The best solution for IPsec/NAT/ESP/AH is to not include NAT in the
picture at all, i.e., terminate the external IPsec session on the NAT
box itself and forward the packets to the machines behind the FW.
Iff the security between the FW and the internal host is an issue,
then I'd suggest to set up another IPsec session between the FW and
that internal host:
         Outside world                           Internal Network
 -------------------------><----------------------------------->
                      ------------                   -----------------
  ===== tunnel 1 =====| FW/IPsec |===== tunnel 2 ====| internal host |
                      ------------                   -----------------
This way the NAT portion will get excluded and one can use any combination
of ESP/AH, tunnel/transport as he wishes... A little bit more work but much
less headache :-)
Ramin
On Tue, Apr 09, 2002 at 12:12:09AM +0100, Antony Stone wrote:
> On Monday 08 April 2002 11:52 pm, Ramin Alidousti wrote:
>
> > > Yes, it can be done - I've done it with FreeS/WAN - it needs absolutely
> > > nothing special on the IPtables machine at all - either just NAT
> > > everything (this automatically includes TCP, UDP, ESP, ICMP.....) or else
> > > make sure that you're natting UDP port 500 (IKE) and protocols 49 & 50
> > > (AH & ESP).
> >
> > Very strange, Antony. I know that the FreeS/WAN people promote the tunnel-mode
> > 100% but how do you NAT an AH packet even in the tunnel-mode, while
> > the hash runs over the whole (immutable parts of the) packet including the
> > src and the dst addresses?
>
> Sorry - a sloppy answer on my part - I have only ever done tunnel-mode IPsec,
> and I agree completely with your explanation of why NAT can't be done on AH
> packets. For ESP it is fine, though.
>
> For what it's worth, I believe it is possible to do AH transport mode IPsec
> over NAT so long as you do NAT at both ends, and each is the reverse of the
> other, so that a packet which gets created with a source & destination
> address, is then hashed & encrypted, NATted, sent to the other system,
> unNATted, and decrypted & unhashed still matches the destination address of
> the machine it's arrived on. I've never bothered trying this, though.
>
> > BTW, the protocols are 50/ESP and 51/AH (see RFC 1700). Your statement about
> > the IKE is correct, though, as long as there is only one IKE device behind
> > the NAT; otherwise you need to choose different port numbers for each one
> > of them.
>
> Again, sorry for the wrong protocol number - I know ESP is 50, and I knew AH
> was one different - I just got it one different the wrong way :-)
>
> I'd like to think that for most people who are combining IPsec and Netfilter,
> tunnel mode will be what they want - I have quite successfully combined these
> two on a single box to create a Firewall/VPN system, although if you're doing
> this, it pays to do some careful testing of the routing to see when
> encryption occurs, when address translation occurs, which device (eth0 or
> ipsec0) your packets are coming out of, etc... It's quite complicated, but
> believe me it can be done.
>
>
> Antony.
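As an added illustration of the AH-versus-ESP point argued in this exchange (example code, not part of the thread or of FreeS/WAN), the Python below builds one AH and one ESP transport-mode packet, computes the HMAC-SHA1-96 ICV the way RFC 2402 and RFC 2406 lay it out, then rewrites the source address as a NAT box would and checks each ICV again. ESP is shown with NULL encryption (RFC 2410) so that only the integrity scope matters. The key, addresses, SPIs and inner payload are constructed for the demo. It also carries Antony's reverse-NAT thought through: once the rewrite is undone, the AH ICV verifies again.

```python
"""Added example: why NAT breaks AH but leaves ESP intact (not code from the thread).

AH's ICV covers the IP header minus its mutable fields, so the addresses are
authenticated; ESP's ICV starts at the ESP header, so the outer IP header is
not covered.  Both ICVs are HMAC-SHA1-96 (RFC 2402/2406); ESP uses NULL
encryption (RFC 2410).  Key, addresses and SPIs are constructed for the demo.
"""
import hashlib
import hmac
import socket
import struct

IPPROTO_ESP = 50   # protocol numbers as Ramin corrects them in the thread
IPPROTO_AH = 51
IPPROTO_UDP = 17   # inner protocol carried by both packets
ICV_LEN = 12       # HMAC-SHA1-96 truncates the 20-byte digest to 96 bits
AH_FIXED = 12      # next header, payload len, reserved, SPI, sequence number

def ip_checksum(data):
    """Standard ones'-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, 0x1234,
                      0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def ah_immutable_view(ip_hdr):
    """Zero the fields RFC 2402 calls mutable: TOS, flags/fragment offset,
    TTL and header checksum.  Source and destination addresses stay in."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_icv(ip_hdr, ah_hdr, payload, key):
    """ICV over: immutable IP header | AH header with ICV zeroed | payload."""
    data = ah_immutable_view(ip_hdr) + ah_hdr + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def ah_packet(src, dst, key, payload, spi=0x1000, seq=1):
    """AH transport-mode packet: IP(proto 51) | AH | UDP payload."""
    total_len = 20 + AH_FIXED + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, total_len)
    payload_len = (AH_FIXED + ICV_LEN) // 4 - 2      # AH length in words, minus 2
    ah_hdr = struct.pack("!BBHII", IPPROTO_UDP, payload_len, 0, spi, seq)
    return ip_hdr + ah_hdr + ah_icv(ip_hdr, ah_hdr, payload, key) + payload

def ah_verify(pkt, key):
    ip_hdr, ah_hdr = pkt[:20], pkt[20:20 + AH_FIXED]
    icv = pkt[20 + AH_FIXED:20 + AH_FIXED + ICV_LEN]
    payload = pkt[20 + AH_FIXED + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_hdr, payload, key))

def esp_icv(esp_hdr, body, key):
    """ICV over: ESP header | payload | ESP trailer.  No IP header at all."""
    return hmac.new(key, esp_hdr + body, hashlib.sha1).digest()[:ICV_LEN]

def esp_packet(src, dst, key, payload, spi=0x2000, seq=1):
    """ESP transport mode, NULL encryption: IP(proto 50) | ESP | body | ICV."""
    pad_len = (-(len(payload) + 2)) % 4              # 4-byte alignment of the trailer
    body = (payload + bytes(range(1, pad_len + 1))
            + struct.pack("!BB", pad_len, IPPROTO_UDP))
    esp_hdr = struct.pack("!II", spi, seq)
    total_len = 20 + len(esp_hdr) + len(body) + ICV_LEN
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, total_len)
    return ip_hdr + esp_hdr + body + esp_icv(esp_hdr, body, key)

def esp_verify(pkt, key):
    esp_hdr, body, icv = pkt[20:28], pkt[28:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(esp_hdr, body, key))

def snat(pkt, new_src):
    """What a NAT box does to a protocol-50/51 packet: rewrite the source
    address and fix the IP checksum.  There are no ports to touch."""
    h = bytearray(pkt[:20])
    h[12:16] = socket.inet_aton(new_src)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]

def demo():
    key = b"constructed-demo-key"                  # constructed for the example
    payload = b"hello from a host behind the NAT"  # constructed inner datagram
    inside, outside, peer = "192.168.1.10", "198.51.100.1", "203.0.113.5"
    ah = ah_packet(inside, peer, key, payload)
    esp = esp_packet(inside, peer, key, payload)
    return {
        "ah_before_nat": ah_verify(ah, key),
        "ah_after_nat": ah_verify(snat(ah, outside), key),
        # Antony's reverse-NAT idea: undo the rewrite and the ICV matches again
        "ah_after_nat_and_unnat": ah_verify(snat(snat(ah, outside), inside), key),
        "esp_before_nat": esp_verify(esp, key),
        "esp_after_nat": esp_verify(snat(esp, outside), key),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-24s %s" % (name, "verifies" if ok else "ICV mismatch"))
```

Running it shows the AH ICV failing after the address rewrite and passing again once the rewrite is reversed, while the ESP ICV is untouched by NAT either way; that is the whole reason a NAT box can pass protocol 50 but not protocol 51.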