[VPN] Not another NAT question.. Yes I'm Sorry
Clinton Sigmon
casigmon at cryptek.com
Tue Jul 13 14:53:29 EDT 2004
Neo
Having a public block behind your NAT box should not affect anything. The only time you might see a problem is when your destination is actually those addresses on the net: instead of going to your default gateway you will hit those addresses locally. You would want to change this in the near future.
Let me go over what I understand, just in case my thought process is off:
- you have 2 NetScreen IPsec clients behind a Netgear VPN/router
connecting to another VPN termination somewhere in the world
- the NetScreen clients and the other VPN termination point are actually
the ones creating the tunnel. The Netgear is simply the NAT router for
the clients, and its VPN functionality is turned off.
After looking at your log it's pretty apparent that the Netgear is not PATing the packets. It's leaving the UDP source port unmolested, which would be fine if you had a single IPsec device behind the NAT box. When both send encrypted traffic through the NAT router, they both look identical on the WAN, except maybe for the IP ID and TTL, but the NAT device does not use these fields to map traffic back. The NAT router usually uses the translated source port and destination IP for this process.
Things I would confirm:
* confirm VPN passthrough is checked on the Netgear -> this
might/should/hopefully/better actually force the Netgear to use PAT.
* disable all VPN features of the Netgear
Do the following after you confirm VPN passthrough is checked:
* put an analyzer somewhere in front of the WAN interface and capture
packets. A UDP-E NAT-T packet will USUALLY have all 0's in the
INITIATOR COOKIE field; it's the 8 bytes after the UDP header checksum.
Also confirm the source port of the packets after they leave the
Netgear.
* call Netgear and ask them whether they support more than one IPsec device
behind your particular NAT router
If all else fails, try using a different NAT router. If nobody likes
OpenBSD :-), try m0n0wall: based on FreeBSD, boots off CD-ROM,
configurable via web, has lots of good features (IPsec, full control
over IPF rules, etc.).
Sorry for the novel!!!
Clinton Sigmon <casigmon at cryptek.com>
Systems Engineer
Security Engineering
Cryptek, Inc
http://www.cryptek.com
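Added example, not code from the thread or from Netgear or NetScreen: a small Python model of the NAT behaviour discussed above. Two clients behind one NAT router each send UDP-encapsulated ESP with source and destination port 500 to the same remote gateway. A port-preserving NAT (what the Netgear log shows) keys its table on the translated source port plus the peer, so the second client's flow overwrites the first client's entry and every reply from the gateway lands on the second client, which is exactly the "new user boots out the existing user" symptom. With PAT each inner flow gets its own WAN port and replies map back correctly. It also includes the analyzer check from the post: classifying a UDP/500 payload by whether the first 8 bytes (the initiator cookie position) are all zero, and listing the source ports seen on the WAN. All addresses, SPIs and payload bytes are constructed for the demo; the 8-zero-byte marker follows the description in the post.

```python
"""Why two IPsec-over-UDP clients collide behind a port-preserving NAT.

Added example, not part of the mailing-list thread. All addresses, SPIs
and payload bytes below are constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass

IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def classify_udp500(payload: bytes) -> str:
    """Tell UDP-encapsulated ESP from IKE on UDP/500.

    The check from the post: the encapsulated-ESP packet carries eight zero
    bytes where IKE would carry its initiator cookie (an IKE initiator cookie
    is never all zeros), so the first 8 payload bytes decide it.
    """
    if len(payload) < 8:
        return "short"
    return "udp-encap-esp" if payload[:8] == bytes(8) else "ike"


class Nat:
    """Minimal NAT. pat=False keeps the inner source port on the WAN side
    (what the Netgear log shows); pat=True allocates a fresh WAN port per flow."""

    def __init__(self, wan_ip: str, pat: bool, first_port: int = 1024):
        self.wan_ip = wan_ip
        self.pat = pat
        self.next_port = first_port
        # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.table: dict[tuple[int, str, int], tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN->WAN packet and record the mapping."""
        remote = (pkt.dst_ip, pkt.dst_port)
        inner = (pkt.src_ip, pkt.src_port)
        if self.pat:
            # Reuse an existing mapping for this inner flow, else allocate a new port.
            existing = [k for k, v in self.table.items() if v == inner and k[1:] == remote]
            if existing:
                wan_port = existing[0][0]
            else:
                wan_port = self.next_port
                self.next_port += 1
        else:
            # Port-preserving: a second client using the same source port to the
            # same peer silently overwrites the first client's table entry.
            wan_port = pkt.src_port
        self.table[(wan_port, *remote)] = inner
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Packet | None:
        """Map a WAN->LAN reply back to the LAN host; None means no mapping (dropped)."""
        inner = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inner is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inner[0], inner[1], pkt.payload)


CLIENTS = ("192.168.1.16", "192.168.1.96")  # constructed RFC 1918 LAN hosts
GATEWAY = "198.51.100.7"                    # constructed remote VPN endpoint
WAN_IP = "203.0.113.1"                      # constructed NAT router WAN address
# Constructed UDP-encapsulated ESP payload: 8-byte zero marker, SPI, sequence, ciphertext.
ESP_PAYLOAD = bytes(8) + b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 16


def wan_source_ports(pat: bool) -> list[int]:
    """Source ports an analyzer in front of the WAN interface would see, one per client."""
    nat = Nat(WAN_IP, pat)
    return [nat.outbound(Packet(c, IKE_PORT, GATEWAY, IKE_PORT, ESP_PAYLOAD)).src_port
            for c in CLIENTS]


def simulate(pat: bool) -> dict[str, str | None]:
    """Both clients send ESP to the gateway; the gateway answers each translated
    source. Returns which LAN host actually receives each client's reply."""
    nat = Nat(WAN_IP, pat)
    out = {c: nat.outbound(Packet(c, IKE_PORT, GATEWAY, IKE_PORT, ESP_PAYLOAD)) for c in CLIENTS}
    delivered: dict[str, str | None] = {}
    for c in CLIENTS:
        reply = Packet(GATEWAY, IKE_PORT, nat.wan_ip, out[c].src_port, ESP_PAYLOAD)
        back = nat.inbound(reply)
        delivered[c] = None if back is None else back.dst_ip
    return delivered


if __name__ == "__main__":
    print("payload type:", classify_udp500(ESP_PAYLOAD))
    for pat in (False, True):
        print(f"pat={pat}: WAN src ports={wan_source_ports(pat)}, "
              f"replies delivered to={simulate(pat)}")
```

Running it shows the two cases side by side: without PAT both clients leave the router as 203.0.113.1:500 and both replies are handed to the second client; with PAT they leave as ports 1024 and 1025 and each reply returns to the host that sent the request. On a real capture the same two checks apply: the first 8 payload bytes tell you whether you are looking at encapsulated ESP or IKE, and distinct post-NAT source ports tell you whether the router is actually PATing.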
Neo wrote:
> Hey CS, I see this in the logs. You're right, each computer does use UDP 500
> for outbound and inbound ports. Below shows when one user connected to the
> VPN and then I had another user connect. NOTE: the source addresses below are
> actual addresses. My client was set up with these as their private IPs. I
> realize they are public. I did not do this. It was done before my time. Maybe
> that has something to do with things not working? I replaced the Dest.
> address for security purposes.
>
> The router has two sections under VPN, one being IKE Policies and the other
> VPN Policies. Maybe something can be configured under those sections
> which would allow this to work?
>
> [Tue, 2004-07-13 11:45:06] - UDP Packet - Source:201.1.1.16,500 ,LAN -
> Destination:1.2.3.4,500 ,WAN [Forward] - [Outbound Default rule match]
>
> [Tue, 2004-07-13 11:47:31] - UDP Packet - Source:201.1.1.96,500 ,LAN -
> Destination:1.2.3.4,500 ,WAN [Forward] - [Outbound Default rule match]
>
> Joseph Brochu
> Network Administrator
> Transportation Resources, Inc.
> 978-422-7770 x303
>
> -----Original Message-----
> From: vpn-bounces+neo=thehiddenspot.com at lists.shmoo.com
> [mailto:vpn-bounces+neo=thehiddenspot.com at lists.shmoo.com]On Behalf Of
> Clinton Sigmon
> Sent: Wednesday, July 07, 2004 5:39 PM
> To: Neo
> Cc: vpn at lists.shmoo.com
> Subject: Re: [VPN] Not another NAT question.. Yes I'm Sorry
>
>
> Does the Netgear support more than one IPsec device behind it??
> Check the docs.
>
> I know the old RT311 did not.
>
> In my previous experience this is what I have seen happen in a working
> environment.
>
> The NAT'd IPsec client uses UDP-E, basically an ESP packet with a UDP
> header with a source and dest port of 500 (IKE). Usually the NAT device
> will modify the source port as it processes the packet, what Cisco likes
> to call PAT (port address translation). When it is passed out the
> public side it will have source port > 1024 and dest port of 500.
>
> For example:
>
> [NATclientIPSEC] ---> udp(src=500&dst=500) ---> {NAT-Router}
> ---> udp(src=>1024&dst=500)
>
> Sorry for the terrible drawing.
>
> This is to help the NAT table map the packet back to the private address.
>
> Your Netgear device might not be modifying the source port, which in
> turn would allow only 1 IPsec device to talk to a single termination
> point.
>
> I would love to look at a network capture (any format); just take out
> relevant IP info.
>
> I hope I am on the right track and this helps. Also look into firmware
> upgrades and documentation on the Netgear, if any are available.
>
> cs
>
> Neo wrote:
>
>>I have a client using a Netgear FVS328 VPN Router.
>>
>>Runs NAT.
>>
>>The internal workstations use Netscreen Remote VPN client. I cannot get
>>more than one workstation connected at a time. If a user is in and
>>another connects, the new user boots out the existing user and now that
>>user is in.
>>
>>I am trying to understand some things by reading, but if someone could
>>help me out I would very much appreciate it.
>>
>>What I would like to know is, can this router or the VPN client somehow
>>get around this obvious limitation. NAT Traversal?
>>
>>If I have left out any needed info let me know.
>>
>>//
>>
>>_______________________________________________
>>VPN mailing list
>>VPN at lists.shmoo.com
>>http://lists.shmoo.com/mailman/listinfo/vpn
>