Very Computer

> I'm attempting to use Nortel Extranet Acccess Client to connect to a
> remote VPN server at my employer via cable modem--but I've been
> unsuccessful thus far.  I'm not sure of the hardware on my employer's
> end, but the client-side software is Nortel Extranet Access Client
> (V02_62.33 Sep 8 2000).

> All other NAT seems to work fine.  I've added "log" directives to all
> my ipf rules and even disabled them all and find no indication that
> the IPSec traffic is even being forwarded.  I've tried enabling ESP in
> /etc/sysctrl.conf to no avail.  

> Based on a lot of net.digging of the ng's, it appears thus far that
> OpenBSD's ipnat is not capable of dealing with the IPSec correctly.
> What confuses me is that the inexpensive Linksys cable-modem router
> (BEFSR41) can handle this--they've recently released a BIOS update
> that touts "IPSec passthru now supported" which coworkers have used
> successfully.  I understand that there's been a Linux patch for this
> as well, and even the CoyoteLinux router supports this arrangement.

> Is there an equivalent patch for OpenBSD that allows ipnat to
> appropriately handle ESP (port 50) translation that's evidently needed
> for this to work?

> +----------+
> |Win2k box |         +----------------+   +-----------+

> |Nortel    |         +----------------+   +-----------+
> |Extranet  |
> |Client    |
> +----------+

> I've been scouring the 'net trying to find a fix to no avail.  I'm
> having religious difficutly thinking that there is something a Linksys
> BEFSR41 router ($160) can do that OpenBSD can't!

> Thank you in advance for any assistance or advice.

> Best Regards,
> Todd

> I'm still searching for an answer for OpenBSD's support or non-support
> for NAT on ESP-based IPSec.   The silence is eerie.  :-)  I've found
> happines in implementing a Linux-based firewall solution, however, I'd
> have much preferred to take advantage of OpenBSD's superior security.
> :-\

> The best explanations of the challenges and solutions to doing NAT
> with IPSec traffic is here in the Linux VPN how-to.  Especially
> germane to the Nortel client (which uses IPsec ESP) are sections 2.2,
> and 2.10 where it describes that kernel mods are necessary to support
> NAT on protocols other than tcp, udp, and icmp (such as ESP and GRE):

>    ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquera...

> Best Regards,
> Todd

> > Has anyone succesfully configured an OpenBSD NAT/firewall to allow an
> > IPSec-based VPN client on the LAN side to pass through NAT and connect
> > to the remote server successfully?

> > I'm attempting to use Nortel Extranet Acccess Client to connect to a
> > remote VPN server at my employer via cable modem--but I've been
> > unsuccessful thus far.  I'm not sure of the hardware on my employer's
> > end, but the client-side software is Nortel Extranet Access Client
> > (V02_62.33 Sep 8 2000).

> > All other NAT seems to work fine.  I've added "log" directives to all
> > my ipf rules and even disabled them all and find no indication that
> > the IPSec traffic is even being forwarded.  I've tried enabling ESP in
> > /etc/sysctrl.conf to no avail.

> > Based on a lot of net.digging of the ng's, it appears thus far that
> > OpenBSD's ipnat is not capable of dealing with the IPSec correctly.
> > What confuses me is that the inexpensive Linksys cable-modem router
> > (BEFSR41) can handle this--they've recently released a BIOS update
> > that touts "IPSec passthru now supported" which coworkers have used
> > successfully.  I understand that there's been a Linux patch for this
> > as well, and even the CoyoteLinux router supports this arrangement.

> > Is there an equivalent patch for OpenBSD that allows ipnat to
> > appropriately handle ESP (port 50) translation that's evidently needed
> > for this to work?

> > +----------+
> > |Win2k box |         +----------------+   +-----------+

> > |Nortel    |         +----------------+   +-----------+
> > |Extranet  |
> > |Client    |
> > +----------+

> > I've been scouring the 'net trying to find a fix to no avail.  I'm
> > having religious difficutly thinking that there is something a Linksys
> > BEFSR41 router ($160) can do that OpenBSD can't!

> > Thank you in advance for any assistance or advice.

> > Best Regards,
> > Todd

> My understanding is that IPSec and NAT are not compatable.
> Period. (I think Nortel has a router/firewall that will do this,
> but I didn't want to go there.)

> > The best explanations of the challenges and solutions to doing NAT
> > with IPSec traffic is here in the Linux VPN how-to.  Especially
> > germane to the Nortel client (which uses IPsec ESP) are sections 2.2,
> > and 2.10 where it describes that kernel mods are necessary to support
> > NAT on protocols other than tcp, udp, and icmp (such as ESP and GRE):

> >    ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquera...

> > Todd,
> > It's not the answer you're looking for, but I think the answer is
> > that you can't.

> > My understanding is that IPSec and NAT are not compatable.
> > Period. (I think Nortel has a router/firewall that will do this,
> > but I didn't want to go there.)

> That's not true based on my most recent findings.  It all depends on
> which of the two IPSec protocols are in use, and whether the specific
> implementation of NAT supports the required protocols (ESP and/or
> GRE).

> What I meant to say in my update is that I'm now tunneling Nortel's
> ESP implementation of IPSec over a Linux implementation of NAT
> (specifically, the coyotelinux.com router software that's based on a
> Linux kernel).  It's working.  :-) OpenBSD 2.7's ipnat, however, was
> not up to the task of tunneling Nortel Extranet's ESP IPSec traffic.

