> Date: Sun, 5 Mar 2000 10:02:01 -0600
> From: "Pat Hayden" <[EMAIL PROTECTED]>
> Subject: RE: VPN software behind ipchains
> 
> I tried to set up ipchains with the firewall
> wide open, and allowed ALL traffic to and from the network.  BUT, I suspect
> that somehow IPSEC checksums are being corrupted in the process of NAT,
> because even with the firewall wide open, I could not get a connection.  If
> I wanted the extranet connection full time, I would look into setting up the
> firewall for branch tunnelling, but what I really need is an on-demand
> solution.

        Warning: I've set up PPTP through Linux firewalls, but not IPSec.  The
following is probably pretty close to correct, but I could be wrong on a
few details.

        Although Linux supports (static) NAT, most people aren't using it --
they are using "masquerading" instead.  Special masquerading code is
needed for PPTP or IPSec masquerading; see
http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html.  The standard
masquerading code only forwards TCP and UDP packets.  IPSec does use UDP
protocol port 500 packets, but it also uses either ESP or AH protocol
packets.  The standard masquerading code can't handle ESP or AH; VPN
masquerading adds ESP support.  AH cannot be handled with
masquerading/NAT since it uses checksums on the entire packet, including
the IP header, and any rewriting of the header by masquerading or NAT
will make the packet invalid.  Apparently most IPSec VPNs use ESP.

        Using static NAT instead of VPN masquerading also works (with ESP, not
AH).  This requires a separate IP address from the general firewall IP
address; VPN masquerading can share the firewall IP address.

        See also http://www.freeswan.org for a Linux based IPSec
implementation.

-- 
Wes Chalfant              Peabody Systems             [EMAIL PROTECTED]
                          (714) 639-8643              FAX (714) 639-2817
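The reply above explains why masquerading can carry ESP but not AH: the AH integrity check covers the IP header (source and destination addresses included), so a firewall that rewrites the source address invalidates it even when it recomputes the ordinary IP header checksum correctly, whereas ESP's integrity check covers only the ESP payload. The following Python model is an added illustration, not code from the list posting, FreeS/WAN or the VPN-Masquerade HOWTO. It assumes a simplified AH/ESP integrity calculation (HMAC-SHA-256 truncated to 96 bits in place of the HMAC-MD5-96/HMAC-SHA-1-96 of the era, mutable IP fields zeroed as AH does, no AH header bytes), and all keys and addresses are constructed for the example.

```python
"""Why AH breaks under masquerading/NAT while ESP survives (added model).

Simplified: the AH ICV is computed over the IP header with the mutable
fields zeroed (TOS, flags/fragment offset, TTL, header checksum) plus the
payload; the addresses are immutable and therefore authenticated.  The
ESP ICV covers only the ESP payload, never the outer IP header.
"""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-example-integrity-key"  # SA key, constructed for the example


def ip_checksum(header: bytes) -> int:
    """One's-complement IPv4 header checksum over a 20-byte header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header (no options) with a valid header checksum."""
    fields = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def header_checksum_ok(ip_header: bytes) -> bool:
    """A received header checksums correctly when the folded sum is all ones."""
    return ip_checksum(ip_header) == 0


def ah_icv(ip_header: bytes, payload: bytes) -> bytes:
    """AH-style ICV: HMAC over the IP header (mutable fields zeroed) plus payload."""
    h = bytearray(ip_header)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    # Bytes 12-19 (source/destination addresses) stay: AH authenticates them.
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:12]


def esp_icv(payload: bytes) -> bytes:
    """ESP-style ICV: covers the ESP payload only, not the outer IP header."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:12]


def masquerade(ip_header: bytes, new_src: str) -> bytes:
    """Rewrite the source address and recompute the IP checksum, as masquerading does."""
    h = bytearray(ip_header)
    h[12:16] = socket.inet_aton(new_src)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def simulate() -> dict:
    """Host behind the firewall sends an AH and an ESP packet; the firewall
    masquerades the source; the peer verifies each ICV on what it received."""
    inside, public, peer = "192.168.1.10", "198.51.100.1", "203.0.113.5"  # constructed
    payload = b"constructed ESP/AH payload bytes"
    ah_hdr = build_ipv4_header(inside, peer, 51, len(payload))   # IP protocol 51 = AH
    esp_hdr = build_ipv4_header(inside, peer, 50, len(payload))  # IP protocol 50 = ESP
    sent_ah, sent_esp = ah_icv(ah_hdr, payload), esp_icv(payload)

    ah_hdr_nat = masquerade(ah_hdr, public)
    esp_hdr_nat = masquerade(esp_hdr, public)

    return {
        # The rewritten headers are valid IP packets as far as the IP layer cares...
        "ip_checksum_ok_after_nat": header_checksum_ok(ah_hdr_nat) and header_checksum_ok(esp_hdr_nat),
        # ...but AH notices the changed source address, ESP does not.
        "ah_verifies_after_nat": hmac.compare_digest(ah_icv(ah_hdr_nat, payload), sent_ah),
        "esp_verifies_after_nat": hmac.compare_digest(esp_icv(payload), sent_esp),
        "ah_verifies_without_nat": hmac.compare_digest(ah_icv(ah_hdr, payload), sent_ah),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

The same reasoning is why the "wide open" ruleset in the quoted question did not help: opening the chains lets protocol 50/51 packets through, but masquerading still rewrites the source address, so an AH-protected session fails its integrity check at the far end regardless of how permissive the filter is, and ESP only works once the masquerading code knows how to track ESP flows.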