On Mon, Apr 08, 2002 at 10:34:49PM +0100, Antony Stone wrote:
> On Monday 08 April 2002 6:37 pm, Glover George wrote:
> >
> > > I need to add a VPN client (AH+ESP) behind my personal Linux
> > > gateway. But the old IP Masquerade on Kernel 2.2 does not
> > > support this. So I am thinking to upgrade to the "iptables",
> > > if it is able to do the following:
> > >
> > > 1. Masquerading VPN traffic (AH+ESP)
> >
> > Although I haven't done it, I believe there's a lot of discussion on
> > ipsec's list about it. It may be tough, but I believe it can be done.
>
> Yes, it can be done - I've done it with FreeS/WAN - it needs absolutely
> nothing special on the IPtables machine at all - either just NAT everything
> (this automatically includes TCP, UDP, ESP, ICMP.....) or else make sure that
> you're natting UDP port 500 (IKE) and protocols 49 & 50 (AH & ESP).

Very strange, Antony. I know that the FreeS/WAN people promote tunnel
mode 100%, but how do you NAT an AH packet even in tunnel mode, while
the hash runs over the whole (immutable parts of the) packet, including
the src and the dst addresses?

BTW, the protocols are 50/ESP and 51/AH (see RFC 1700).

Your statement about IKE is correct, though, as long as there is only
one IKE device behind the NAT; otherwise you need to choose different
port numbers for each one of them.

Ramin

> The trick is in getting the two IPsec machines to talk to each other, and I
> found the easiest way to do that was to tell each one what its own IP address
> was (the real IP address on the machine), but tell it the translated address
> of the other machine (ie the address it can be contacted on from the first
> one). That way both machines know who they are themselves, and they both
> know how to contact the other. The NAT in the middle just makes sure the
> packets get there.
>
> There are some good tutorials at the FreeS/WAN website which I used to get
> this going - it's just a matter of finding the example which most closely
> matches your needs and then going from there.
>
> Good luck :-)
>
> Antony.
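The point Ramin raises above (AH's integrity check covers the outer source and destination addresses, so a NAT rewrite breaks it, while ESP's check covers only the ESP header and payload) can be shown with a few lines of code. The following is an added illustration, not code from the thread or from FreeS/WAN. It builds a minimal AH tunnel-mode packet and a minimal ESP packet, both authenticated with HMAC-MD5-96 in the way RFC 2402/2403 describe (mutable IPv4 fields zeroed for AH, ICV field zeroed), then simulates a normal router hop (TTL decrement) and a NAT hop (source address rewrite). The key, addresses and inner packet bytes are constructed sample values; ESP encryption is omitted because it is irrelevant to which bytes the integrity check covers.

```python
"""Why AH cannot survive NAT while ESP can (added example, not from the thread)."""
import hashlib
import hmac
import socket
import struct

IPPROTO_ESP = 50   # RFC 1700 protocol numbers, as Ramin notes
IPPROTO_AH = 51
KEY = b"constructed-demo-key-not-real"   # constructed sample key


def ip_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    words = struct.unpack("!%dH" % (len(hdr) // 2), hdr)
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_icv(ip_hdr: bytes, ah_hdr: bytes, payload: bytes, key: bytes) -> bytes:
    """HMAC-MD5-96 over the outer IP header with mutable fields zeroed, the AH
    header with its ICV field zeroed, and the payload.  Note that the source and
    destination addresses (bytes 12-19) are NOT zeroed: they are immutable in AH."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    ah_zeroed = ah_hdr[:12] + b"\x00" * 12
    return hmac.new(key, bytes(h) + ah_zeroed + payload, hashlib.md5).digest()[:12]


def build_ah_packet(src: str, dst: str, inner: bytes, key: bytes, spi=0x100, seq=1) -> bytes:
    # AH: next header 4 (IP-in-IP, tunnel mode), payload len 4 (24-byte AH = 6 words - 2)
    ah_fixed = struct.pack("!BBHII", 4, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 24 + len(inner))
    icv = ah_icv(ip_hdr, ah_fixed + b"\x00" * 12, inner, key)
    return ip_hdr + ah_fixed + icv + inner


def verify_ah(pkt: bytes, key: bytes) -> bool:
    ip_hdr, ah, inner = pkt[:20], pkt[20:44], pkt[44:]
    return hmac.compare_digest(ah_icv(ip_hdr, ah, inner, key), ah[12:24])


def build_esp_packet(src: str, dst: str, inner: bytes, key: bytes, spi=0x200, seq=1) -> bytes:
    # ESP ICV covers SPI, sequence number, (normally encrypted) payload and trailer
    # (pad length 0, next header 4).  The outer IP header is not covered at all.
    body = struct.pack("!II", spi, seq) + inner + struct.pack("!BB", 0, 4)
    icv = hmac.new(key, body, hashlib.md5).digest()[:12]
    return ipv4_header(src, dst, IPPROTO_ESP, len(body) + 12) + body + icv


def verify_esp(pkt: bytes, key: bytes) -> bool:
    body, icv = pkt[20:-12], pkt[-12:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.md5).digest()[:12], icv)


def _fix_checksum(ip_hdr: bytearray) -> bytes:
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ip_checksum(bytes(ip_hdr)))
    return bytes(ip_hdr)


def router_hop(pkt: bytes) -> bytes:
    """What an ordinary router does: decrement TTL and fix the checksum."""
    ip_hdr = bytearray(pkt[:20])
    ip_hdr[8] -= 1
    return _fix_checksum(ip_hdr) + pkt[20:]


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """What a NAT/masquerading box does: rewrite the source address."""
    ip_hdr = bytearray(pkt[:20])
    ip_hdr[12:16] = socket.inet_aton(new_src)
    return _fix_checksum(ip_hdr) + pkt[20:]


def demo() -> dict:
    inner = b"constructed inner IP packet bytes"   # stands in for the tunnelled packet
    ah = build_ah_packet("192.168.1.10", "203.0.113.5", inner, KEY)
    esp = build_esp_packet("192.168.1.10", "203.0.113.5", inner, KEY)
    return {
        "ah_after_router": verify_ah(router_hop(ah), KEY),                      # True
        "ah_after_nat": verify_ah(nat_rewrite_src(ah, "198.51.100.1"), KEY),    # False
        "esp_after_router": verify_esp(router_hop(esp), KEY),                   # True
        "esp_after_nat": verify_esp(nat_rewrite_src(esp, "198.51.100.1"), KEY), # True
    }


if __name__ == "__main__":
    print(demo())
```

The TTL hop passes for both because AH zeroes the mutable fields before hashing; the NAT hop fails only for AH because the rewritten source address is inside the hashed region. That is the whole reason a masquerading gateway can carry ESP tunnels (protocol 50 plus UDP 500 for IKE) but not AH (protocol 51), regardless of what the iptables rules say.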
