On Fri, 3 Apr 2015 13:47:11 +0000 (UTC)
Scott Bonar <sbo...@gmail.com> wrote:

> I've searched the archives and have not seen a similar issue so
> forgive me if this has already been answered.
> 
> I am running on 3.10.64 kernel and ipsec-tools 0.8.2
> 
> DMVPN using NHRP and IPSec (transport mode) works great until one of
> the spokes is behind a NAT.
> 
> I have IPsec on the hub configured to generate the policy but what I
> am seeing is that when NHRP sends out the registration reply it is
> not getting wrapped by IPsec so that spoke never sees it.
> 
> As you can see below OpenNHRP sees that the registration request has
> been NAT'd.  The address of 10.10.10.2 is the WAN IP address of the
> spoke and 10.0.2.82 is the NAT'd WAN IP address.
> ...
> 
> But for some reason the traffic is not matching these policies.
> 
> The only way I can get it to work is to manually add the following
> policies on the hub which seems like a hack.
> 
> src 0.0.0.0/0 dst 0.0.0.0/0 proto 47 key 1234 
>       dir fwd priority 0 
>       tmpl src 0.0.0.0 dst 0.0.0.0
>               proto esp reqid 0 mode transport
> src 0.0.0.0/0 dst 0.0.0.0/0 proto 47 key 1234 
>       dir in priority 0 
>       tmpl src 0.0.0.0 dst 0.0.0.0
>               proto esp reqid 0 mode transport
> src 0.0.0.0/0 dst 0.0.0.0/0 proto 47 key 1234 
>       dir out priority 0 
>       tmpl src 0.0.0.0 dst 0.0.0.0
>               proto esp reqid 0 mode transport


This is the only setup I've been using. That is, having wildcard 0/0
policies to protect all traffic.

I generally prefer the wildcard policy setup, but I can also understand
that in some circumstances having node-to-node specific policies might
be preferable. Unfortunately I have no experience with that.

/Timo
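The wildcard setup Timo describes amounts to three SPD entries on the hub (dir in, out and fwd), each selecting GRE with the tunnel key and carrying an ESP transport template. The following check script is an added example, not code from the thread or from OpenNHRP: it parses the text of `ip xfrm policy` and reports which of the three directions is missing. The policy dump it runs on is constructed to match the layout quoted above, and the GRE key 1234 is taken from the thread.

```shell
#!/bin/sh
# Added example: verify that a hub's SPD carries the wildcard GRE policies,
# one per direction (in, out, fwd), each with an ESP transport template.
# Input is the text of `ip xfrm policy`; the dump below is constructed.

# Returns 0 when every direction has a matching wildcard policy, else 1
# and prints the directions that are missing.
# $1 = policy dump text, $2 = GRE key (defaults to 1234, as in the thread)
check_wildcard_gre_policies() {
    dump=$1
    key=${2:-1234}
    missing=""
    for d in in out fwd; do
        found=$(printf '%s\n' "$dump" | awk -v dir="$d" -v key="$key" '
            # a selector line starts a new policy; remember its fields
            $1 == "src" { s2 = $2; s4 = $4; s6 = $6; s8 = $8; pol_dir = "" }
            $1 == "dir" { pol_dir = $2 }
            # template line; the selector may print "proto 47" or "proto gre"
            $1 == "proto" && $2 == "esp" && /mode transport/ {
                if (s2 == "0.0.0.0/0" && s4 == "0.0.0.0/0" &&
                    (s6 == "47" || s6 == "gre") && s8 == key && pol_dir == dir)
                    ok = 1
            }
            END { print ok + 0 }')
        [ "$found" = 1 ] || missing="$missing $d"
    done
    if [ -n "$missing" ]; then
        echo "missing wildcard GRE transport policy for dir:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample in the layout `ip xfrm policy` prints.
SAMPLE_SPD='src 0.0.0.0/0 dst 0.0.0.0/0 proto 47 key 1234
    dir fwd priority 0
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0 proto 47 key 1234
    dir in priority 0
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0 proto 47 key 1234
    dir out priority 0
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport'

# Same dump with the fwd policy dropped: the check must fail on it.
SAMPLE_SPD_NO_FWD=$(printf '%s\n' "$SAMPLE_SPD" | tail -n 8)

# Stand-alone run; on a real hub use: check_wildcard_gre_policies "$(ip xfrm policy)"
check_wildcard_gre_policies "$SAMPLE_SPD" && echo "wildcard GRE policies present"
```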


_______________________________________________
opennhrp-devel mailing list
opennhrp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opennhrp-devel