On Tue, 9 Apr 2002, Antony Stone wrote:

> On Monday 08 April 2002 11:52 pm, Ramin Alidousti wrote:
>
> > > Yes, it can be done - I've done it with FreeS/WAN - it needs absolutely
> > > nothing special on the IPtables machine at all - either just NAT
> > > everything (this automatically includes TCP, UDP, ESP, ICMP.....) or else
> > > make sure that you're natting UDP port 500 (IKE) and protocols 49 & 50
> > > (AH & ESP).
> >
> > Very strange, Antony. I know that the FreeS/WAN people promote the tunnel-
> > mode 100% but how do you NAT an AH packet even in the tunnel-mode, while
> > the hash runs over the whole (immutable parts of the) packet including the
> > src and the dst addresses?
>
> Sorry - a sloppy answer on my part - I have only ever done tunnel-mode IPsec,
> and I agree completely with your explanation of why NAT can't be done on AH
> packets.   For ESP it is fine, though.

Actually there is one way - but FreeS/WAN does not play nice due to its
insistence on ignoring the kernel routing code.

What I do when using full AH/ESP is to route all of that traffic through
an IPIP tunnel between the points. In this way both sides can see and deal
with each other as full peers. Additionally the IPIP tunnel is quite able
to be NAT'ed at any point in between so long as the end result is getting
to the terminus. This does put the onus of routing on the kernel so this
is only really viable in Linux. Additionally you can provide a multiple
hop island route schema that takes care of dynamic addressing quite
nicely.

> For what it's worth, I believe it is possible to do AH transport mode IPsec
> over NAT so long as you do NAT at both ends, and each is the reverse of the
> other, so that a packet which gets created with a source & destination
> address, is then hashed & encrypted, NATted, sent to the other system,
> unNATted, and decrypted & unhashed still matches the destination address of
> the machine it's arrived on.   I've never bothered trying this, though.
>
> > BTW, the protocols are 50/ESP and 51/AH (see rfc1700). Your statement about
> > the IKE is correct, though, as long as there is only one IKE device behind
> > the NAT; otherwise you need to choose different port numbers for each one
> > of them.
>
> Again, sorry for the wrong protocol number - I know ESP is 50, and I knew AH
> was one different - I just got it one different the wrong way :-)
>
> I'd like to think that for most people who are combining IPsec and Netfilter,
> tunnel mode will be what they want - I have quite successfully combined these
> two on a single box to create a Firewall/VPN system, although if you're doing
> this, it pays to do some careful testing of the routing to see when
> encryption occurs, when address translation occurs, which device (eth0 or
> ipsec0) your packets are coming out of, etc...   It's quite complicated, but
> believe me it can be done.

I use IPSec all the time with NetFilter - I just do not use FreeS/WAN as I
prefer to have all of my routing done by routing code/daemons rather than
by the IPSec code.

> Antony.

--------------------------------------------------
Matthew G. Marsh,  President
Paktronix Systems LLC
1506 North 59th Street
Omaha  NE  68104
Phone: (402) 932-7250 x101
Email: [EMAIL PROTECTED]
WWW:  http://www.paktronix.com
--------------------------------------------------
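Ramin's point about why an AH packet cannot be NATted, and Matthew's IPIP workaround, as an added Python sketch (not code from this thread, FreeS/WAN or Paktronix): a toy AH integrity check over the immutable IPv4 header fields, a router hop that only decrements TTL, a NAT hop that also rewrites the source address, and the same AH packet carried inside IPIP so that NAT touches only the outer header. The key, addresses, payload and the truncated HMAC-SHA-256 construction are constructed for the demo, and the AH header itself is left out of the hash.

```python
import hashlib, hmac, ipaddress, struct

KEY = b"constructed-demo-key"  # constructed; a real AH key is negotiated by IKE

def ip_header(src, dst, proto, total_len=20, ttl=64):
    """Minimal 20-byte IPv4 header without options (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ah_covered_view(hdr):
    """RFC 2402 zeroes the mutable fields (TOS, flags/fragment offset, TTL, checksum)
    before hashing; source and destination addresses are immutable and stay in."""
    b = bytearray(hdr)
    b[1], b[8] = 0, 0
    b[6:8] = b[10:12] = b"\x00\x00"
    return bytes(b)

def ah_icv(hdr, payload):
    """Toy AH ICV: HMAC over the covered header plus payload, truncated to 96 bits
    in the style of HMAC-SHA1-96 (the AH header itself is omitted in this sketch)."""
    return hmac.new(KEY, ah_covered_view(hdr) + payload, hashlib.sha256).digest()[:12]

def ah_packet(src, dst, payload):
    hdr = ip_header(src, dst, 51, 20 + len(payload))  # protocol 51 = AH
    return hdr + payload, ah_icv(hdr, payload)

def verify_ah(packet, icv):
    return hmac.compare_digest(icv, ah_icv(packet[:20], packet[20:]))

def forward_hop(packet):
    b = bytearray(packet)
    b[8] -= 1  # a plain router only decrements TTL, which AH treats as mutable
    return bytes(b)

def nat_hop(packet, new_src):
    b = bytearray(forward_hop(packet))
    b[12:16] = ipaddress.IPv4Address(new_src).packed  # NAT rewrites a covered field
    return bytes(b)

def ipip_wrap(inner, outer_src, outer_dst):
    return ip_header(outer_src, outer_dst, 4, 20 + len(inner)) + inner  # protocol 4 = IPIP

def demo():
    """Return (AH ok after a router, AH ok after NAT, AH-in-IPIP ok after NAT)."""
    pkt, icv = ah_packet("10.0.0.2", "192.0.2.9", b"constructed data")
    tunneled = nat_hop(ipip_wrap(pkt, "10.0.0.2", "192.0.2.9"), "198.51.100.1")
    return (verify_ah(forward_hop(pkt), icv),
            verify_ah(nat_hop(pkt, "198.51.100.1"), icv),
            verify_ah(tunneled[20:], icv))  # NAT rewrote only the outer header
```

ESP is not shown because its integrity check never covers the outer IP header, which is exactly why plain ESP survives the same NAT hop.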