IPSec behind Firewall

Chris Goellner chris.goellner at CORP.BELLSOUTH.NET
Wed Jan 26 10:55:40 EST 2000


I got it to work with the box behind the NAT using a static NAT. Basically,
I set the everything up using the public address of the NAT.

Now if I can only figure out how to put multiple networks on the tunnel
I would be cooking with gas.

From Patrick Ethier (patrick at secureops.com):

> Hi,
>
>  I've not tried NAT with ISAKMP myself yet, but here is why I think it may
> not work (please, somebody correct me if I am wrong or not totally right, so
> I can add this to the VPN docs).
>
>  Firstly, which host is behind the NAT and which one has a normal IP with
> normal routing? The reason for this question is that the host behind the NAT
> box must initiate the Phase 1 security association. Let us call host B the
> one not behind the NAT box. It does not need any IP = NAME entries in Phase 1
> but it does need a DEFAULT = NAME entry. The same goes for the Phase 2 section.
>
> You cannot use AH either, the reason being that an IPSec packet looks like
> this:
>
>  [IP][AH][ESP] (The ESP encapsulates the packet sent to the internal LAN on
> the host A side.) NAT strips off [IP][AH] and replaces it with the [IP] of
> the NAT box. So, don't use NAT with AH.
>
> As for the rest, you may run into fragmentation issues also.
>
> Try the following conf.
>
> On host B (behind the NAT)
>
> [General]
> Normal config
> [Phase 1]
>
> default= HOSTA_NAME
>
> [Phase 2]
>
> default= HOSTA_HOSTB
>
> [HOSTA_NAME]
> Normal config except the IP address must be that of the translated NAT box
> for proper authentication.
> (I believe that the Local-Address value does not get transmitted)
>
>
> [HOSTA_HOSTB]
> Normal Config
>
>
> Let me know what comes up. If someone could give me a more scientific
> explanation as to the problems with IPSec and NAT, I'd gladly add it to the
> VPN doc.
>
> > -----Original Message-----
> > From: Chris Goellner [mailto:chris.goellner at corp.bellsouth.net]
> > Sent: Tuesday, January 25, 2000 2:47 PM
> > To: misc at openbsd.org
> > Subject: IPSec behind Firewall
> >
> >
> > I think this question has been asked many times, so I'm sorry for asking
> > again.
> >
> > I have two OpenBSD boxes that I want to create a VPN between. I'm using
> > the basic config from the man pages and I've read and reread the
> > secureops.com pages. I've even gotten one of the gateways to work with
> > PGPNet VPN.
> >
> > The problem is the new gateway is behind a static NAT. I've tried
> > every combination of the private and public address to get the two to
> > speak but I keep getting NO_PROPOSAL_CHOSEN.
> >
> > I've checked everything, the policy files match the shared secrets
> > and the Phase 1 stuff looks right. My only guess is that the NAT is
> > somehow causing a problem.
> >
> > Can anyone provide any input?
> >
> > FYI, the NAT is through a Cisco with no ACLs and the tcpdumps look
> > right; they show both guys talking to each other.
> >
> > Config Files Follow (names changed to protect the innocent)
> >
> > ########
> > # Host A
> > ########
> >
> > [General]
> > Policy-File=		/etc/isakmpd.policy
> > Retransmits=		5
> > Exchange-max-time=	120
> > Listen-on=		HostA-private
> >
> > [Phase 1]
> > HostB-public=		HostB
> >
> > [Phase 2]
> > Connections=		HostA-HostB
> >
> > [HostB]
> > Phase=			1
> > Transport=		udp
> > Local-address=		HostA-private
> > Address=		HostB-public
> > Configuration=		Default-main-mode
> > Authentication=		beavis
> > Flags=			Stayalive
> >
> > [HostA-HostB]
> > Phase=			2
> > ISAKMP-peer=		HostB
> > Configuration=		Default-quick-mode
> > Local-ID=		Net-A
> > Remote-ID=		Net-B
> > Flags=			Stayalive
> >
> > [Net-A]
> > ID-type=		IPV4_ADDR_SUBNET
> > Network=		172.16.0.0
> > Netmask=		255.255.0.0
> >
> > [Net-B]
> > ID-type=		IPV4_ADDR_SUBNET
> > Network=		192.168.0.0
> > Netmask=		255.255.255.0
> >
> > [Default-main-mode]
> > DOI=			IPSEC
> > EXCHANGE_TYPE=		ID_PROT
> > Transforms=		3DES-SHA
> >
> > [Default-quick-mode]
> > DOI=			IPSEC
> > EXCHANGE_TYPE=		QUICK_MODE
> > Suites=			QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
> >
> > #######################
> > # Begin Listed Transforms
> > #######################
> >
> > [3DES-SHA]
> > ENCRYPTION_ALGORITHM=           3DES_CBC
> > HASH_ALGORITHM=                 SHA
> > AUTHENTICATION_METHOD=          ANY
> > GROUP_DESCRIPTION=              MODP_1024
> > PRF=                            Any
> > Life=                           LIFE_3600_SECS
> >
> > [QM-ESP-3DES-SHA-PFS-SUITE]
> > Protocols=                      QM-ESP-3DES-SHA-PFS
> >
> > [QM-ESP-3DES-SHA-PFS]
> > PROTOCOL_ID=                    IPSEC_ESP
> > Transforms=                     QM-ESP-3DES-SHA-PFS-XF
> >
> > [QM-ESP-3DES-SHA-PFS-XF]
> > TRANSFORM_ID=                   3DES
> > ENCAPSULATION_MODE=             TUNNEL
> > AUTHENTICATION_ALGORITHM=       HMAC_SHA
> > GROUP_DESCRIPTION=              MODP_1024
> > Life=                           LIFE_600_SECS
> >
> > [QM-ESP-DES-MD5-SUITE]
> > Protocols=                      QM-ESP-DES-MD5
> >
> > #######################
> > # End Listed Transforms
> > #######################
> >
> > [LIFE_600_SECS]
> > LIFE_TYPE=		SECONDS
> > LIFE_DURATION=		600,450:720
> >
> > [LIFE_3600_SECS]
> > LIFE_TYPE=		SECONDS
> > LIFE_DURATION=		3600,1800:7200
> >
> > [LIFE_1000_KB]
> > LIFE_TYPE=		KILOBYTES
> > LIFE_DURATION=		1000,768:1536
> >
> > [LIFE_32_MB]
> > LIFE_TYPE=		KILOBYTES
> > LIFE_DURATION=		32768,16384:65536
> >
> > [LIFE_4.5_GB]
> > LIFE_TYPE=		KILOBYTES
> > LIFE_DURATION=		4608000,4096000:8192000
> >
> > # Certificates stored in PEM format
> > [X509-certificates]
> > CA-directory=		/etc/isakmpd/ca/
> > Cert-directory=		/etc/isakmpd/certs/
> > #Accept-self-signed=	defined
> > Private-key=		/etc/isakmpd/private/local.key
> >
> >
> > ########
> > # Host B
> > ########
> >
> > [General]
> > Policy-File=		/etc/isakmpd.policy
> > Retransmits=		5
> > Exchange-max-time=	120
> > Listen-on=		HostB-public
> >
> > [Phase 1]
> > HostA-public=		HostA
> >
> > [Phase 2]
> > Connections=		HostB-HostA
> >
> > [HostA]
> > Phase=			1
> > Transport=		udp
> > Local-address=		HostB-public
> > Address=		HostA-public
> > Configuration=		Default-main-mode
> > Authentication=		beavis
> > Flags=			Stayalive
> >
> > [HostB-HostA]
> > Phase=			2
> > ISAKMP-peer=		HostA
> > Configuration=		Default-quick-mode
> > Local-ID=		Net-B
> > Remote-ID=		Net-A
> > Flags=			Stayalive
> >
> > [Net-A]
> > ID-type=		IPV4_ADDR_SUBNET
> > Network=		192.168.0.0
> > Netmask=		255.255.255.0
> >
> > [Net-B]
> > ID-type=		IPV4_ADDR_SUBNET
> > Network=		172.16.0.0
> > Netmask=		255.255.0.0
> >
> > [Default-main-mode]
> > DOI=			IPSEC
> > EXCHANGE_TYPE=		ID_PROT
> > Transforms=		3DES-SHA
> >
> > [Default-quick-mode]
> > DOI=			IPSEC
> > EXCHANGE_TYPE=		QUICK_MODE
> > Suites=			QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
> >
> > #######################
> > # Begin Listed Transforms
> > #######################
> >
> > [3DES-SHA]
> > ENCRYPTION_ALGORITHM=		3DES_CBC
> > HASH_ALGORITHM=			SHA
> > AUTHENTICATION_METHOD=		ANY
> > GROUP_DESCRIPTION=		MODP_1024
> > PRF=				Any
> > Life=				LIFE_3600_SECS
> >
> > [QM-ESP-3DES-SHA-PFS-SUITE]
> > Protocols=			QM-ESP-3DES-SHA-PFS
> >
> > [QM-ESP-3DES-SHA-PFS]
> > PROTOCOL_ID=			IPSEC_ESP
> > Transforms=			QM-ESP-3DES-SHA-PFS-XF
> >
> > [QM-ESP-3DES-SHA-PFS-XF]
> > TRANSFORM_ID=			3DES
> > ENCAPSULATION_MODE=		TUNNEL
> > AUTHENTICATION_ALGORITHM=	HMAC_SHA
> > GROUP_DESCRIPTION=		MODP_1024
> > Life=				LIFE_600_SECS
> >
> > [QM-ESP-DES-MD5-SUITE]
> > Protocols=			QM-ESP-DES-MD5
> >
> > #######################
> > # End Listed Transforms
> > #######################
> >
> > [LIFE_600_SECS]
> > LIFE_TYPE=		SECONDS
> > LIFE_DURATION=		600,450:720
> >
> > [LIFE_3600_SECS]
> > LIFE_TYPE=		SECONDS
> > LIFE_DURATION=		3600,1800:7200
> >
> > [LIFE_1000_KB]
> > LIFE_TYPE=		KILOBYTES
> > LIFE_DURATION=		1000,768:1536
> >
> > [LIFE_32_MB]
> > LIFE_TYPE=		KILOBYTES
> > LIFE_DURATION=		32768,16384:65536
> >
> > [LIFE_4.5_GB]
> > LIFE_TYPE=		KILOBYTES
> > LIFE_DURATION=		4608000,4096000:8192000
> >
> > # Certificates stored in PEM format
> > [X509-certificates]
> > CA-directory=		/etc/isakmpd/ca/
> > Cert-directory=		/etc/isakmpd/certs/
> > #Accept-self-signed=	defined
> > Private-key=		/etc/isakmpd/private/local.key
> >
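Patrick's AH point, in runnable form. This is an added example, not code from the thread, from isakmpd or from the secureops.com docs: a toy model of the AH and ESP integrity checks (HMAC-SHA1 truncated to 96 bits, as RFC 2404 specifies, over a deliberately simplified outer header of source, destination and TTL), with the packet crossing one hop that decrements the TTL and, optionally, a static NAT that rewrites the source address. The key, addresses and payload are constructed for the demo. The mechanism it shows is slightly different from "NAT strips off AH": the NAT box only rewrites the outer source address, but AH's ICV covers that address, so the receiver's recomputed ICV no longer matches, while ESP's ICV starts at the ESP header and never sees the outer address, which is why Chris's static 1:1 NAT could work with ESP tunnel mode.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

# Constructed demo key; a real SA key is derived from the IKE exchange.
KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int
    payload: bytes  # ESP: ESP header + ciphertext.  AH: everything after the AH header.


def outer_header(pkt, zero_mutable):
    """Minimal outer IPv4 header: src, dst, ttl.  AH computes its ICV with the
    mutable fields (TTL here) zeroed, so plain routing alone does not break it."""
    ttl = 0 if zero_mutable else pkt.ttl
    return (ipaddress.IPv4Address(pkt.src).packed
            + ipaddress.IPv4Address(pkt.dst).packed
            + bytes([ttl]))


def ah_icv(pkt):
    """AH: HMAC over the outer IP header (immutable fields) plus what follows it."""
    covered = outer_header(pkt, zero_mutable=True) + pkt.payload
    return hmac.new(KEY, covered, hashlib.sha1).digest()[:12]


def esp_icv(pkt):
    """ESP: HMAC over ESP header and ciphertext only; the outer IP header is not covered."""
    return hmac.new(KEY, pkt.payload, hashlib.sha1).digest()[:12]


ICV = {"AH": ah_icv, "ESP": esp_icv}


def forward(pkt, nat_public=None):
    """Model one hop: decrement TTL; with a static NAT in the path, also rewrite src."""
    return replace(pkt, src=nat_public or pkt.src, ttl=pkt.ttl - 1)


def delivered_ok(protocol, nat=True):
    """Sender computes the ICV, the packet crosses a router (optionally a NAT),
    the receiver recomputes the ICV over what arrived.  True if they still match."""
    sent = Packet("192.168.0.1", "203.0.113.10", 64, b"\x00" * 8 + b"ciphertext...")
    icv = ICV[protocol](sent)
    arrived = forward(sent, nat_public="198.51.100.5" if nat else None)
    return hmac.compare_digest(ICV[protocol](arrived), icv)


if __name__ == "__main__":
    for proto in ("AH", "ESP"):
        print(f"{proto}: no NAT -> {delivered_ok(proto, nat=False)}, "
              f"static NAT -> {delivered_ok(proto, nat=True)}")
```

Two practical caveats follow from the same model. A many-to-one NAT (PAT) has no ports to multiplex ESP on, so only a static 1:1 translation like Chris's works without UDP encapsulation (NAT-T, RFC 3948), which did not exist when this thread was written. And in IKEv1 main mode with a pre-shared key the default identity is the local IP address, so the host behind the NAT presents its private address while its peer sees packets from the public one; that is the identity mismatch Patrick's "use the translated NAT address" advice works around.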

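Before blaming the NAT, the two posted configs can be checked mechanically for the kinds of mismatch that make a proposal unacceptable to the other side: sections that are named but never defined, and Phase 2 identities that do not mirror between the peers. The following checker is an added example, not isakmpd's code and not the poster's; the two config strings are cut-down reconstructions of the posted ones with documentation-range addresses, and REF_KEYS is my own list of the isakmpd.conf keys whose values name other sections. As posted, Host A's QM-ESP-DES-MD5-SUITE points at a QM-ESP-DES-MD5 section that does not appear in the post, and Host B's Local-ID (Net-B, 172.16.0.0/16) is the same network as Host A's Local-ID (Net-A, 172.16.0.0/16), so both gateways claim the same network as local; the checker flags both.

```python
import ipaddress
import re

# Constructed isakmpd.conf fragments, cut down to the sections the checks need
# and modelled on the configs posted above (documentation addresses, not real).
HOST_A = """
[Phase 2]
Connections=    HostA-HostB
[HostB]
Address=        198.51.100.5
[HostA-HostB]
ISAKMP-peer=    HostB
Configuration=  Default-quick-mode
Local-ID=       Net-A
Remote-ID=      Net-B
[Net-A]
Network=        172.16.0.0
Netmask=        255.255.0.0
[Net-B]
Network=        192.168.0.0
Netmask=        255.255.255.0
[Default-quick-mode]
Suites=         QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols=      QM-ESP-3DES-SHA-PFS
[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID=    IPSEC_ESP
[QM-ESP-DES-MD5-SUITE]
Protocols=      QM-ESP-DES-MD5
"""
# Host B as posted: its Net-B (the Local-ID) is 172.16.0.0/16, the very network
# Host A uses as *its* Local-ID, so the two sides do not mirror each other.
HOST_B = """
[Phase 2]
Connections=    HostB-HostA
[HostB-HostA]
Local-ID=       Net-B
Remote-ID=      Net-A
[Net-A]
Network=        192.168.0.0
Netmask=        255.255.255.0
[Net-B]
Network=        172.16.0.0
Netmask=        255.255.0.0
"""
# Keys whose values name other sections (comma-separated lists allowed).
REF_KEYS = {"Connections", "Configuration", "ISAKMP-peer", "Local-ID",
            "Remote-ID", "Transforms", "Suites", "Protocols", "Life"}


def parse(text):
    """Parse '[Section]' / 'Key= Value' lines into {section: {key: value}}."""
    conf, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = conf.setdefault(m.group(1), {})
        else:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return conf


def dangling_references(conf):
    """Section names that are referenced through a REF_KEYS key but never defined."""
    missing = set()
    for kv in conf.values():
        for key, val in kv.items():
            if key in REF_KEYS:
                missing.update(n.strip() for n in val.split(",") if n.strip() not in conf)
    return sorted(missing)


def phase2_ids(conf):
    """(local, remote) network pair for every connection listed under [Phase 2]."""
    def net(section):
        s = conf[section]
        return ipaddress.ip_network(f"{s['Network']}/{s['Netmask']}", strict=False)
    return [(net(conf[c.strip()]["Local-ID"]), net(conf[c.strip()]["Remote-ID"]))
            for c in conf["Phase 2"]["Connections"].split(",")]


def mirror_mismatches(conf_a, conf_b):
    """A's (local, remote) pairs must equal B's (remote, local) pairs; report the rest."""
    a = set(phase2_ids(conf_a))
    b = {(r, l) for l, r in phase2_ids(conf_b)}
    return sorted(f"{l} <-> {r}" for l, r in a ^ b)


def with_ids_swapped(conf):
    """Copy of conf with Local-ID and Remote-ID exchanged on every Phase 2 connection."""
    fixed = {s: dict(kv) for s, kv in conf.items()}
    for name in fixed["Phase 2"]["Connections"].split(","):
        c = fixed[name.strip()]
        c["Local-ID"], c["Remote-ID"] = c["Remote-ID"], c["Local-ID"]
    return fixed


if __name__ == "__main__":
    a, b = parse(HOST_A), parse(HOST_B)
    print("dangling on A:", dangling_references(a))
    print("ID mismatches:", mirror_mismatches(a, b))
    print("after swapping B's IDs:", mirror_mismatches(a, with_ids_swapped(b)))
```

The mirror check is also the answer to "multiple networks on the tunnel": each extra network pair is another connection name under Connections= with its own Local-ID/Remote-ID sections on both sides, and the check passes only when every pair on one gateway appears reversed on the other.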
VPN is sponsored by SecurityFocus.COM