Re: Linux v Dedicated NAT routers - secure remote differences

From: Angel (angel@REMOVEMEnightime.org.uk)
Date: 09/30/02


Date: Sun, 29 Sep 2002 23:11:03 +0100
From: Angel <angel@REMOVEMEnightime.org.uk>


> My route table shows no recognition of any interface other than 10.0.10.30
> (the address assigned by my home dhcp server)

hmmm... that's unfortunate. Not being familiar with the client software
you use I can't suggest a way of determining the IP address you are
assigned for the tunnel end-point.

I am surprised the client software doesn't set up any routes. I wonder
how it knows that certain packets need to traverse the tunnel while
others hit the default route.

If I were you I wouldn't worry too much about NAT being involved. So
long as you use ESP then the symptoms of having NAT should only show
themselves when the time comes for the tunnel to rekey. It won't affect
the initial authentication as that is initiated from your client and
thus the NAT will open a 'hole' for it. It's only when the time comes
to rekey, initiated by the remote end, that you would get disconnected
as the NAT table entry would have timed out. There are a couple of NAT
traversal technologies in use at the moment. One of the most common is
UDP encapsulation.

If you are using ESP then the port forwarding of port 500 you mentioned
also should not be necessary.

One thing which just occurred to me. You mentioned that other people
using the Netgear routers are also using NAT. Do you know by any chance
if they simply made up the IP ranges they use at home or perhaps your
company may have 'suggested' a range?

It's a long shot I know but it occurred to me that perhaps the company
end of the VPN isn't configured to hand out IP addresses for the tunnel
but instead they have static routes on their end saying anything
destined for 10.0.0.* (or whatever) goes out via a VPN tunnel. This is
a perfectly acceptable way of configuring a VPN endpoint. You get the
added security that even if you can authenticate, if you don't have an
IP address in a certain range then you won't get anywhere. I've rarely
seen configs like this in reality as they tend to incur a lot more support
calls :)

Like I say, a long shot, but it is entirely possible.

angel
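The rekey failure described in the reply above (client-initiated setup opens a NAT mapping, the mapping idles out, and a later remote-initiated rekey is dropped) as an added illustration, not code from the original post: a toy NAT with idle timeouts and a scenario function. The addresses, the 300 s timeout and the 3600 s rekey interval are constructed values; the "periodic client traffic" case stands in for the keepalives that UDP-encapsulated IPsec sends to keep the mapping alive.

```python
class ToyNat:
    """Minimal NAT with per-mapping idle timeout (constructed for illustration)."""

    def __init__(self, public_ip="203.0.113.5", idle_timeout=300):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        # (inside (ip, port), remote (ip, port)) -> [public_port, last_seen]
        self.table = {}
        self.next_port = 40000

    def outbound(self, now, inside, remote):
        """Client sends a packet out: create or refresh a mapping, return the public port."""
        key = (inside, remote)
        entry = self.table.get(key)
        if entry is None or now - entry[1] > self.idle_timeout:
            entry = [self.next_port, now]      # stale or missing: allocate a fresh mapping
            self.next_port += 1
            self.table[key] = entry
        entry[1] = now                          # any outbound packet refreshes the timer
        return entry[0]

    def inbound(self, now, remote, public_port):
        """Remote end sends to our public address: deliver only if a live mapping exists."""
        for (inside, rem), (port, last_seen) in self.table.items():
            if rem == remote and port == public_port:
                if now - last_seen > self.idle_timeout:
                    return None                 # entry timed out: packet is dropped
                return inside
        return None                             # no hole was ever opened for this peer


def rekey_survives(idle_timeout, rekey_at, client_interval=None):
    """Does a remote-initiated rekey at second `rekey_at` reach the client behind NAT?"""
    nat = ToyNat(idle_timeout=idle_timeout)
    client = ("10.0.10.30", 500)                # address from the original thread
    gateway = ("198.51.100.1", 500)             # constructed VPN gateway address
    public_port = nat.outbound(0, client, gateway)   # client initiates the tunnel at t=0
    if client_interval:
        t = client_interval
        while t < rekey_at:                     # periodic outbound traffic keeps the hole open
            nat.outbound(t, client, gateway)
            t += client_interval
    return nat.inbound(rekey_at, gateway, public_port) == client
```

With a 300 s NAT timeout an idle tunnel loses its remote-initiated rekey after an hour, while either regular client-side traffic or a NAT timeout longer than the rekey interval lets it through.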


