On Monday 08 April 2002 11:52 pm, Ramin Alidousti wrote:

> > Yes, it can be done - I've done it with FreeS/WAN - it needs absolutely
> > nothing special on the IPtables machine at all - either just NAT
> > everything (this automatically includes TCP, UDP, ESP, ICMP.....) or else
> > make sure that you're natting UDP port 500 (IKE) and protocols 49 & 50
> > (AH & ESP).
>
> Very strange, Antony. I know that the FreeS/WAN people promote the
> tunnel-mode 100% but how do you NAT an AH packet even in the tunnel-mode, while
> the hash runs over the whole (immutable parts of the) packet including the
> src and the dst addresses?

Sorry - a sloppy answer on my part - I have only ever done tunnel-mode IPsec, and I agree completely with your explanation of why NAT can't be done on AH packets. For ESP it is fine, though.

For what it's worth, I believe it is possible to do AH transport mode IPsec over NAT so long as you do NAT at both ends, and each is the reverse of the other, so that a packet which gets created with a source & destination address, is then hashed & encrypted, NATted, sent to the other system, unNATted, and decrypted & unhashed still matches the destination address of the machine it's arrived on. I've never bothered trying this, though.

> BTW, the protocols are 50/ESP and 51/AH (see rfc1700). Your statement about
> the IKE is correct, though, as long as there is only one IKE device behind
> the NAT; otherwise you need to choose different port numbers for each one
> of them.

Again, sorry for the wrong protocol number - I know ESP is 50, and I knew AH was one different - I just got it one different the wrong way :-)

I'd like to think that for most people who are combining IPsec and Netfilter, tunnel mode will be what they want - I have quite successfully combined these two on a single box to create a Firewall/VPN system, although if you're doing this, it pays to do some careful testing of the routing to see when encryption occurs, when address translation occurs, which device (eth0 or ipsec0) your packets are coming out of, etc... It's quite complicated, but believe me it can be done.

Antony.
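The point Ramin and Antony are making, as an added example that is not part of the thread or of FreeS/WAN: a toy model of the two integrity checks. The AH-style ICV is computed over the immutable IP header fields (source, destination, protocol) plus the payload, so a NAT box rewriting the source address invalidates it, while a TTL decrement does not; the ESP-style ICV covers only the ESP payload, so it survives address translation. The last case models Antony's "NAT at both ends, each the reverse of the other" idea: the receiver maps the address back before verifying, and the AH check passes again. The key, addresses, packet layout and HMAC-SHA256 are constructed simplifications (real AH/ESP use the mutable-field rules and algorithms of the IPsec RFCs), not anything from the page.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

# Constructed demo key; a real SA key is negotiated by IKE (UDP/500).
KEY = b"constructed-demo-key"

AH, ESP = 51, 50  # IP protocol numbers, as corrected in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int        # 51 = AH, 50 = ESP
    ttl: int          # mutable in transit: zeroed for the AH ICV, so left out below
    payload: bytes
    icv: bytes = b""


def _addr(a: str) -> bytes:
    return ipaddress.IPv4Address(a).packed


def ah_icv(pkt: Packet) -> bytes:
    # AH: the hash runs over the immutable parts of the IP header
    # (src, dst, protocol) plus the payload. NAT changes src/dst.
    data = _addr(pkt.src) + _addr(pkt.dst) + bytes([pkt.proto]) + pkt.payload
    return hmac.new(KEY, data, hashlib.sha256).digest()


def esp_icv(pkt: Packet) -> bytes:
    # ESP: the ICV covers only the ESP header/payload, never the outer IP header.
    return hmac.new(KEY, pkt.payload, hashlib.sha256).digest()


def seal(pkt: Packet) -> Packet:
    fn = ah_icv if pkt.proto == AH else esp_icv
    return replace(pkt, icv=fn(pkt))


def verify(pkt: Packet) -> bool:
    fn = ah_icv if pkt.proto == AH else esp_icv
    return hmac.compare_digest(fn(pkt), pkt.icv)


def nat(pkt: Packet, **fields) -> Packet:
    # A NAT box rewrites addresses and decrements TTL; it does not hold the SA key.
    return replace(pkt, ttl=pkt.ttl - 1, **fields)


def demo() -> dict:
    """Run the four scenarios and return which ones still verify."""
    results = {}
    # Constructed addresses: inside host 192.168.1.10, NAT public side 203.0.113.1,
    # remote peer 198.51.100.7.
    ah = seal(Packet("192.168.1.10", "198.51.100.7", AH, 64, b"hello"))
    results["ah_after_snat"] = verify(nat(ah, src="203.0.113.1"))   # broken by NAT
    results["ah_ttl_only"] = verify(nat(ah))                         # routing alone is fine

    esp = seal(Packet("192.168.1.10", "198.51.100.7", ESP, 64, b"hello"))
    results["esp_after_snat"] = verify(nat(esp, src="203.0.113.1"))  # unaffected

    # Symmetric NAT: the far end un-NATs back to the original address before
    # verifying, so the AH hash over src/dst matches again.
    on_the_wire = nat(ah, src="203.0.113.1")
    un_natted = nat(on_the_wire, src="192.168.1.10")
    results["ah_after_symmetric_nat"] = verify(un_natted)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:25s} {'verifies' if ok else 'FAILS'}")
```

The model deliberately leaves TTL out of the AH hash, which is why the "TTL only" case passes: that mirrors the distinction the thread draws between mutable and immutable header fields, and it is the reason a plain router is fine in the AH path while a NAT box is not.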
