Re: freebsd vpn server behind nat dsl router
On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:

> On Wed, Mar 07, 2007 at 12:04:17PM -0600, Robert Johannes wrote:
> > Thanks for your response. My freebsd vpn servers are behind the dsl
> > routers at each site. The modems have firewall and NAT turned on.
> > The vpn servers are part of the local LANs, and I have port-forwarding
> > set up between the dsl modems and the vpn servers. E.g., when traffic comes
> > from the internet destined for port 500, I forward that traffic to the vpn
> > servers (192.168.x.254 on the diagram).
>
> If your redirection only works for port 500, it won't be enough, as it
> will only allow IKE negotiations, not encrypted traffic.
>
> You'll have to add forwarding for ESP protocol, or use NAT-T patch and
> also forward UDP 4500 port.

Yeah, I have been trying to figure out how to forward protocols 47, 50 and
51 to the vpns without knowing whether it is successful or not. So, on to nat-t then.

> > The freebsd servers are not running a firewall or NAT at this point. I
> > don't think they need to run NAT, but I haven't decided on the firewall
> > yet.
> >
> > So, given that situation, I don't know if the NAT changes to the kernel
> > you are suggesting below would help, since NAT is happening on the dsl
> > routers. I am guessing my problem is between the vpn server and the dsl
> > router's NAT capability. I have done a tcpdump on the gif interface, and
> > I can see the ping requests being made across it, but there's no response.
> > I don't even know if the traffic is making it beyond the vpn box, let
> > alone beyond the dsl modem.
>
> The NAT-T patch I was talking about adds the kernel part of an *IPSec*
> feature: support for NAT-Traversal extension (RFCs 3947 and 3948),
> which allows IPSec tunnels to be established if there is some NAT
> between IPSec gates.
>
> This is exactly your setup.

Cool. My response above was based on not really understanding how nat played havoc on my vpn design. It sounds like NAT-T is what I should be doing then. Do you know if the patch was included in the 6.1 and 6.2 releases? Or perhaps in current/stable? It would be faster for me to reload, rather than making world; the machines I am working with are amd K6 500mhz cpus, with 186 megs of ram.

> The tcpdump on your GIF interface will only show you that FreeBSD
> correctly routes the packet to that interface...
>
> > About dynamic ip: The dsl routers have been configured to use the dyndns
> > service, and each time the ip address changes, dyndns is updated as well.
>
> You'll still have the problem "detecting when the peer's IP changes".

I don't know yet how I will handle this; but I could probably create a script that monitors for change in the ip address, and re-initializes vpn services with the new ip.

> Yvan.
>
> --
> NETASQ
> http://www.netasq.com
> _______________________________________________
> freebsd-security@xxxxxxxxxxx mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

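What the NAT-T patch Yvan mentions actually does on the wire, as an added example (not code from this thread and not FreeBSD's NAT-T patch): the RFC 3947 NAT-D hash exchange by which two IKE peers discover that a NAT sits between them, and the RFC 3948 UDP port 4500 encapsulation that then carries both IKE and ESP, so the DSL modem only has to forward UDP 500 and UDP 4500 instead of IP protocol 50. Assumptions: SHA-1 stands in for the hash negotiated in IKE phase 1, the IKE cookies are made up, and the addresses are constructed (RFC 5737 documentation ranges play the DSL routers' public IPs; 192.168.x.254 are the VPN servers as in the thread). No cryptography is performed on the ESP body, which is opaque here.

```python
"""IPsec NAT-Traversal pieces: RFC 3947 NAT-D detection and RFC 3948 UDP
encapsulation.  Added example; constructed cookies and addresses."""
import hashlib
import socket
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s.2.2: IKE on UDP 4500 starts with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s.2.3: 1-byte datagram that refreshes the NAT mapping


def nat_d_hash(cky_i, cky_r, ip, port):
    """RFC 3947 s.3.2: HASH(CKY-I | CKY-R | IP | Port).  SHA-1 is an assumption
    of this example; real IKE uses the phase-1 negotiated hash algorithm."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKE cookies are 8 bytes each")
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d(cky_i, cky_r, remote, local):
    """Sender side.  The first NAT-D payload hashes the address the sender is
    talking *to*; the following one(s) hash the address it believes it sends *from*."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def check_nat_d(cky_i, cky_r, received, seen_src, my_local):
    """Receiver side.  Recompute the hashes from what the IP/UDP headers actually
    show and compare with the peer's claims.  Returns (peer_behind_nat, self_behind_nat)."""
    remote_hash, local_hashes = received[0], received[1:]
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *seen_src) not in local_hashes
    self_behind_nat = nat_d_hash(cky_i, cky_r, *my_local) != remote_hash
    return peer_behind_nat, self_behind_nat


def udp_encap_esp(spi, seq, esp_rest):
    """RFC 3948 s.2.1: UDP-encapsulated ESP is the plain ESP packet (SPI, seq, ...)
    inside UDP.  SPI 0 is reserved, so ESP can never look like the non-ESP marker."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the non-ESP marker")
    return struct.pack("!II", spi, seq) + esp_rest


def udp_encap_ike(ike_msg):
    """RFC 3948 s.2.2: IKE sent on port 4500 is prefixed with the non-ESP marker."""
    return NON_ESP_MARKER + ike_msg


def demux_udp4500(payload):
    """What the kernel does with a datagram arriving on UDP 4500."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", b"")
    if len(payload) < 8:
        raise ValueError("datagram too short for ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:])          # hand to the IKE daemon (racoon)
    spi, seq = struct.unpack("!II", payload[:8])
    return ("esp", (spi, seq, payload[8:]))  # hand to the IPsec stack


def thread_scenario():
    """Both gateways behind NAT, as in the thread.  Constructed addresses."""
    cky_i, cky_r = bytes(range(1, 9)), bytes(range(9, 17))
    site_a_private, site_a_public = ("192.168.1.254", 500), ("203.0.113.10", 500)
    site_b_private, site_b_public = ("192.168.2.254", 500), ("198.51.100.20", 500)
    # Site A dials site B's public (dyndns) address and hashes its own private one.
    nat_d_from_a = build_nat_d(cky_i, cky_r, remote=site_b_public, local=site_a_private)
    # B's DSL modem port-forwards to 192.168.2.254; B sees A's *public* address as source.
    return check_nat_d(cky_i, cky_r, nat_d_from_a, seen_src=site_a_public, my_local=site_b_private)


if __name__ == "__main__":
    print("peer behind NAT, self behind NAT:", thread_scenario())
    print(demux_udp4500(udp_encap_esp(0x1234, 1, b"\xaa" * 16))[0])
```

Once both sides detect a NAT this way, IKE moves to UDP 4500 and the ESP packets ride inside UDP 4500 as well, which is why the thread's port-forward for UDP 500 alone only gets the negotiation through. The zero marker is what lets one UDP port carry both IKE and ESP, and the one-byte keepalive is what keeps the modem's NAT entry alive while the tunnel is idle.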