On Sun, 2002-11-17 at 20:33, [EMAIL PROTECTED] wrote:
> On Sat, 16 Nov 2002, at 11:15am, [EMAIL PROTECTED] wrote:
> >> Please inform your husband that his firewall
> >> needs to allow outbound UDP port 50 and IP
> >> protocol 500.
> 
>   That is incorrect in at least one way, and likely two.

As are you ;-)

>   Most likely, your wife's IT department is using IPsec with IKE and ESP.  

Judging by the subject line, I would also guess that they are using a
Nortel Contivity switch. 

 
>   You also need to allow ESP (Encapsulated Security Payload), which is IP
> protocol 51.  ESP encapsulates an IP datagram in another datagram, adding
> authentication and encryption.  The authentication is only done on the
> encapsulated datagram, so you can rewrite the outer datagram's header
> without fear of it being rejected.
> 
>   IP protocol 50 is AH (Authentication Header), which is not compatible with
> NAT.  AH adds authentication information to an IP datagram without
> encapsulating it; it provides only authentication, not encryption.  Because
> NAT modifies the headers of IP datagrams, it is not compatible with AH.  
> Fortunately for you, however, AH is (currently) rarely used.

It's the other way around. ESP is protocol 50 and AH is protocol 51.
Other than that one minor detail, Ben is correct on this ;-)
 
> 
> > If he is doing NAT, then there needs to be a way to let an IPsec tunnel
> > through without manipulating the packet.
> 
>   Not possible.  NAT, by definition, modifies the packet header.  
> Fortunately for you, I suspect your wife's employer's IT guy does not really
> understand what he is talking about.  (This is less fortunate for your
> wife's employer.)

Chances are, the IT guy is reading the Contivity switch manual and just
repeating what is in it. IMNSHO, remote access should not be lumped in
with "IT". It should be its own group.....
 
> > Is my firewall scrogging us?
> 
>   Yes, but that is likely easily fixed.  What distribution and release are
> you running?  What version of the Linux kernel?  What kind of firewall
> (IPCHAINS, IPTABLES)?  Where did the firewall com from (with the
> distribution, third-party, do-it-yourself)?

Either way, check out John Hardin's VPN Masquerade pages. If you're
using a 2.2 kernel, you will need the VPN masq. patch.
 
http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
http://www.impsec.org/~jhardin/

C-Ya,
Kenny

-- 
----------------------------------------------------------------------------
"Tact is just *not* saying true stuff" -- Cordelia Chase

Kenneth E. Lussier
Sr. Systems Administrator
Zuken, USA
PGP KeyID CB254DD0 
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB254DD0
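To make the AH-versus-NAT point in the thread concrete, here is a constructed Python model added for this page (not code from the thread, from Nortel, or from any IPsec implementation). It applies AH's rule of zeroing the mutable IPv4 header fields before the integrity check, and shows that a plain router hop (TTL decrement) leaves the AH check intact while a masquerading rewrite of the source address breaks it, whereas ESP's check never covers the outer header at all. The addresses, key and payload are placeholders, and a truncated HMAC-SHA256 stands in for whatever integrity algorithm a real SA negotiates.

```python
import hmac
import hashlib
import struct

ESP, AH = 50, 51  # IP protocol numbers, as corrected in the thread (ESP=50, AH=51)
AH_MUTABLE = {1, 6, 7, 8, 10, 11}  # TOS, flags/frag offset, TTL, checksum: zeroed by AH

def checksum(hdr):
    """Standard IPv4 header checksum, computed with the checksum field zeroed."""
    total = sum(struct.unpack("!10H", hdr[:10] + b"\x00\x00" + hdr[12:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def with_checksum(hdr):
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def addr(dotted):
    return bytes(int(o) for o in dotted.split("."))

def ipv4_header(src, dst, proto, ttl=64):
    """Constructed 20-byte IPv4 header (no options) for a 40-byte datagram."""
    return with_checksum(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0,
                                     ttl, proto, 0, addr(src), addr(dst)))

def ah_icv(key, hdr, payload):
    """AH: the ICV covers the immutable outer-header fields *and* the payload."""
    fixed = bytes(0 if i in AH_MUTABLE else b for i, b in enumerate(hdr))
    return hmac.new(key, fixed + payload, hashlib.sha256).digest()[:12]

def esp_icv(key, payload):
    """ESP: the ICV covers only the ESP header/payload, never the outer IP header."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:12]

def hop(hdr):
    """An ordinary router: decrement TTL and refresh the checksum, nothing else."""
    return with_checksum(hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:])

def nat(hdr, public_src):
    """A masquerading firewall: a hop that also rewrites the private source address."""
    routed = hop(hdr)
    return with_checksum(routed[:12] + addr(public_src) + routed[16:])

def icv_survives(proto, transform, key=b"constructed-sa-key",
                 payload=b"constructed-inner-datagram"):
    """True if the receiver's integrity check still passes after transform() touched the header."""
    sent = ipv4_header("192.168.1.10", "203.0.113.5", proto)  # constructed private -> public
    icv = (lambda h: ah_icv(key, h, payload)) if proto == AH else (lambda h: esp_icv(key, payload))
    return hmac.compare_digest(icv(sent), icv(transform(sent)))
```

Running `icv_survives(AH, lambda h: nat(h, "198.51.100.7"))` returns False while the same call with ESP returns True, which is exactly why a masquerading firewall can pass ESP but not AH.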


_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
