RE: [WISPA] IPsec/UDP and my border NAT gateway
Marshall,

True IPSec is not NAT friendly. The reason is because the client connects to the VPN Server, whether it was TCP/UDP, and says... I want a VPN Connection. The VPN Server, if it is IPSec, will then create a GRE tunnel directly to the client. The reason it won't work via NAT is because you are modifying the headers of the packet at the NAT device, therefore destroying the integrity of the packet, because the checksums that are sent through (inside the encrypted tunnel) no longer match the packet.

Now, Cisco (and many others) allow for the modification of the header to happen, and ignore the header information. This allows you to NAT the packets to the clients via the Destination NAT rules. You will have to create two rules: one that says DNAT UDP traffic from x.x.x.x port xx to [PUBLIC IP], DNAT to y.y.y.y port xx (use the private IP you are trying to NAT outbound for y.y.y.y). You also need to DNAT (protocol) 47 from x.x.x.x to [PUBLIC IP], DNAT to y.y.y.y. If you do it specifically from the VPN server they are trying to contact, you are still able to do the same IPSec forwarding to other clients.

PPTP is Microsoft's answer to NAT and VPN. It is VPN friendly, but it supposedly is less secure... but it is fine for most businesses, and works WELL behind NAT on either end.

Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of rabbtux rabbtux
Sent: Tuesday, January 16, 2007 1:23 AM
To: WISPA General List
Subject: Re: [WISPA] IPsec/UDP and my border NAT gateway

> I have one rule that I thought would work with all NAT friendly VPNs:
>
>     # Masquerade for wireless 10.10.0.0 (MASQUERADE is a nat-table target, hence -t nat)
>     iptables -t nat -A POSTROUTING -s 10.10.0.0/16 -o ppp0 -j MASQUERADE
>
> So is this Centerbeam VPN not 'NAT friendly'? I don't currently have the option to pass routable IPs to customers :(
>
> On 1/15/07, Frank [EMAIL PROTECTED] wrote:
>
> > I seem to remember specifically allowing this UDP years ago when I used iptables, ipfwm and ipchains. Once these rules were in place, the Cisco VPN (encapsulated inside UDP) worked fine.
> >
> > Frank
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dennis Burgess - 2K Wireless
> > Sent: Monday, January 15, 2007 4:36 PM
> > To: 'WISPA General List'
> > Subject: RE: [WISPA] IPsec/UDP and my border NAT gateway
> >
> > > In case someone didn't say, if they are using CISCO IPSEC, etc, what happens is this.
> > >
> > > 1. Client requests via TCP to start a VPN session
> > > 2. Server sends back UDP packets to start the session
> > > 3. NAT/MASQ blocks these un-authed UDP packets.
> > >
> > > The two answers are:
> > >
> > > 1. Tell the customer to change their CISCO VPN client to TCP, works just as good.
> > > 2. Have the customer pay for a business account and a static IP.
> > >
> > > Those are my options for these customers, I have a number of them.
> > >
> > > Denni
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of rabbtux rabbtux
> > > Sent: Monday, January 15, 2007 1:45 PM
> > > To: WISPA General List
> > > Subject: [WISPA] IPsec/UDP and my border NAT gateway
> > >
> > > > Anyone have suggestions on what I need to do to allow my customer to do this type of VPN. I currently have customers behind my linux/iptables firewall that masquerades them out a single IP. This is the first customer who is having problems. Do I need a special rule to accommodate them??
> > > >
> > > > The customer is using CenterBeam VPN services, and they tell him that, "your isp is blocking VPN pass thru." I'm not blocking anything. help!
> > > >
> > > > Thank you kindly,
> > > > marshall

--
WISPA Wireless List: wireless@wispa.org
Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
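The two Destination NAT rules Eric describes, combined with the masquerade rule from the quoted message, written out as a complete iptables rule set. This is an added example, not code from the thread or from any of the posters. The VPN server address 203.0.113.10, the customer's private address 10.10.5.20 and the UDP port 10000 are constructed placeholders (the thread leaves them as x.x.x.x, y.y.y.y and xx); the UDP 500/4500 and ESP lines cover standard IKE, NAT-T and ESP traffic, which the thread does not name. By default the script only prints the commands (dry run) so the rule set can be reviewed; set IPT=iptables to apply it.

```shell
#!/bin/sh
# Added example: per-customer IPsec passthrough on a masquerading Linux gateway.
# Dry-run by default (prints the commands); run with IPT=iptables to apply.
# Every address and port below is a constructed placeholder, not a value from the thread.

IPT="${IPT:-echo iptables}"

LAN_NET="10.10.0.0/16"     # masqueraded customer range (from the thread)
WAN_IF="ppp0"              # upstream interface (from the thread)
VPN_SERVER="203.0.113.10"  # placeholder: the customer's VPN concentrator
CLIENT_PRIV="10.10.5.20"   # placeholder: the customer's private address
VPN_UDP_PORT="10000"       # placeholder: UDP port the concentrator sends to ("xx" in the thread)

# The masquerade rule already on the gateway. MASQUERADE is a nat-table target.
masquerade_rules() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# What a NAT-friendly IPsec client needs: its own outbound IKE (UDP 500),
# NAT-T (UDP 4500) and ESP, plus the replies conntrack associates with them.
# Nothing inbound is opened unconditionally; only reply traffic comes back.
ipsec_passthrough_rules() {
    $IPT -A FORWARD -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPT -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -p esp -j ACCEPT
}

# Eric's two DNAT rules. Matching on the VPN server's source address keeps the
# redirect specific to this one customer, so other customers can still reach
# other concentrators through the same public IP.
customer_dnat_rules() {
    server="$1"; client="$2"; port="$3"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -s "$server" -p udp --dport "$port" -j DNAT --to-destination "$client:$port"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -s "$server" -p 47 -j DNAT --to-destination "$client"
    # DNATed packets still traverse FORWARD as NEW connections; match the rewritten destination.
    $IPT -A FORWARD -i "$WAN_IF" -s "$server" -d "$client" -p udp --dport "$port" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -s "$server" -d "$client" -p 47 -j ACCEPT
}

# Emit (or apply) the whole rule set in order.
build_ruleset() {
    masquerade_rules
    ipsec_passthrough_rules
    customer_dnat_rules "$VPN_SERVER" "$CLIENT_PRIV" "$VPN_UDP_PORT"
}

build_ruleset
```

Because the PREROUTING rules key on the concentrator's source address, only one customer can be mapped per VPN server: a second customer talking to the same 203.0.113.10 would need a second public IP, which is the limitation Dennis's "static IP" option works around.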
RE: [WISPA] IPsec/UDP and my border NAT gateway
You have to create a rule to allow the GRE tunnel back to your customer from the VPN Server IP. Are you forwarding ALL public IP traffic to his private IP? I believe it is Protocol 47 or something like that. You also need to allow certain UDP ports through, but I don't remember off the top of my head. Do a quick Google on "iptables IPSec NAT" and you should find what you need.

Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of rabbtux rabbtux
Sent: Monday, January 15, 2007 2:45 PM
To: WISPA General List
Subject: [WISPA] IPsec/UDP and my border NAT gateway

> Anyone have suggestions on what I need to do to allow my customer to do this type of VPN. I currently have customers behind my linux/iptables firewall that masquerades them out a single IP. This is the first customer who is having problems. Do I need a special rule to accommodate them??
>
> The customer is using CenterBeam VPN services, and they tell him that, "your isp is blocking VPN pass thru." I'm not blocking anything. help!
>
> Thank you kindly,
> marshall
Re: [WISPA] IPsec/UDP and my border NAT gateway
On Mon, 15 Jan 2007, rabbtux rabbtux wrote:

> Anyone have suggestions on what I need to do to allow my customer to do this type of VPN. I currently have customers behind my linux/iptables firewall that masquerades them out a single IP. This is the first customer who is having problems. Do I need a special rule to accommodate them??

Not a special rule, but there are 2 things that have to be correct for this to work.

1. Your NAT device has to be able to handle IPSEC passthrough.
2. Your customer's VPN client has to handle IPSEC passthrough.

> The customer is using CenterBeam VPN services, and they tell him that, "your isp is blocking VPN pass thru." I'm not blocking anything. help!

Your customer's tech support center is too stupid to tell him what the problem would be. Look here for some information on configuring IPSEC passthrough on Linux iptables:

http://www.linux.org/docs/ldp/howto/VPN-Masquerade-HOWTO.html

--
Butch Evans
Network Engineering and Security Consulting
573-276-2879
http://www.butchevans.com/
My calendar: http://tinyurl.com/y24ad6
Training Partners: http://tinyurl.com/smfkf
Mikrotik Certified Consultant
http://www.mikrotik.com/consultants.html
RE: [WISPA] IPsec/UDP and my border NAT gateway
A Standard Ipsec VPN will use GRE, protocol 47: http://www.iana.org/assignments/protocol-numbers

It's not UDP. It appears that CenterBeam VPN uses Cisco gear: http://newsroom.cisco.com/dlls/prod_121201.html

If this is the case, then they should be able to encapsulate this into UDP or IP, and this should allow the client inside your network to connect. You may need to verify that your iptables rules are allowing any UDP traffic. The Cisco PIX firewalls and their VPN hardware support this type of encapsulation expressly for the purpose of passing through NAT gateways.

If the VPN client is not configured for UDP or TCP, then there is likely nothing you can do, since GRE and NAT are not always friendly to each other. Verify that the Cisco Software VPN client on your customer's PC is set to encapsulate (tunnel) within UDP.

You may need some diagnostic tools like a sniffer (ethereal.com), or use tcpdump within your Linux firewall. Also, logging dropped packets in your iptables firewall may be of assistance.

Thank you

Frank Keeney
Pasadena Networks, LLC
Antennas, Cables and Equipment: http://www.wlanparts.com

-----Original Message-----
From: rabbtux rabbtux

> Anyone have suggestions on what I need to do to allow my customer to do this type of VPN. I currently have customers behind my linux/iptables firewall that masquerades them out a single IP. This is the first customer who is having problems. Do I need a special rule to accommodate them??
>
> The customer is using CenterBeam VPN services, and they tell him that, "your isp is blocking VPN pass thru." I'm not blocking anything. help!
>
> Thank you kindly,
> marshall
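Frank's last suggestion, logging what the firewall drops, is the quickest way to turn "your ISP is blocking VPN pass thru" into evidence. The script below is an added example, not code from the thread: it installs a rate-limited LOG rule on both INPUT and FORWARD (without a DNAT rule, the VPN server's unsolicited packets are addressed to the gateway's own public IP and are evaluated by INPUT, not FORWARD), and then summarizes kernel log lines by source, protocol and destination port. The log lines it parses are constructed samples in the format the iptables LOG target writes; 203.0.113.10, 192.0.2.77 and 198.51.100.7 are placeholder addresses. Like the rule generator, it prints rather than applies unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example: log unsolicited WAN-side traffic the gateway is about to drop,
# then summarize the log to see what a "blocked VPN" actually looks like.
# Dry-run by default; set IPT=iptables to apply. Sample log lines are constructed.

IPT="${IPT:-echo iptables}"
WAN_IF="ppp0"   # upstream interface (from the thread)

# Append a LOG rule to INPUT and FORWARD. Placed after the ACCEPT rules and with
# a DROP policy, it sees only traffic that is about to be discarded. The limit
# match keeps a scan or a chatty VPN server from flooding the kernel log.
log_unsolicited_wan() {
    for chain in INPUT FORWARD; do
        $IPT -A "$chain" -i "$WAN_IF" -m conntrack --ctstate NEW,INVALID \
            -m limit --limit 10/min --limit-burst 20 \
            -j LOG --log-prefix "WAN-DROP: " --log-level 4
    done
}

# Constructed sample of what /var/log/kern.log would then contain. The first
# three lines are the pattern from the thread: a VPN server sending UDP and
# protocol 47 at the public IP with no matching outbound state. The fourth is
# unrelated background noise; the fifth is not a firewall line at all.
SAMPLE_LOG='Jan 15 16:40:02 gw kernel: WAN-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=198.51.100.7 LEN=112 TOS=0x00 PREC=0x00 TTL=54 ID=4021 PROTO=UDP SPT=10000 DPT=10000 LEN=92
Jan 15 16:40:03 gw kernel: WAN-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=198.51.100.7 LEN=112 TOS=0x00 PREC=0x00 TTL=54 ID=4022 PROTO=UDP SPT=10000 DPT=10000 LEN=92
Jan 15 16:40:05 gw kernel: WAN-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4023 PROTO=47
Jan 15 16:40:09 gw kernel: WAN-DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=1 PROTO=TCP SPT=6000 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 15 16:40:10 gw kernel: eth0: link up'

# stdin: syslog lines. stdout: "<count> <src> <proto> <dport>" sorted by count,
# descending. Protocols without ports (GRE shows up as PROTO=47) get "-" for dport.
summarize_drops() {
    grep 'WAN-DROP: ' | awk '{
        src = "?"; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        n[src " " proto " " dpt]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

log_unsolicited_wan
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On the sample the top line is `2 203.0.113.10 UDP 10000`, followed by one protocol-47 packet from the same server: exactly the server-initiated traffic that Dennis's step 3 says NAT/MASQ discards, which is what a DNAT rule for that server (or switching the client to TCP) has to let in. The 445/TCP line from an unrelated host is the kind of noise the firewall is there to drop, and is why the whitelist-everything shortcut should stay narrow.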
RE: [WISPA] IPsec/UDP and my border NAT gateway
In case someone didn't say, if they are using CISCO IPSEC, etc, what happens is this.

1. Client requests via TCP to start a VPN session
2. Server sends back UDP packets to start the session
3. NAT/MASQ blocks these un-authed UDP packets.

The two answers are:

1. Tell the customer to change their CISCO VPN client to TCP, works just as good.
2. Have the customer pay for a business account and a static IP.

Those are my options for these customers, I have a number of them.

Denni

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of rabbtux rabbtux
Sent: Monday, January 15, 2007 1:45 PM
To: WISPA General List
Subject: [WISPA] IPsec/UDP and my border NAT gateway

> Anyone have suggestions on what I need to do to allow my customer to do this type of VPN. I currently have customers behind my linux/iptables firewall that masquerades them out a single IP. This is the first customer who is having problems. Do I need a special rule to accommodate them??
>
> The customer is using CenterBeam VPN services, and they tell him that, "your isp is blocking VPN pass thru." I'm not blocking anything. help!
>
> Thank you kindly,
> marshall
RE: [WISPA] IPsec/UDP and my border NAT gateway
IPSEC uses the GRE, but also traverses UDP. CISCO VPN clients do use UDP; they use GRE to do the establishment sometimes as well. The Cisco VPN client is a pain, regardless, but there is an option for TCP connectivity.

Dennis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank
Sent: Monday, January 15, 2007 5:05 PM
To: 'WISPA General List'
Subject: RE: [WISPA] IPsec/UDP and my border NAT gateway

> A Standard Ipsec VPN will use GRE, protocol 47: http://www.iana.org/assignments/protocol-numbers
>
> It's not UDP. It appears that CenterBeam VPN uses Cisco gear: http://newsroom.cisco.com/dlls/prod_121201.html
>
> If this is the case, then they should be able to encapsulate this into UDP or IP, and this should allow the client inside your network to connect. You may need to verify that your iptables rules are allowing any UDP traffic. The Cisco PIX firewalls and their VPN hardware support this type of encapsulation expressly for the purpose of passing through NAT gateways.
>
> If the VPN client is not configured for UDP or TCP, then there is likely nothing you can do, since GRE and NAT are not always friendly to each other. Verify that the Cisco Software VPN client on your customer's PC is set to encapsulate (tunnel) within UDP.
>
> You may need some diagnostic tools like a sniffer (ethereal.com), or use tcpdump within your Linux firewall. Also, logging dropped packets in your iptables firewall may be of assistance.
>
> Thank you
>
> Frank Keeney
> Pasadena Networks, LLC
> Antennas, Cables and Equipment: http://www.wlanparts.com
>
> -----Original Message-----
> From: rabbtux rabbtux
>
> > Anyone have suggestions on what I need to do to allow my customer to do this type of VPN. I currently have customers behind my linux/iptables firewall that masquerades them out a single IP. This is the first customer who is having problems. Do I need a special rule to accommodate them??
> >
> > The customer is using CenterBeam VPN services, and they tell him that, "your isp is blocking VPN pass thru." I'm not blocking anything. help!
> >
> > Thank you kindly,
> > marshall
RE: [WISPA] IPsec/UDP and my border NAT gateway
I seem to remember specifically allowing this UDP years ago when I used iptables, ipfwm and ipchains. Once these rules were in place, the Cisco VPN (encapsulated inside UDP) worked fine.

Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dennis Burgess - 2K Wireless
Sent: Monday, January 15, 2007 4:36 PM
To: 'WISPA General List'
Subject: RE: [WISPA] IPsec/UDP and my border NAT gateway

> In case someone didn't say, if they are using CISCO IPSEC, etc, what happens is this.
>
> 1. Client requests via TCP to start a VPN session
> 2. Server sends back UDP packets to start the session
> 3. NAT/MASQ blocks these un-authed UDP packets.
>
> The two answers are:
>
> 1. Tell the customer to change their CISCO VPN client to TCP, works just as good.
> 2. Have the customer pay for a business account and a static IP.
>
> Those are my options for these customers, I have a number of them.
>
> Denni
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of rabbtux rabbtux
> Sent: Monday, January 15, 2007 1:45 PM
> To: WISPA General List
> Subject: [WISPA] IPsec/UDP and my border NAT gateway
>
> > Anyone have suggestions on what I need to do to allow my customer to do this type of VPN. I currently have customers behind my linux/iptables firewall that masquerades them out a single IP. This is the first customer who is having problems. Do I need a special rule to accommodate them??
> >
> > The customer is using CenterBeam VPN services, and they tell him that, "your isp is blocking VPN pass thru." I'm not blocking anything. help!
> >
> > Thank you kindly,
> > marshall
Re: [WISPA] IPsec/UDP and my border NAT gateway
I have one rule that I thought would work with all NAT friendly VPNs:

    # Masquerade for wireless 10.10.0.0 (MASQUERADE is a nat-table target, hence -t nat)
    iptables -t nat -A POSTROUTING -s 10.10.0.0/16 -o ppp0 -j MASQUERADE

So is this Centerbeam VPN not 'NAT friendly'? I don't currently have the option to pass routable IPs to customers :(

On 1/15/07, Frank [EMAIL PROTECTED] wrote:

> I seem to remember specifically allowing this UDP years ago when I used iptables, ipfwm and ipchains. Once these rules were in place, the Cisco VPN (encapsulated inside UDP) worked fine.
>
> Frank
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dennis Burgess - 2K Wireless
> Sent: Monday, January 15, 2007 4:36 PM
> To: 'WISPA General List'
> Subject: RE: [WISPA] IPsec/UDP and my border NAT gateway
>
> > In case someone didn't say, if they are using CISCO IPSEC, etc, what happens is this.
> >
> > 1. Client requests via TCP to start a VPN session
> > 2. Server sends back UDP packets to start the session
> > 3. NAT/MASQ blocks these un-authed UDP packets.
> >
> > The two answers are:
> >
> > 1. Tell the customer to change their CISCO VPN client to TCP, works just as good.
> > 2. Have the customer pay for a business account and a static IP.
> >
> > Those are my options for these customers, I have a number of them.
> >
> > Denni
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of rabbtux rabbtux
> > Sent: Monday, January 15, 2007 1:45 PM
> > To: WISPA General List
> > Subject: [WISPA] IPsec/UDP and my border NAT gateway
> >
> > > Anyone have suggestions on what I need to do to allow my customer to do this type of VPN. I currently have customers behind my linux/iptables firewall that masquerades them out a single IP. This is the first customer who is having problems. Do I need a special rule to accommodate them??
> > >
> > > The customer is using CenterBeam VPN services, and they tell him that, "your isp is blocking VPN pass thru." I'm not blocking anything. help!
> > >
> > > Thank you kindly,
> > > marshall
Re: [WISPA] IPsec/UDP and my border NAT gateway
My approach is a little more lazy than most firewall management people provide, I suspect. If a customer isn't able to function within the set of firewall rules that I have set for most of the customers, I add his IP to a whitelist of IP addresses in my firewall. These addresses don't get any firewalling. If the SRC IP or DST IP is in the whitelist range, then the packet gets accepted.

My justification: The main purpose of the firewall is to protect the customer from viruses, vulnerabilities, and the like. It also potentially protects you from things like 'getting your IP range on a spam RBL', but the firewall is mainly to benefit the subscribers. If a customer has gotten this far, he sounds like he has his own NAT firewall at least, and probably doesn't need your protection at the border.

Pete Davis
NoDial.net

rabbtux rabbtux wrote:

> Anyone have suggestions on what I need to do to allow my customer to do this type of VPN. I currently have customers behind my linux/iptables firewall that masquerades them out a single IP. This is the first customer who is having problems. Do I need a special rule to accommodate them??
>
> The customer is using CenterBeam VPN services, and they tell him that, "your isp is blocking VPN pass thru." I'm not blocking anything. help!
>
> Thank you kindly,
> marshall
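Pete's whitelist, "if the SRC IP or DST IP is in the whitelist, the packet gets accepted", maps onto a dedicated iptables chain hooked in front of the normal FORWARD rules. The script below is an added example, not Pete's configuration: the two customer addresses are constructed placeholders, entries are restricted to single /32 hosts so the opt-out stays per customer rather than per range, and it prints the commands unless IPT=iptables is set. One caveat worth keeping in mind: this removes filtering only. A customer behind the masquerade still needs a DNAT rule for traffic the VPN server initiates, because bypassing the filter does not give the NAT table a mapping to deliver it to.

```shell
#!/bin/sh
# Added example: an opt-out chain that skips border filtering for listed hosts.
# Dry-run by default; run with IPT=iptables to apply. Addresses are placeholders.

IPT="${IPT:-echo iptables}"

# One host per line: customers who have asked to be exempted from the border rules.
# Keep these to /32 entries; exempting a whole range exempts every neighbour in it.
WHITELIST='10.10.5.20
10.10.9.3'

# Create the WHITELIST chain, accept forwarded packets whose source OR
# destination is a listed host, fall through for everyone else, and insert
# the chain as the first rule of FORWARD so it runs before the regular policy.
build_whitelist_chain() {
    $IPT -N WHITELIST
    printf '%s\n' "$WHITELIST" | while read -r addr; do
        [ -n "$addr" ] || continue
        $IPT -A WHITELIST -s "$addr/32" -j ACCEPT   # traffic the customer sends
        $IPT -A WHITELIST -d "$addr/32" -j ACCEPT   # traffic addressed to the customer
    done
    $IPT -A WHITELIST -j RETURN                     # not listed: back to normal FORWARD rules
    $IPT -I FORWARD 1 -j WHITELIST
}

build_whitelist_chain
```

Because the chain matches on the private address the packet carries inside the gateway, inbound packets reach it only after PREROUTING has already rewritten the destination; unsolicited traffic to the public IP with no DNAT mapping never enters FORWARD at all, which is the part of the problem the whitelist leaves untouched.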