Re: VPN Passthrough with iptables

From: Dieter Sarrazyn (dieter.sarrazyn@no.spam.pandora.be)
Date: 09/19/02


I think the only thing you'll need to do is to allow IKE (500/udp)
and IPSec (IP protocol 50) outbound and to perform hide NAT of your
internal host/network behind the external IP of your firewall (should
work with dynamic addresses as well).

Dieter

On 19 Sep 2002 10:20:21 GMT, Ian G Batten <I.G.Batten@batten.eu.org>
wrote:

>
>If I have this scenario:
>
>[PC]--local ethernet---[Linux Firewall/NAT]---Internet---[VPN Server]
>
>how do I configure the Firewall/NAT box so that it will do IPSec VPN
>passthrough from a VPN client on the PC to the VPN Server? The client
>and server will be Symantec, if that matters, but I would like to pass
>through arbitrary IPSec. I don't believe this is hard, as most
>commodity SOHO routers support "VPN Passthrough" as part of their NAT
>offering, and just knowing what they do would be sufficient (I'm fluent
>with iptables, but not with IPSec).
>
>I would be happy with a solution which only works for one PC.
>
>From basic reading, I believe I need to use IKE key exchange, pass
>outbound UDP traffic headed for a remote port 500 through (applying
>simply the SNAT but leaving the source port alone) and use DNAT to pass
>incoming traffic for port 500 on the NAT host to port 500 on the VPN
>client. I think I can use SPI tracking on more recent kernels to
>discriminate.
>
>Am I on the right lines?
>
>ian
>
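The rule set Dieter describes, written out as an added example (not part of either post): outbound IKE and ESP from the PC's network, the matching return traffic, and hide NAT of that network behind the firewall's external address. The interface names eth0 (Internet) and eth1 (LAN) and the network 192.168.1.0/24 are assumed; the function only prints the iptables commands, so it can be inspected before being piped to sh as root.

```shell
#!/bin/sh
# Assumed layout (constructed): eth0 faces the Internet, eth1 faces the PC,
# and the internal network is 192.168.1.0/24. Nothing here is applied
# unless the output is piped to sh (see --apply below).

vpn_passthrough_rules() {
    wan_if="$1"   # interface facing the Internet
    lan_if="$2"   # interface facing the PC
    lan_net="$3"  # internal network, e.g. 192.168.1.0/24

    # Default-deny forwarding so only the listed traffic crosses the box.
    echo "iptables -P FORWARD DROP"
    # IKE: the key exchange on UDP port 500, outbound from the PC. The
    # hide NAT below keeps the original source port unless it collides.
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -p udp --dport 500 -j ACCEPT"
    # ESP: IP protocol 50 carries the encrypted traffic. It has no ports,
    # so it is matched by protocol number only.
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -p 50 -j ACCEPT"
    # Replies from the VPN server: conntrack tracks UDP and (by address
    # pair) the port-less ESP flow, so one rule covers both.
    echo "iptables -A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # AH (protocol 51) is deliberately absent: it authenticates the IP
    # header that NAT rewrites, so it cannot survive hide NAT.
    # Hide NAT of the internal network behind the firewall's external
    # address; MASQUERADE picks up a dynamic address automatically.
    echo "iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE"
}

# Number of commands generated, handy as a sanity check before applying.
rule_count() {
    vpn_passthrough_rules "$@" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    vpn_passthrough_rules eth0 eth1 192.168.1.0/24 | sh
else
    vpn_passthrough_rules eth0 eth1 192.168.1.0/24
fi
```

Because ESP carries no port numbers, conntrack can only tell flows apart by address pair, so this works reliably for the single PC Ian asked about rather than several clients talking to the same VPN server at once.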
