[Openswan Users] FW: questions based on the VPN behind the NAT Box.

Shi Lang shilang at greenpacket.com
Wed Jan 18 11:56:48 CET 2006 

Hi,

****************************************************************************
(192.168.6.6) VPN1 (192.168.11.1) --- (br0:192.168.11.11) NAT1 (eth0:
192.168.252.198)  -----  (eth0: 192.168.252.199) NAT2 (br0: 192.168.22.22)
--- (192.168.22.2) VPN2 (192.168.8.8)
****************************************************************************

The case is site-to-site VPN, but each site VPN is behind a linux firewall.
VPN1 and VPN2 are not roadwarriers. I did not install the NATT patch.

Regards,
 
Shi Lang
Quality Assurance Engineer
GreenPacket Bhd
www.greenpacket.com 
Tel: 006-03-89966022 ext: 105
E-mail: shilang at greenpacket.com


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Wednesday, January 18, 2006 10:12 AM
To: Shi Lang
Cc: 'Openswan DEV'; 'Tuomo Soini'
Subject: Re: questions based on the VPN behind the NAT Box.

On Wed, 18 Jan 2006, Shi Lang wrote:

> On NAT1 Pure Linux PC I did:
>
> 1. ifconfig eth0:1 192.168.252.104        * 192.168.252.104 is the mapping
> ip of 192.168.11.1, the VPN1's external interface eth0.
>
> 2. iptables -t nat -I POSTROUTING 1 -s 192.168.11.1 -j SNAT --to-source
> 192.168.252.104
>
> 3. iptables -t nat -I POSTROUTING 1 -d 192.168.252.104 -j DNAT --to-dest
> 192.168.11.1
>
> I also did settings on NAT2, mapping 192.168.22.2 to 192.168.252.105.
>
> I have successfully established the tunnel between VPN1 and VPN2.

So you first encrypt/sign the packet, then mangle it "broken" by SNAT,
then "break it some more" with DNAT. If it works, I guess you should count
yourself lucky, and thank Arkoon networks for their NAT-T patch we include.
I am assuming this only works because you are rewriting UDP packets
containing
the IPsec pacets.

> 1.  But my first try is without Leftid and Rightid in the ipsec.conf in
VPN1
> and VPN2,
>
> it failed to establish the M3 negotiation (m1 and m2 in Main Mode is ok, i
> checked with 'ipsec auto --status').
>
> IKE RFC 2409 says: Main Mode, the last two messages authenticate the DH
> exchange.

The default id if not specified is the IP address. So the Id within the
IKE packets contain the original non-NAT'ed IP address. These do not
match the SNAT'ed IP address.

> 2.  But if VPN1 direct to VPN2 (without NAT Box), then without leftid and
> rightid can establish the tunnel at this time.

Yes, because you are not rewriting the IP address you sent as ID.

You can explicitely set a leftid= and rightid=, but the ideal situation is
to not use this NAT approach.

Paul

More information about the Users mailing list