Hi Michael,

First, answering your followup question:

> (Actually if this works...) Do I need any firewall rules for this? I did have 
> AH, ESP and UDP500/4500 NAT’d previously.

No you don't, the AIF ipsec-vpn plugin automatically opens ports for an 
AstLinux IPsec VPN endpoint as well as supporting forwarding NAT'ed IPsec 
traffic.  Since you don't have the AstLinux IPsec VPN enabled, the described 
"hack" is to enable the plugin to support forwarding NAT'ed IPsec traffic.


> Interestingly I had a Cisco router working behind it fine but we couldn’t get 
> the second VPN up.

Ahhh, that explains a lot.

Note that NAT works with UDP and TCP by using the inbound/outbound 'port' and 
inbound/outbound IP address to create a connection tracking hash table.  
Clients behind NAT can use multiple UDP/TCP connections to the same public 
server since they will each use different ports via NAT at the edge.

Now with IPsec using ESP, a raw IP protocol, there are no ports for the NAT 
connection tracking to use for uniqueness.  As a result, only one IPsec ESP 
client connection can be established to the same public server behind NAT.  A 
second IPsec ESP client connection will fail as long as the NAT table has an 
active, previous IPsec ESP client connection.

The solution to this is to configure the IPsec server and client to use IPsec 
NATT (NAT Traversal) where the IPsec payload uses 4500/UDP instead of ESP.  
In both cases IPsec IKE uses 500/UDP to negotiate the connection.

In summary (as I see it):

1) If your goal is to establish more than one IPsec ESP client connection to 
the *same* public server, the AIF ipsec-vpn plugin "hack" will not help you.

2) If you can use IPsec NATT (NAT Traversal), the AIF ipsec-vpn plugin "hack" 
is not needed, that should work with most any NAT router.

Lonnie

Or, just use WireGuard :-)
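The following is an added worked example, not part of Lonnie's reply or of AstLinux itself. It is a toy model of NAT connection tracking that reproduces the point made above: UDP flows (IKE on 500/UDP, NAT-T on 4500/UDP) from two internal hosts to the same public server each get their own public port and coexist, while raw ESP (IP protocol 50) carries no ports, so the reply-direction lookup can only key on (protocol, server IP, public IP) and the second ESP client is blocked until the first entry expires. The addresses, the `Nat`/`Flow` classes and the `simulate()` helper are all constructed for the illustration.

```python
"""Toy model of NAT connection tracking: UDP flows vs. raw ESP (IP proto 50).

Constructed illustration, not AstLinux or netfilter code.  Addresses are
documentation ranges (hypothetical).  A real conntrack implementation is more
elaborate, but the key point is the same: ESP carries no port numbers, so the
reply-direction lookup can only key on (protocol, server IP, public IP).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

UDP = 17
ESP = 50


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str                     # internal (private) host
    dst: str                     # public server
    sport: Optional[int] = None  # None for port-less protocols such as ESP
    dport: Optional[int] = None


@dataclass
class Nat:
    public_ip: str
    table: Dict[Tuple, Flow] = field(default_factory=dict)  # reply key -> owner
    next_port: int = 40000       # next free public-side UDP/TCP port

    def outbound(self, flow: Flow) -> bool:
        """Create a translation for an outbound packet.

        Returns False when the reply-direction key is already owned by a
        different internal host (the "second ESP client" case).
        """
        if flow.proto == ESP:
            # No ports: inbound ESP from `dst` to our public IP can only be
            # mapped back to one internal host at a time.
            key = (ESP, flow.dst, self.public_ip)
        else:
            # UDP/TCP: a fresh public port makes every client's key unique.
            key = (flow.proto, flow.dst, flow.dport, self.public_ip, self.next_port)
            self.next_port += 1
        owner = self.table.get(key)
        if owner is not None and owner.src != flow.src:
            return False
        self.table[key] = flow
        return True

    def expire(self, flow: Flow) -> None:
        """Remove the entry owned by `flow` (idle timeout or teardown)."""
        for key, owner in list(self.table.items()):
            if owner == flow:
                del self.table[key]


def simulate(server: str = "203.0.113.10") -> Dict[str, bool]:
    """Two internal hosts, one NAT, one public IPsec server (all constructed)."""
    nat = Nat(public_ip="198.51.100.1")
    host_a, host_b = "192.168.1.10", "192.168.1.11"
    r: Dict[str, bool] = {}
    # IKE on 500/UDP: both succeed, the NAT-assigned port keeps them distinct.
    r["ike_a"] = nat.outbound(Flow(UDP, host_a, server, 500, 500))
    r["ike_b"] = nat.outbound(Flow(UDP, host_b, server, 500, 500))
    # Raw ESP: the second host collides with the first host's active entry.
    r["esp_a"] = nat.outbound(Flow(ESP, host_a, server))
    r["esp_b"] = nat.outbound(Flow(ESP, host_b, server))
    # NAT-T: ESP wrapped in UDP/4500, so the port again disambiguates.
    r["natt_a"] = nat.outbound(Flow(UDP, host_a, server, 4500, 4500))
    r["natt_b"] = nat.outbound(Flow(UDP, host_b, server, 4500, 4500))
    # Once host A's ESP entry expires, host B can establish its own.
    nat.expire(Flow(ESP, host_a, server))
    r["esp_b_after_expiry"] = nat.outbound(Flow(ESP, host_b, server))
    return r


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name:20s} {'OK' if ok else 'BLOCKED'}")
```

Running it prints `esp_b BLOCKED` while every UDP-based flow (including NAT-T on 4500/UDP) is `OK`, which is the behaviour summarised in points 1) and 2) above: enabling pass-through on the edge does not create a second ESP mapping, whereas NAT-T does because the UDP port gives conntrack something unique to key on.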




> On Jun 21, 2023, at 1:01 AM, Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
> 
> Thanks Lonnie. I will give it a try.
> Interestingly I had a Cisco router working behind it fine but we couldn’t get 
> the second VPN up. We changed it out for a TP-Link router so the customer 
> could manage themselves and that didn’t work at all.
>  
> Regards
> Michael Knill
>  
>  
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> Date: Tuesday, 20 June 2023 at 11:44 pm
> To: AstLinux Users Mailing List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Running ipsec behind Astlinux
> 
> Hi Michael,
> 
> Good question...
> 
> It sounds like AstLinux needs to perform IPsec pass-through while the 
> AstLinux IPsec VPN is not enabled.
> 
> As a quick "hack", using the Network tab ...
> 
> Firewall Plugins: [ ipsec-vpn ] - { Configure Plugin }
> 
> Ignore the "*** Do Not Edit Below Here ***" note and set ENABLED=1 in the 
> lower section, per this diff:
> 
> -- diff --
>  # AstLinux specific mappings, either edit your /mnt/kd/rc.conf file
>  # or, use Network tab -> [IPsec Configuration] from the web interface.
>  # 
> ------------------------------------------------------------------------------
>  # Indent script section so script variables won't be merged
>  
> -  ENABLED=0
> +  ENABLED=1
>    IPSEC_ALLOWED_HOSTS="0/0"
>    IPSEC_VPN_NETS=""
>    IPSEC_NAT_TRAVERSAL=0
>    vpntype_ipsec=0
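Review bot: the hunk flips ENABLED=1 but leaves IPSEC_ALLOWED_HOSTS="0/0" in the unchanged context, so once the plugin is enabled the IPsec ports it opens are accepted from any source address; suggest narrowing IPSEC_ALLOWED_HOSTS to the remote peer's address where it is known, and adding a one-line comment beside `+  ENABLED=1` recording that the value was hand-edited below the "*** Do Not Edit Below Here ***" marker, so a later save from the web interface is not mistaken for a regression when it rewrites that section.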
> -- diff --
> 
> "Save Changes" and "Restart Firewall" to apply the change.
> 
> Please report back if this solves your issue.
> 
> BTW, alternatively, if the internal IPsec client was configured to use NAT 
> Traversal, that should also work without AstLinux firewall tweaks.
> 
> Lonnie
> 
> 
> 
> > On Jun 20, 2023, at 3:19 AM, Michael Knill 
> > <michael.kn...@ipcsolutions.com.au> wrote:
> > 
> > Hi Group
> >  
> > I have an ipsec VPN device behind Astlinux and it cannot connect. When I 
> > stick the device behind a 4G enabled Mikrotik router then it works fine.
> > What could be the problem? Are there any additional rules I need to add?
> >  
> > This is certainly very annoying and hopefully I can fix it before it uses 
> > up all my 4G data.
> >  
> > Regards
> >  
> > Michael Knill
> > Managing Director
> >  
> > D: +61 2 6189 1360
> > P: +61 2 6140 4656
> > E: michael.kn...@ipcsolutions.com.au
> > W: ipcsolutions.com.au
> >  
> > Smarter Business Communications
> >  
> > _______________________________________________
> > Astlinux-users mailing list
> > Astlinux-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/astlinux-users
> > 
> > Donations to support AstLinux are graciously accepted via PayPal to 
> > pay...@krisk.org.
> 
> 
> 