Hi all,

 I have a very strange problem related to using NAT rules with IPsec
communications. I have two StoneGate FW nodes in front of public ADSL lines.
Behind them, I have a pair of OpenBSD servers used only to serve VPN connections
over the IPsec protocol family (we use isakmpd).

 Ok, where is the problem? The problem appears when I need to NAT the isakmp and
isakmp-nat-t ports on the StoneGate firewalls. If we disable the NAT rule on the StoneGate
firewalls, all works ok: clients can connect via their IPsec clients. But if we enable the NAT rule on the StoneGate firewalls, any client that connects via IPsec gets this error: UNEQUAL_PAYLOAD_LENGTHS.

 My rules on SG firewalls are:

 Access rule:

  - Src: NOT internal networks, Dst: sgfw_public_ip, Ports:
isakmp,isakmp-nat-t, Action: allowed

 Nat Rule:

  - Src: NOT Internal networks, Dst: sgfw_public_ip, Ports: isakmp,
isakmp-nat-t, Destination: openbsd_fws (carp interface), Ports: same as source.

 In the OpenBSD sysctl.conf file I have enabled these options:

 net.inet.esp.enable=1
 net.inet.ah.enable=0
 net.inet.esp.udpencap=1
 net.inet.ipcomp.enable=1

 Do I need to do something else? I know that it isn't an OpenBSD problem,
or at least I think so. But I need to deploy this infrastructure as soon as possible.

 Many thanks for your help.



--
CL Martinez
carlopmart {at} gmail {d0t} com
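The UNEQUAL_PAYLOAD_LENGTHS error the post mentions is the ISAKMP notify type (RFC 2408) a responder sends when the message it received does not add up: the length in the ISAKMP header does not match the datagram, or the chain of payload lengths does not end exactly at the end of the message. The following Python is an added diagnostic example, not code from the poster, from isakmpd or from StoneGate; it builds a constructed ISAKMP datagram and runs the same length checks a responder performs, including the 4-byte non-ESP marker that RFC 3948 puts in front of IKE on UDP/4500. All cookies, payload contents and the `build_isakmp` / `validate_isakmp` names are constructed for the example. The `dst_port` argument is the UDP port the message was delivered to, which is what matters when a NAT rule rewrites ports between 500 and 4500.

```python
import struct

ISAKMP_HDR_LEN = 28                  # RFC 2408 s3.1 fixed header
GENERIC_HDR_LEN = 4                  # next payload, reserved, payload length
NON_ESP_MARKER = b"\x00\x00\x00\x00" # RFC 3948 s2.2: IKE on UDP/4500 is prefixed with 4 zero bytes
PORT_ISAKMP, PORT_NAT_T = 500, 4500
HEADER_FMT = "!8s8sBBBBII"           # i-cookie, r-cookie, next, version, exch, flags, msgid, length


def build_isakmp(payloads, nat_t=False, length_override=None):
    """Build a constructed ISAKMP datagram from (payload_type, data) pairs.

    length_override forges a wrong header length, the kind of frame a
    responder answers with UNEQUAL_PAYLOAD_LENGTHS. nat_t=True prepends the
    non-ESP marker as a sender on UDP/4500 would.
    """
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        next_ptype = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", next_ptype, 0, GENERIC_HDR_LEN + len(data)) + data
    first = payloads[0][0] if payloads else 0
    total = ISAKMP_HDR_LEN + len(body)
    hdr = struct.pack(HEADER_FMT,
                      b"\x11" * 8, b"\x00" * 8,  # constructed cookies; responder cookie unset
                      first, 0x10, 2, 0, 0,       # version 1.0, exchange 2 = identity protection
                      total if length_override is None else length_override)
    msg = hdr + body
    return NON_ESP_MARKER + msg if nat_t else msg


def validate_isakmp(datagram, dst_port):
    """Return (ok, reason), mirroring the checks a responder makes before
    it looks at any payload content."""
    if dst_port == PORT_NAT_T:
        # On 4500 an IKE message must carry the marker; ESP-in-UDP starts with a non-zero SPI
        if not datagram.startswith(NON_ESP_MARKER):
            return False, "port 4500 datagram without non-ESP marker (ESP-in-UDP or port mis-translation)"
        datagram = datagram[len(NON_ESP_MARKER):]
    elif dst_port != PORT_ISAKMP:
        return False, f"unexpected UDP port {dst_port}"
    if len(datagram) < ISAKMP_HDR_LEN:
        return False, "short header"
    _, _, next_ptype, version, _, _, _, hdr_len = struct.unpack(HEADER_FMT, datagram[:ISAKMP_HDR_LEN])
    if version >> 4 != 1:
        # A 4500 frame delivered to 500 keeps its marker, so the header is read 4 bytes off
        return False, f"unsupported major version {version >> 4} (header misaligned?)"
    if hdr_len != len(datagram):
        return False, f"UNEQUAL_PAYLOAD_LENGTHS: header says {hdr_len}, datagram is {len(datagram)}"
    # Walk the payload chain; every payload must fit and the chain must end at the datagram end
    offset = ISAKMP_HDR_LEN
    while next_ptype != 0:
        if offset + GENERIC_HDR_LEN > len(datagram):
            return False, "UNEQUAL_PAYLOAD_LENGTHS: payload chain runs past end of datagram"
        nxt, _, plen = struct.unpack("!BBH", datagram[offset:offset + GENERIC_HDR_LEN])
        if plen < GENERIC_HDR_LEN or offset + plen > len(datagram):
            return False, f"UNEQUAL_PAYLOAD_LENGTHS: payload type {next_ptype} length {plen} at offset {offset}"
        offset += plen
        next_ptype = nxt
    if offset != len(datagram):
        return False, f"UNEQUAL_PAYLOAD_LENGTHS: {len(datagram) - offset} trailing bytes after last payload"
    return True, "ok"


# Constructed sample: an SA payload (type 1) followed by a Vendor ID payload (type 13)
SAMPLE_PAYLOADS = [(1, b"\x00" * 8), (13, b"OpenBSD isakmpd")]

if __name__ == "__main__":
    good = build_isakmp(SAMPLE_PAYLOADS)
    print("port 500, clean:      ", validate_isakmp(good, PORT_ISAKMP))
    print("port 4500, with marker:", validate_isakmp(build_isakmp(SAMPLE_PAYLOADS, nat_t=True), PORT_NAT_T))
    print("forged header length: ", validate_isakmp(build_isakmp(SAMPLE_PAYLOADS, length_override=60), PORT_ISAKMP))
    print("truncated in transit: ", validate_isakmp(good[:-5], PORT_ISAKMP))
    print("4500 frame sent to 500:", validate_isakmp(build_isakmp(SAMPLE_PAYLOADS, nat_t=True), PORT_ISAKMP))
    print("500 frame sent to 4500:", validate_isakmp(good, PORT_NAT_T))
```

When chasing an error like this behind a NAT device, the useful comparison is the datagram as it leaves the firewall versus the one isakmpd receives: the same bytes on the same port should validate identically on both sides, and the last two cases above show what a port-only rewrite between 500 and 4500 looks like to the responder.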
