Allowing IPsec through NAT
Hi!
I have SuSE 9.2 running with NAT/MASQUERADE enabled.
It has two network cards:
1) External (on the internet)
2) Local Network
My computer (windows) on my LAN has no trouble accessing ANY services
on any other hosts both internally and externally.
The rules in the iptables firewall are very simple. In effect they block all
incoming traffic except established and related, allow everything from inside
outwards, and NAT it.
When I try to connect the Windows machine to the other VPN peer I get an
indication on both the (external) VPN box and my Windows machine saying that the IKE
handshake is OK and a tunnel is in fact up and running. The VPN box logs
also say that it has discovered NAT "on the other side" (my Windows machine, that is).
The problem is that I can't ping the other side even though the tunnel is up.
This leads me to think that ESP is not handled correctly by my local Linux firewall.
If I connect the Windows PC to the internet I have no problem at all pinging
and generally connecting to the "other side" of the VPN peer.
Thus my question is:
What would my iptables rules have to be in order to make the ESP traffic work?
I've also read that if NAT is in the picture there will be UDP encapsulation of the
traffic. Could this be a problem?
I've read through various VPN and IPsec HOWTOs, trying out different
firewall rules with no success.
The involved equipment is:
Netscreen 5XP (VPN-box at work)
Windows 2000 with Netscreen software.
SuSE Linux 9.2 (NAT).
Hope to hear from you guys!
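The rule set below is an added example, not something the poster or any reply supplied. It shows the forwarding and NAT rules an iptables-based NAT/MASQUERADE box needs for a LAN host to run IPsec to one external peer: IKE on UDP/500, NAT-Traversal on UDP/4500 (the UDP encapsulation the question mentions, which is what the peer falls back to once it detects NAT), and raw ESP (IP protocol 50) for peers that do not use NAT-T. The interface names, LAN subnet and peer address are assumed placeholders, and the existing ESTABLISHED,RELATED rules described in the question are assumed to stay in place. Setting `IPT="echo iptables"` prints the commands instead of installing them, which is how the script behaves when run with no argument.

```shell
#!/bin/sh
# Added example, not part of the original post. Interface names, the LAN
# subnet and the peer address are assumed placeholders; adjust them.
WAN_IF="${WAN_IF:-eth0}"                 # assumed: interface on the internet
LAN_IF="${LAN_IF:-eth1}"                 # assumed: interface on the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed: LAN subnet behind the NAT
VPN_PEER="${VPN_PEER:-203.0.113.10}"     # assumed: public address of the VPN box
# Set IPT="echo iptables" to preview the rules without touching the kernel.
IPT="${IPT:-iptables}"

# Emit (or apply) the rules that let a LAN host run IPsec to $VPN_PEER.
# Stateful ESTABLISHED,RELATED rules for return traffic are assumed to exist
# already, as in the questioner's setup.
ipsec_nat_rules() {
    # IKE negotiation: UDP/500 from the LAN to the peer.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$VPN_PEER" \
         -p udp --dport 500 -j ACCEPT
    # NAT-Traversal: once the peers detect NAT, IKE and the ESP payload move
    # to UDP/4500. Being plain UDP, this is tracked and masqueraded per port,
    # so several LAN hosts can hold tunnels to the same peer.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$VPN_PEER" \
         -p udp --dport 4500 -j ACCEPT
    # Raw ESP (IP protocol 50) for peers without NAT-T. ESP carries no ports,
    # so conntrack keys it on the address pair only and can map replies back
    # to at most one LAN host per peer at a time.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$VPN_PEER" \
         -p esp -j ACCEPT
    # Explicit return path for ESP from the peer to the LAN host that opened
    # the association (after conntrack has reverse-mapped the destination).
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$VPN_PEER" -d "$LAN_NET" \
         -p esp -j ACCEPT
    # Masquerade outbound LAN traffic on the external interface as usual.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# "apply" installs the rules (needs root); anything else just previews them.
case "${1:-}" in
    apply) ipsec_nat_rules ;;
    *)     IPT="echo iptables" ipsec_nat_rules ;;
esac
```

Nothing here opens inbound ports on the NAT box itself: every rule is scoped to traffic between the LAN subnet and the single peer, so the "block all incoming except established and related" policy from the question is unchanged. If more than one LAN host needs a tunnel to the same peer, the raw ESP rules will only ever serve one of them, and NAT-T on UDP/4500 is the path that has to work.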