[VPN] Not another NAT question.. Yes I'm Sorry

Clinton Sigmon casigmon at cryptek.com
Tue Jul 13 14:53:29 EDT 2004


Neo

Having a public block behind your NAT box should not affect anything.  The 
only time you might see a problem is when your dest is actually those 
addresses on the net: instead of going to your default gw you will hit 
those addresses locally.  You would want to change this in the near future.

Let me go over what I understand, just in case my thought process is off.

- you have 2 Netscreen IPsec clients behind a Netgear VPN/router 
connecting to another VPN termination somewhere in the world

- the Netscreen clients and the other VPN termination point are actually 
the ones creating the tunnel.  The Netgear is simply the NAT router for 
the clients and its VPN functionality is turned off.

After looking at your log it's pretty apparent that the Netgear is not 
PAT'ing the packets.  It's leaving the UDP source port unmolested, which 
would be fine if you had a single IPsec device behind the NAT box.  When 
both send encrypted traffic through the NAT router, they both look 
identical on the WAN except maybe for the IPID and TTL, but the NAT 
device does not use these fields to map traffic back.  The NAT router 
usually uses the translated source port and destination IP for this process.


Things I would confirm:

* confirm VPN passthrough is checked on the Netgear -> this 
might/should/hopefully/better actually force the Netgear to use PAT.

* disable all VPN features of the Netgear

Do the following after you confirm VPN passthrough is checked:

* put an analyzer somewhere in front of the WAN interface and capture
   packets.  A UDP-E NAT-T packet will USUALLY have all 0's in the
   INITIATOR COOKIE field; it's the 8 bytes after the UDP header checksum.
   Also confirm the source port of the packets after they leave the
   Netgear.

* call Netgear and ask them whether they support more than one IPsec device 
behind your particular NAT router


If all else fails try using a different NAT router.  If nobody likes 
OpenBSD :-), try m0n0wall: based on FreeBSD, boots off CD-ROM, 
configurable via web, has lots of good features (IPsec, full control 
over IPF rules, etc.).

Sorry for the novel!!!


Clinton Sigmon <casigmon at cryptek.com>
Systems Engineer
Security Engineering
Cryptek, Inc
http://www.cryptek.com
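The collision described in the reply above (two IPsec clients behind one NAT box that leaves the UDP source port untouched, so the second client's mapping replaces the first) and the packet check it recommends (look at the translated source port on the WAN side, and at the zero marker after the UDP header that tells UDP-encapsulated ESP from IKE) can be reproduced with a small simulation. This is an added example, not code from the thread or from Netgear/Netscreen. It assumes a WAN address of 198.51.100.7 and a PAT port range starting at 1024; the IKE and ESP sample bytes are constructed here, not captured. The classifier also covers the later RFC 3948 form on UDP 4500 (4-byte non-ESP marker), which the thread does not discuss; the clients in the thread use the older port-500 form with 8 zero bytes where the initiator cookie would be.

```python
import socket
import struct
from dataclasses import dataclass, replace

IKE_PORT = 500     # IKE and the early draft form of UDP-encapsulated ESP (used by the thread's clients)
NATT_PORT = 4500   # RFC 3947/3948 NAT-T port (not used in the thread; included for completeness)


@dataclass
class Datagram:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def build_ipv4_udp(d: Datagram) -> bytes:
    """Serialise a Datagram as raw IPv4+UDP bytes (constructed test data, not a real capture)."""
    udp = struct.pack("!HHHH", d.sport, d.dport, 8 + len(d.payload), 0) + d.payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(d.src), socket.inet_aton(d.dst))
    return ip + udp


def parse_ipv4_udp(raw: bytes) -> Datagram:
    """Parse raw IPv4 bytes into the UDP datagram an analyzer in front of the WAN port would show."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 17:
        raise ValueError("not UDP")
    sport, dport, ulen, _csum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    return Datagram(socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20]),
                    sport, dport, raw[ihl + 8:ihl + ulen])


def classify(d: Datagram) -> str:
    """Tell IKE from UDP-encapsulated ESP by the zero marker right after the UDP header."""
    p = d.payload
    if IKE_PORT in (d.sport, d.dport):
        # port 500 (draft UDP-encap): 8 zero bytes where the IKE initiator cookie would be => ESP in UDP
        return "udp-encap-esp" if p[:8] == b"\x00" * 8 else "ike"
    if NATT_PORT in (d.sport, d.dport):
        # port 4500 (RFC 3948): 4 zero bytes (non-ESP marker) => IKE; otherwise the SPI comes first => ESP
        return "ike" if p[:4] == b"\x00" * 4 else "udp-encap-esp"
    return "other"


class NatRouter:
    """Toy NAT keyed the way the reply describes: (translated src port, remote ip, remote port) -> LAN endpoint."""

    def __init__(self, wan_ip: str, pat: bool):
        self.wan_ip, self.pat = wan_ip, pat
        self.table = {}          # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.next_port = 1024    # assumed start of the PAT ephemeral range

    def outbound(self, d: Datagram):
        """Translate LAN->WAN; returns (translated datagram, LAN endpoint evicted from the table or None)."""
        existing = [k for k, v in self.table.items() if v == (d.src, d.sport) and k[1:] == (d.dst, d.dport)]
        if existing:
            wan_port = existing[0][0]
        elif self.pat:
            wan_port, self.next_port = self.next_port, self.next_port + 1
        else:
            wan_port = d.sport   # source port left "unmolested": both clients land on the same key
        key = (wan_port, d.dst, d.dport)
        evicted = self.table.get(key)
        if evicted == (d.src, d.sport):
            evicted = None
        self.table[key] = (d.src, d.sport)
        return replace(d, src=self.wan_ip, sport=wan_port), evicted

    def inbound(self, d: Datagram):
        """Map WAN->LAN by the same key, or None if the NAT has no mapping for it."""
        hit = self.table.get((d.dport, d.src, d.sport))
        return None if hit is None else replace(d, dst=hit[0], dport=hit[1])


def run_scenario(pat: bool) -> dict:
    """Both LAN hosts from the posted log send IKE from UDP 500 to the same gateway on UDP 500."""
    nat, gw = NatRouter("198.51.100.7", pat), "1.2.3.4"
    ike = b"\x9a\x2b\xc4\x1d\x55\x6e\x7f\x80" + b"\x00" * 8 + b"\x01\x10\x02\x00"  # constructed IKE header start
    wan_ports, evicted = [], []
    for lan_ip in ("201.1.1.16", "201.1.1.96"):
        out, ev = nat.outbound(Datagram(lan_ip, gw, IKE_PORT, IKE_PORT, ike))
        seen = parse_ipv4_udp(build_ipv4_udp(out))      # the source port check from the reply
        wan_ports.append(seen.sport)
        if ev:
            evicted.append(ev[0])
    # the gateway answers the first client's translated port: which LAN host receives it?
    reply = nat.inbound(Datagram(gw, nat.wan_ip, IKE_PORT, wan_ports[0], ike))
    return {"wan_source_ports": wan_ports, "mappings": len(nat.table),
            "evicted": evicted, "first_reply_delivered_to": reply.dst if reply else None}


if __name__ == "__main__":
    print("no PAT :", run_scenario(pat=False))
    print("PAT    :", run_scenario(pat=True))
    print(classify(Datagram("201.1.1.16", "1.2.3.4", 500, 500, b"\x00" * 8 + b"\x00\x00\x10\x01")))
```

Without PAT the second client's mapping overwrites the first and the gateway's reply for the first client is delivered to the second host, which is exactly the "new user boots out the existing user" symptom; with PAT each client gets its own translated port and both mappings survive.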



Neo wrote:
> Hey CS, I see this in the logs. You're right, each computer does use UDP 500
> for outbound and inbound ports. Below shows when one user connected to the
> VPN and then I had another user connect. NOTE: the source addresses below are
> actual addresses. My client was set up with these as their private IPs. I
> realize they are public. I did not do this. It was done before my time. Maybe
> that has something to do with things not working? I replaced the dest.
> address for security purposes.
> 
> The router has two sections under VPN, one being IKE Policies and the other
> VPN Policies. Maybe something can be configured under those sections,
> which would allow this to work?
> 
> [Tue, 2004-07-13 11:45:06] - UDP Packet - Source:201.1.1.16,500 ,LAN -
> Destination:1.2.3.4,500 ,WAN [Forward] - [Outbound Default rule match]
> 
> [Tue, 2004-07-13 11:47:31] - UDP Packet - Source:201.1.1.96,500 ,LAN -
> Destination:1.2.3.4,500 ,WAN [Forward] - [Outbound Default rule match]
> 
> Joseph Brochu
> Network Administrator
> Transportation Resources, Inc.
> 978-422-7770  x303
> 
> 
> 
> 
> -----Original Message-----
> From: vpn-bounces+neo=thehiddenspot.com at lists.shmoo.com
> [mailto:vpn-bounces+neo=thehiddenspot.com at lists.shmoo.com]On Behalf Of
> Clinton Sigmon
> Sent: Wednesday, July 07, 2004 5:39 PM
> To: Neo
> Cc: vpn at lists.shmoo.com
> Subject: Re: [VPN] Not another NAT question.. Yes I'm Sorry
> 
> 
> Does the Netgear support more than one IPsec device behind it??
> Check the docs.
> 
> I know the old RT311 did not.
> 
> In my previous experience this is what I have seen happen in a working
> environment.
> 
> The NAT'd IPsec client uses UDP-E, basically an ESP packet with a UDP
> header with a source and dest port of 500 (IKE). Usually the NAT device
> will modify the source port as it processes the packet, what Cisco likes
> to call PAT (port address translation).  When it is passed out the
> public side it will have source port > 1024 and dest port of 500.
> 
> For example:
> 
> [NATclientIPSEC] ---> udp(src=500&dst=500) ---> {NAT-Router}
> ---> udp(src>1024&dst=500)
> 
> Sorry for the terrible drawing.
> 
> This is to help the NAT table map the packet back to the private address.
> 
> Your Netgear device might not be modifying the source port, which in
> turn would allow only 1 IPsec device to talk to a single termination
> point.
> 
> I would love to look at a network capture (any format), just take out
> relevant IP info.
> 
> I hope I am on the right track and this helps.  Also look into firmware
> upgrades and documentation on the Netgear, if any are available.
> 
> 
> cs
> 
> 
> 
> Neo wrote:
> 
>>I have a client using a Netgear FVS328 VPN Router.
>>
>>Runs NAT.
>>
>>The internal workstations use the Netscreen Remote VPN client. I cannot get
>>more than one workstation connected at a time. If a user is in and
>>another connects, the new user boots out the existing user and now that
>>user is in.
>>
>>I am trying to understand some things by reading, but if someone could
>>help me out I would very much appreciate it.
>>
>>What I would like to know is, can this router or the VPN client somehow
>>get around this obvious limitation. NAT Traversal?
>>
>>If I have left out any needed info let me know.
>>
>>//
>>
>>
>>
>>_______________________________________________
>>VPN mailing list
>>VPN at lists.shmoo.com
>>http://lists.shmoo.com/mailman/listinfo/vpn
> 