IPSec behind Firewall

Patrick Ethier patrick at SECUREOPS.COM
Wed Jan 26 10:41:48 EST 2000


Hi,

 I've not tried NAT with ISAKMP myself yet, but here is why I think it may
not work (please, somebody correct me if I am wrong or not totally right so I
can add this to the VPN docs).

 Firstly, which host is behind the NAT and which one has a normal IP with
normal routing? The reason for the question is that the host behind the NAT box
must initiate the Phase 1 security association. Let us call host B the one not
behind the NAT box. It does not need any IP = NAME entries in Phase 1, but it
does need a DEFAULT = NAME entry. The same goes for the Phase 2 section.

You cannot use AH either, the reason being that an IPSec packet looks like
this:

 [IP][AH][ESP] (the ESP encapsulates the packet sent to the internal LAN on
the host A side). NAT strips off [IP][AH] and replaces it with the [IP] of the
NAT box. So, don't use AH with NAT.

As for the rest, you may run into fragmentation issues also.

Try the following conf.

On host B (behind the NAT)

[General]
Normal config
[Phase 1]

default= HOSTA_NAME

[Phase 2]

default= HOSTA_HOSTB

[HOSTA_NAME]
Normal config except the IP address must be that of the translated NAT box
for proper authentication.
(I believe that the Local-Address value does not get transmitted)


[HOSTA_HOSTB]
Normal Config


Let me know what comes up. If someone could give me a more scientific
explanation of the problems with IPSec and NAT, I'd gladly add it to the
VPN doc.

> -----Original Message-----
> From: Chris Goellner [mailto:chris.goellner at corp.bellsouth.net]
> Sent: Tuesday, January 25, 2000 2:47 PM
> To: misc at openbsd.org
> Subject: IPSec behind Firewall
>
>
> I think this question has been asked many times so I'm sorry for asking
> again.
>
> I have two OpenBSD boxes that I want to create a VPN between. I'm using
> the basic config from the man pages and I've read and reread the
> secureops.com pages. I've even gotten one of the gateways to work with
> PGPNet VPN.
>
> The problem is the new gateway is behind a static NAT. I've tried
> every combination of the private and public address to get the two to
> speak but I keep getting NO_PROPOSAL_CHOSEN.
>
> I've checked everything, the policy files match the shared secrets
> and the Phase 1 stuff looks right. My only guess is that the NAT is
> somehow causing a problem.
>
> Can anyone provide any input?
>
> FYI, the NAT is through a Cisco with no ACLs and the tcpdumps look
> right, they show both guys talking to each other.
>
> Config Files Follow (names changed to protect the innocent)
>
> ########
> # Host A
> ########
>
> [General]
> Policy-File=		/etc/isakmpd.policy
> Retransmits=		5
> Exchange-max-time=	120
> Listen-on=		HostA-private
>
> [Phase 1]
> HostB-public=		HostB
>
> [Phase 2]
> Connections=		HostA-HostB
>
> [HostB]
> Phase=			1
> Transport=		udp
> Local-address=		HostA-private
> Address=		HostB-public
> Configuration=		Default-main-mode
> Authentication=		beavis
> Flags=			Stayalive
>
> [HostA-HostB]
> Phase=			2
> ISAKMP-peer=		HostB
> Configuration=		Default-quick-mode
> Local-ID=		Net-A
> Remote-ID=		Net-B
> Flags=			Stayalive
>
> [Net-A]
> ID-type=		IPV4_ADDR_SUBNET
> Network=		172.16.0.0
> Netmask=		255.255.0.0
>
> [Net-B]
> ID-type=		IPV4_ADDR_SUBNET
> Network=		192.168.0.0
> Netmask=		255.255.255.0
>
> [Default-main-mode]
> DOI=			IPSEC
> EXCHANGE_TYPE=		ID_PROT
> Transforms=		3DES-SHA
>
> [Default-quick-mode]
> DOI=			IPSEC
> EXCHANGE_TYPE=		QUICK_MODE
> Suites=			QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
>
> #######################
> # Begin Listed Transforms
> #######################
>
> [3DES-SHA]
> ENCRYPTION_ALGORITHM=           3DES_CBC
> HASH_ALGORITHM=                 SHA
> AUTHENTICATION_METHOD=          ANY
> GROUP_DESCRIPTION=              MODP_1024
> PRF=                            Any
> Life=                           LIFE_3600_SECS
>
> [QM-ESP-3DES-SHA-PFS-SUITE]
> Protocols=                      QM-ESP-3DES-SHA-PFS
>
> [QM-ESP-3DES-SHA-PFS]
> PROTOCOL_ID=                    IPSEC_ESP
> Transforms=                     QM-ESP-3DES-SHA-PFS-XF
>
> [QM-ESP-3DES-SHA-PFS-XF]
> TRANSFORM_ID=                   3DES
> ENCAPSULATION_MODE=             TUNNEL
> AUTHENTICATION_ALGORITHM=       HMAC_SHA
> GROUP_DESCRIPTION=              MODP_1024
> Life=                           LIFE_600_SECS
>
> [QM-ESP-DES-MD5-SUITE]
> Protocols=                      QM-ESP-DES-MD5
>
> #######################
> # End Listed Transforms
> #######################
>
> [LIFE_600_SECS]
> LIFE_TYPE=		SECONDS
> LIFE_DURATION=		600,450:720
>
> [LIFE_3600_SECS]
> LIFE_TYPE=		SECONDS
> LIFE_DURATION=		3600,1800:7200
>
> [LIFE_1000_KB]
> LIFE_TYPE=		KILOBYTES
> LIFE_DURATION=		1000,768:1536
>
> [LIFE_32_MB]
> LIFE_TYPE=		KILOBYTES
> LIFE_DURATION=		32768,16384:65536
>
> [LIFE_4.5_GB]
> LIFE_TYPE=		KILOBYTES
> LIFE_DURATION=		4608000,4096000:8192000
>
> # Certificates stored in PEM format
> [X509-certificates]
> CA-directory=		/etc/isakmpd/ca/
> Cert-directory=		/etc/isakmpd/certs/
> #Accept-self-signed=	defined
> Private-key=		/etc/isakmpd/private/local.key
>
>
> ########
> # Host B
> ########
>
> [General]
> Policy-File=		/etc/isakmpd.policy
> Retransmits=		5
> Exchange-max-time=	120
> Listen-on=		HostB-public
>
> [Phase 1]
> HostA-public=		HostA
>
> [Phase 2]
> Connections=		HostB-HostA
>
> [HostA]
> Phase=			1
> Transport=		udp
> Local-address=		HostB-public
> Address=		HostA-public
> Configuration=		Default-main-mode
> Authentication=		beavis
> Flags=			Stayalive
>
> [HostB-HostA]
> Phase=			2
> ISAKMP-peer=		HostA
> Configuration=		Default-quick-mode
> Local-ID=		Net-B
> Remote-ID=		Net-A
> Flags=			Stayalive
>
> [Net-A]
> ID-type=		IPV4_ADDR_SUBNET
> Network=		192.168.0.0
> Netmask=		255.255.255.0
>
> [Net-B]
> ID-type=		IPV4_ADDR_SUBNET
> Network=		172.16.0.0
> Netmask=		255.255.0.0
>
> [Default-main-mode]
> DOI=			IPSEC
> EXCHANGE_TYPE=		ID_PROT
> Transforms=		3DES-SHA
>
> [Default-quick-mode]
> DOI=			IPSEC
> EXCHANGE_TYPE=		QUICK_MODE
> Suites=			QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-SUITE
>
> #######################
> # Begin Listed Transforms
> #######################
>
> [3DES-SHA]
> ENCRYPTION_ALGORITHM=		3DES_CBC
> HASH_ALGORITHM=			SHA
> AUTHENTICATION_METHOD=		ANY
> GROUP_DESCRIPTION=		MODP_1024
> PRF=				Any
> Life=				LIFE_3600_SECS
>
> [QM-ESP-3DES-SHA-PFS-SUITE]
> Protocols=			QM-ESP-3DES-SHA-PFS
>
> [QM-ESP-3DES-SHA-PFS]
> PROTOCOL_ID=			IPSEC_ESP
> Transforms=			QM-ESP-3DES-SHA-PFS-XF
>
> [QM-ESP-3DES-SHA-PFS-XF]
> TRANSFORM_ID=			3DES
> ENCAPSULATION_MODE=		TUNNEL
> AUTHENTICATION_ALGORITHM=	HMAC_SHA
> GROUP_DESCRIPTION=		MODP_1024
> Life=				LIFE_600_SECS
>
> [QM-ESP-DES-MD5-SUITE]
> Protocols=			QM-ESP-DES-MD5
>
> #######################
> # End Listed Transforms
> #######################
>
> [LIFE_600_SECS]
> LIFE_TYPE=		SECONDS
> LIFE_DURATION=		600,450:720
>
> [LIFE_3600_SECS]
> LIFE_TYPE=		SECONDS
> LIFE_DURATION=		3600,1800:7200
>
> [LIFE_1000_KB]
> LIFE_TYPE=		KILOBYTES
> LIFE_DURATION=		1000,768:1536
>
> [LIFE_32_MB]
> LIFE_TYPE=		KILOBYTES
> LIFE_DURATION=		32768,16384:65536
>
> [LIFE_4.5_GB]
> LIFE_TYPE=		KILOBYTES
> LIFE_DURATION=		4608000,4096000:8192000
>
> # Certificates stored in PEM format
> [X509-certificates]
> CA-directory=		/etc/isakmpd/ca/
> Cert-directory=		/etc/isakmpd/certs/
> #Accept-self-signed=	defined
> Private-key=		/etc/isakmpd/private/local.key
>
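Why AH cannot cross the NAT box, as an added model that is not code from either post or from isakmpd: AH's integrity check covers the outer IP header minus the fields RFC 2402 marks mutable, so the NAT's source-address rewrite invalidates it at the receiver, while ESP's check never covers the outer header at all. The key, the private/public/peer addresses and the ESP body are constructed placeholders, and the AH header's own fields are left out of the protected data to keep the model short.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

# Constructed demo values, not from the post: shared key, the private address of
# the host behind the static NAT, the public address the NAT box rewrites it to,
# and the peer (RFC 5737 documentation ranges).
KEY = b"constructed-demo-key"
HOST_A_PRIVATE, HOST_A_PUBLIC, HOST_B = "172.16.0.1", "198.51.100.10", "203.0.113.20"
# Constructed ESP body: SPI, sequence number, opaque ciphertext.
ESP_BODY = b"\x00\x00\x10\x01\x00\x00\x00\x01" + b"constructed ciphertext bytes"

def ipv4_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header; header checksum left zero for the model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0x1234, 0x4000, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def ah_icv(ip_hdr, protected, key=KEY):
    """AH (RFC 2402) authenticates the outer IP header with the mutable fields
    zeroed (TOS, flags/offset, TTL, checksum) plus everything after it; the
    addresses are immutable fields, so they stay under the ICV (HMAC-SHA1-96)."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\x00\x00"; h[8] = 0; h[10:12] = b"\x00\x00"
    return hmac.new(key, bytes(h) + protected, hashlib.sha1).digest()[:12]

def esp_icv(esp_body, key=KEY):
    """ESP (RFC 2406) authenticates only its own header and payload."""
    return hmac.new(key, esp_body, hashlib.sha1).digest()[:12]

def nat_rewrite_source(ip_hdr, new_src):
    """What the static NAT box does on the way out: swap the source address."""
    return ip_hdr[:12] + IPv4Address(new_src).packed + ip_hdr[16:]

def ah_verifies_after_nat():
    """Host A computes the ICV over its private address; host B recomputes it
    over the translated header it actually received."""
    sent = ipv4_header(HOST_A_PRIVATE, HOST_B, proto=51)          # 51 = AH
    received = nat_rewrite_source(sent, HOST_A_PUBLIC)
    return hmac.compare_digest(ah_icv(sent, ESP_BODY), ah_icv(received, ESP_BODY))

def esp_verifies_after_nat():
    """The same rewrite is invisible to ESP's check, since the outer header is
    not under its ICV (fragmentation and UDP-port issues are separate)."""
    sent = ipv4_header(HOST_A_PRIVATE, HOST_B, proto=50)          # 50 = ESP
    received = nat_rewrite_source(sent, HOST_A_PUBLIC)
    header_changed = received[12:16] != sent[12:16]
    return header_changed and hmac.compare_digest(esp_icv(ESP_BODY), esp_icv(ESP_BODY))
```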
