192.168.x.y 500   in  via tun0

> add pass esp  from 192.168.x.y      to <VPN GW>          out via tun0
> add pass esp  from <VPN GW>         to 192.168.x.y       in  via tun0

> (tun0 is for user ppp.)

> A final hint since you are using DHCP: Make sure the lease time is
> longer than your typical IPsec session - my IPsec client simply
> adds a default route to the VPN gateway, thereby killing the ability
> of the DHCP client to renew its lease from my gateway machine...

> >TIA,
> >     dave

> Regards,

> Martin

Thanks for the info. I'll have to talk to our Cisco guy on Monday. It
looks to me (from packet sniffin') that our system is using AH instead
of ESP. (There isn't any traffic on port 50.) The other problem is that
my current FW is using IPF/IPNAT and I can't seem to find any way to tell
NAT to leave the packets alone other than a redirect. I think that I will
be putting the FreeBSD box in as a firewall here shortly. I just have to
pick up some better NICs; I'm using a pathetic RealTek NIC now...

Thanks again,

Dave

NAT & IP-Sec Again

Post by Jim Hatfiel » Wed, 25 Jun 2003 02:31:16

>Thanks for the info. I'll have to talk to our Cisco guy on Monday. It
>looks to me (from packet sniffin') that our system is using AH instead
>of ESP. (There isn't any traffic on port 50.)

Not port 50, protocol 50.

--
Jim Hatfield
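Martin's checklist above (ESP only, UDP 500, protocol 50) and Jim's correction (protocol 50, not port 50) can both be checked against a packet capture. The following Python is an added example, not code from any poster in this thread: it builds a few constructed IPv4 packets standing in for a sniffed session and classifies each as ISAKMP, ESP, AH or plain UDP, flagging AH as the one that NAT address rewriting breaks. Addresses, SPIs and field values are made up.

```python
import struct
from collections import Counter

def ipv4_packet(proto, src, dst, payload):
    """Prefix payload with a minimal 20-byte IPv4 header (checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def udp_payload(sport, dport, data=b""):
    """Minimal UDP header (length filled in, checksum left at zero) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed sample "capture": client 192.168.1.10 behind NAT talking to gateway 198.51.100.1.
CLIENT, GW = "192.168.1.10", "198.51.100.1"
SAMPLE_PACKETS = [
    ipv4_packet(17, CLIENT, GW, udp_payload(500, 500)),                     # ISAKMP on UDP 500
    ipv4_packet(50, CLIENT, GW, struct.pack("!II", 0x1234ABCD, 1)),         # ESP: SPI, seq
    ipv4_packet(51, CLIENT, GW, struct.pack("!BBHII", 4, 4, 0, 0xCAFE0001, 1)),  # AH header
    ipv4_packet(17, CLIENT, GW, udp_payload(4000, 50)),                     # UDP *port* 50
]

def classify(packet):
    """Describe one packet: its IPsec role and whether NAT address rewriting breaks it."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    info = {"proto": proto, "kind": "other", "broken_by_nat": None}
    if proto == 17:
        sport, dport = struct.unpack("!HH", body[:4])
        info["kind"] = "ISAKMP" if 500 in (sport, dport) else "UDP"
        info["broken_by_nat"] = False   # NAT rewrites address and port; no integrity check
    elif proto == 50:
        # ESP: SPI then sequence number. The outer IP header is not authenticated,
        # so a NAT that rewrites the source address does not invalidate the packet.
        info["kind"] = "ESP"
        info["spi"] = struct.unpack("!I", body[:4])[0]
        info["broken_by_nat"] = False
    elif proto == 51:
        # AH: next header, payload length, reserved, SPI, sequence, then the ICV.
        # The ICV covers the source address, so NAT rewriting it fails authentication.
        info["kind"] = "AH"
        info["next_header"] = body[0]
        info["spi"] = struct.unpack("!I", body[4:8])[0]
        info["broken_by_nat"] = True
    return info

def tunnel_summary(packets):
    """Count kinds per capture: the sniffing check for whether a tunnel uses AH or ESP."""
    return dict(Counter(classify(p)["kind"] for p in packets))
```

Run against a real capture, a summary containing "AH" and no "ESP" is the situation Dave describes, and the fourth sample shows why looking for "port 50" finds nothing.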

1. ppp & dynamic IP & firewall & nat

hi,

i have a dialup connection and get assigned a dynamic ip address. i get
disconnected by my isp every 8 hours and i dial in again immediately. this
machine is a router and firewall for the internal network.

in the ppp.linkup script i execute a script that does
'ipnat -CF -f /etc/ipnat.rules'
and
'ipf -y'

this works when root starts ppp but not for an ordinary user. my questions:

1. is this approach ok in general (or should i do it in a completely
different way)? are the settings updated every time for sure (does tun0
already have an ip address at that point?)

2. do i also have to initialize the firewall rules every time?

3. does ppp -ddial -nat myisp also use the ipnat.rules or is this a
different approach?

4. how can i arrange it so that an ordinary user can also activate ppp in
this way?

sorry if these questions are not the most intelligent ones but i already
looked up quite a lot of info and didn't find anything useful.

thx

Georg Mittendorfer
