LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
LinkBack Search this Thread
Old 08-23-2005, 11:07 AM   #1
pmcdaid
LQ Newbie
 
Registered: Jun 2004
Posts: 9

Rep: Reputation: 0
IPSec Branch Office tunnel and NAT


Hi,
I have two Redhat linux PC's with the latest Fedora core installed. I want to set up the following network:

eth1 eth0
10.10.10.x------Srvr1----192.168.1.1------+
|
| IPSec Branch Office tunnel.
|
11.11.11.x------Srvr2----192.168.1.2------+
eth1 eth0

I want to turn NAT on eth0 of both Srvr1 and Srvr2.

So all traffic from the 10.10.10.x/24 network is going to get nated to 192.168.1.1 and sent over the network and all traffic from 11.11.11.x/24 is going to get nat'ed to 192.168.1.2

I want the traffic to get NAT'ed and then to go through the IPSec tunnel

On Srvr1 I set up the following SPDs:

192.168.1.2[any] 192.168.1.1[any] any
in ipsec
esp/tunnel/192.168.1.2-192.168.1.1/require
created: Aug 23 17:29:49 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1568 seq=2 pid=20042
refcnt=1
192.168.1.1[any] 192.168.1.2[any] any
out ipsec
esp/tunnel/192.168.1.1-192.168.1.2/require
created: Aug 23 17:29:49 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1561 seq=1 pid=20042
refcnt=1
192.168.1.2[any] 192.168.1.1[any] any
fwd ipsec
esp/tunnel/192.168.1.2-192.168.1.1/require
created: Aug 23 17:29:49 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1578 seq=0 pid=20042
refcnt=1

So I then try a simple ping from Srvr1:
ping -I eth0 192.168.1.2
I can see IPSec trying to set up the tunnel, but no ISAKMP packets are sent over the network. Why is this? Is it because the 192.168.1.2 is in the Remote Accessible Network list? i.e. it can't send the ISAKMP packet as it needs to set up the IPSec tunnel to do this (ala chicken and the egg style!!!)

Is there any way to force packets through the SPDs and out?

Thanks in advance for your responses,
Paul McDaid.
 
Old 08-23-2005, 11:08 AM   #2
pmcdaid
LQ Newbie
 
Registered: Jun 2004
Posts: 9

Original Poster
Rep: Reputation: 0
The connection is from eth0 to eth0 192.168.1.1 -> 192.168.1.2. The graphic didn't come out correctly in the original post.
 
Old 08-24-2005, 05:59 AM   #3
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
Insert the graphic as and use the "review" function to see it works before posting it..
 
Old 08-24-2005, 11:41 AM   #4
pmcdaid
LQ Newbie
 
Registered: Jun 2004
Posts: 9

Original Poster
Rep: Reputation: 0
Microtik Router seems to handle condition

I did some searching on the web today and found this in the following site:

http://www.mikrotik.com/docs/ros/2.8/ip/ipsec

----------------------
IKE Traffic
To avoid problems with IKE packets hit some SPD rule and require to encrypt it with not yet established SA (that this packet perhaps is trying to establish), locally originated packets with UDP source port 500 are not processed with SPD. The same way packets with UDP destination port 500 that are to be delivered locally are not processed in incoming policy check.
---------------------

This seems to be the problem that I'm experiencing. Does anyone know of any patches to the IPSec code that will skip over the SPD for ISAKMP packets (port 500)?
 
Old 08-25-2005, 03:48 AM   #5
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
When you set up IPSEC you will have a separate interface name for the tunnel.
You will need to set up static routes to say where to find each remote from each source so that packets are routed down the tunnel correctly.
This means you don't need to NAT down the ipsec tunnel interface.
 
Old 08-25-2005, 04:22 AM   #6
pmcdaid
LQ Newbie
 
Registered: Jun 2004
Posts: 9

Original Poster
Rep: Reputation: 0
Hi Peter,
The FreeBSD/KAME approach is to use SPD and not static routes to force the traffic down the tunnel. This means that the SPD overrides the routes.

I can use a simpler example where I set the local and remote Accessible networks equal to the endpoint ddresses:


Hi Peter,
The FreeBSD/KAME approach is to use SPD and not static routes to force the traffic down the tunnel. This means that the SPD overrides the routes.

I can use a simpler example where I set the local and remote Accessible networks equal to the endpoint addresses:

|server1|---------------------------|Server2|
192.168.1.1


Server1 eth0 = 192.168.1.1
Server2 eth0 = 192.168.1.2

On Server 1:
Local Endpoint Address = 192.168.1.1
Remote Endpoint Address = 192.168.1.2
Local Accessible Network = 192.168.1.1/255.255.255.255
Remote Accessible Network = 192.168.1.2/255.255.255.255

Server 2 has the settings swapped.

So if I ping from Server1 to Server2. Server1 tries to set up an IPSec tunnel by trying to send it's first ISAKMP packet. However the ISAKMP packet never gets out as it matches the local/remote accessible network (192.168.1.1/192.168.1.2) so the tunnel never gets established.
 
Old 08-25-2005, 05:22 AM   #7
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
This is a common routing problem with VPNs when they have the same subnet at each end..

The long term solution is to change subnet numbers at one site..

A short term solution is to add a second virtual ip number to the pcs receiving the vpn traffic. eg 192.168.3.x at one site & 192.168.4.x at the other..
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
IPsec fails to open tunnel KaMakani Linux - Networking 0 10-12-2005 11:54 PM
IPSec tunnel over multiple interfaces tylerl Linux - Networking 0 07-21-2005 05:07 PM
Problems after IPsec tunnel establishment bkankur Linux - Security 1 03-24-2005 05:42 AM
IPSEC Tunnel behind NAT pssst_yeah_you Linux - Networking 0 06-23-2004 04:54 PM
2.6 IPSEC Tunnel mode gateway mhiggins Linux - Networking 1 02-28-2004 01:50 PM


All times are GMT -5. The time now is 05:16 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration