Colin (and LEAF list),
Being that I've gotten most of my "LEAF experience" from this list, I feel it's my
turn at bat to contribute to another's minor setback in making the ideal firewall a
reality.
I'm not positive whether or not you'd need the ipsec_nat module just for the IKE
portion of the Cisco IPSec client-to-concentrator connectivity. What I do know is
that the most typical configuration of the Cisco VPN concentrators is such that all
the client needs is to be able to speak IKE (source port UDP 500) to the concentrator
(destination port UDP 500), along with the remaining IPSec-encrypted packets being
encapsulated in a UDP header ("wrapper"), where the default on the concentrator is for
UDP 10000 being the destination port. So, in my best attempt at readable ASCII art,
it would look like this:
SP=Source Port
DP=Destination Port
Protocol Client ----> LEAF (firewall) ----> Internet ----> Cisco VPN box
IKE SP:500/udp standard NAT magic pixie dust DP:500/udp
IPSec SP:10000/udp standard NAT more of same DP:10000/udp
As for the AH and ESP protocols (50/ip and 51/ip) that typically get discussed when
talking about IPSec, you don't need to worry about those as they are encapsulated in
the 10000/udp datagram headers, but AFAIK this is *only* when using the Cisco VPN
client to connect to a Cisco VPN concentrator. In any event, you would clearly need
to allow 500/udp and 10000/udp from your "loc", or LAN segment, to your company's VPN
concentrator, presumably in your "net" zone, and you would need to ensure that these
will be allowed to get masqueraded, although I don't believe you'll need any special
MASQ modules. And, I'm positive that you don't need the ipsec.lrp or ipsec509.lrp if
this is the only VPN that you'll be doing.
Disclaimer: If what I suggest doesn't work, then your company's VPN concentrator
admins may have disabled this UDP encapsulation feature (can't think of a good reason
to do so) or they may have enabled both AH and ESP, which sometimes does not work
through NAT even with the proprietary UDP encap trick. Study your logs carefully when
it doesn't work, then report back to this list. It may even be worth studying logs if
it *does* work just to see how it all works.
On a side note, Cisco was the first to introduce this UDP scheme in order to get
through a NAT-ting firewall and still have the underlying IPSec payload intact and
valid once received by the concentrator. However, I am not positive what other
hardware vendors currently emulate this feature, but I did see mention of this
procedure being an IETF draft for an RFC, which means that we might be seeing more of
this technique from LEAF and other open source firewalls and from other commercial
vendors.
I hope this helps!
Enjoy your holiday season and best of luck in the new year!
Rob Fegley, virtual Bering newbie (i.e. circa this time last year)
-----Original Message-----
From: Colin Helliwell [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 21, 2002 11:19 AM
To: Colin Helliwell; [EMAIL PROTECTED]
Subject: [leaf-user] Need help with Cisco VPN client through (Dachstein)
LRP
I have an LRP box (running a Dachstein distribution) which has been working
fine for months doing the 'basic' internet access stuff. I now have a Cisco
VPN client installed on my company laptop and am having trouble getting it
to work through the router to the company server - it is currently failing
in the initial 'IKE' negotiation phase, from what I can tell.
Could anyone please advise on what configuration changes would be needed to
LRP and its filter rules etc to get it connecting? The client software is
configured to use UDP rather than TCP. I have looked at a load of howto's
and previous postings, but they mostly seem to refer to when the router box
is one end of the VPN which I don't think applies in my case - I just need
it to route the traffic between my client and company server.
Any advice much appreciated.
-------------------------------------------------------
This SF.NET email is sponsored by: Order your Holiday Geek Presents Now!
Green Lasers, Hip Geek T-Shirts, Remote Control Tanks, Caffeinated Soap,
MP3 Players, XBox Games, Flying Saucers, WebCams, Smart Putty.
T H I N K G E E K . C O M http://www.thinkgeek.com/sf/
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
-------------------------------------------------------
This SF.NET email is sponsored by: Order your Holiday Geek Presents Now!
Green Lasers, Hip Geek T-Shirts, Remote Control Tanks, Caffeinated Soap,
MP3 Players, XBox Games, Flying Saucers, WebCams, Smart Putty.
T H I N K G E E K . C O M http://www.thinkgeek.com/sf/
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