> Linksys's BEFSR* routers also support what they call "IPSec pass-thru"
> but I've not yet found out how/what exactly they do.  I have coworkers
> that are successfully tunneling Nortel Extranet's ESP IPSec traffic
> through their Linsys routers (provided they hvae the latest
> firmware). I suppose their router's software does appropriate ESP
> protocol translation with NAT.

> Based on my experience, OpenBSD is not capable of passing any IPSec
> traffic through its ipnat implementation of NAT--likely because it has
> not been modified to translate protocols other than ICMP, tcp, or
> udp.  I'm still looking for confirmation from an IPSec-savvy person in
> the OpenBSD development community.

> As to the "IPSec isn't compatible with NAT," that statement seems to
> be true regarding products implementing AH protocol of IPSec--all due
> to the checksumming done in the headers.  As I undersand it now, any
> rewrite of destinations via NAT would "break" the
> encryption/checksumming.  The link below explains it better than I
> can.

> > If you play around with the keywords you should be able to find
> > more specific info with a Deja search. I wasted more time on this
> > than I really care to say. If I'm wrong and there IS a reliable
> > way to do this with an OpenBSD firewall I would *really* like to
> > hear about it.

> > Cindy

> Indeed--I'm curious when OpenBSD's kernel will be enhanced to handle
> ESP and GRE protocols for ipnat.

> The link I provided in my followup posting (quoted below) is the best
> link I found in my search.  If folks are interested in this topic,
> read the two sections I mention--it's all of about 20 sentences, but
> very lucid.

> > > The best explanations of the challenges and solutions to doing NAT
> > > with IPSec traffic is here in the Linux VPN how-to.  Especially
> > > germane to the Nortel client (which uses IPsec ESP) are sections 2.2,
> > > and 2.10 where it describes that kernel mods are necessary to support
> > > NAT on protocols other than tcp, udp, and icmp (such as ESP and GRE):

> > >    ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquera...

> Todd,
> It's not the answer you're looking for, but I think the answer is
> that you can't.

> My understanding is that IPSec and NAT are not compatable.
> Period. (I think Nortel has a router/firewall that will do this,
> but I didn't want to go there.)

> If you play around with the keywords you should be able to find
> more specific info with a Deja search. I wasted more time on this
> than I really care to say. If I'm wrong and there IS a reliable
> way to do this with an OpenBSD firewall I would *really* like to
> hear about it.

> Cindy

> > I'm still searching for an answer for OpenBSD's support or non-support
> > for NAT on ESP-based IPSec.   The silence is eerie.  :-)  I've found
> > happines in implementing a Linux-based firewall solution, however, I'd
> > have much preferred to take advantage of OpenBSD's superior security.
> > :-\

> > The best explanations of the challenges and solutions to doing NAT
> > with IPSec traffic is here in the Linux VPN how-to.  Especially
> > germane to the Nortel client (which uses IPsec ESP) are sections 2.2,
> > and 2.10 where it describes that kernel mods are necessary to support
> > NAT on protocols other than tcp, udp, and icmp (such as ESP and GRE):

> >    ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquera...

> > Best Regards,
> > Todd

> > > Has anyone succesfully configured an OpenBSD NAT/firewall to allow an
> > > IPSec-based VPN client on the LAN side to pass through NAT and connect
> > > to the remote server successfully?

> > > I'm attempting to use Nortel Extranet Acccess Client to connect to a
> > > remote VPN server at my employer via cable modem--but I've been
> > > unsuccessful thus far.  I'm not sure of the hardware on my employer's
> > > end, but the client-side software is Nortel Extranet Access Client
> > > (V02_62.33 Sep 8 2000).

> > > All other NAT seems to work fine.  I've added "log" directives to all
> > > my ipf rules and even disabled them all and find no indication that
> > > the IPSec traffic is even being forwarded.  I've tried enabling ESP in
> > > /etc/sysctrl.conf to no avail.

> > > Based on a lot of net.digging of the ng's, it appears thus far that
> > > OpenBSD's ipnat is not capable of dealing with the IPSec correctly.
> > > What confuses me is that the inexpensive Linksys cable-modem router
> > > (BEFSR41) can handle this--they've recently released a BIOS update
> > > that touts "IPSec passthru now supported" which coworkers have used
> > > successfully.  I understand that there's been a Linux patch for this
> > > as well, and even the CoyoteLinux router supports this arrangement.

> > > Is there an equivalent patch for OpenBSD that allows ipnat to
> > > appropriately handle ESP (port 50) translation that's evidently needed
> > > for this to work?

> > > +----------+
> > > |Win2k box |         +----------------+   +-----------+

> > > |Nortel    |         +----------------+   +-----------+
> > > |Extranet  |
> > > |Client    |
> > > +----------+

> > > I've been scouring the 'net trying to find a fix to no avail.  I'm
> > > having religious difficutly thinking that there is something a Linksys
> > > BEFSR41 router ($160) can do that OpenBSD can't!

> > > Thank you in advance for any assistance or advice.

> > > Best Regards,
> > > Todd

> --
> Sorry for the SPAM block -
> My real address is Cindy at Ballreich dot net