On Mon, Feb 09, 2004 at 04:56:40PM +1100, Patrick Lesslie wrote:
> I'm trying to get freeswan running on debian stable. The trouble is
> there is a cisco router doing DSL and doing NAT to the debian box,
> which also masquerades to another internal network.
>
> Is anyone successfully running freeswan through a router?
Yes, but it's a hack. The problem is that IPSec requires that both source and destination ports for an IKE connection be UDP 500. Now, with a sane NAT engine (*cough* iptables *cough*) this works, because it tries to keep ports the same as much as possible. However, Ciscos don't - you'll get a source port out of the NAT router in the high range, which your other end will take one look at and go "screw that and the horse it rode in on".

The way to fix it is to configure the Cisco to do port forwarding of UDP 500 to your IPSec machine inside, and initiate the connection from outside to the public interface. That way both source and dest port will be 500, and your IPSec boxes are none the wiser.

Short of making NAT traversal work (and it's a PITA, if only by the fact that there's several different "standards" for doing it), this is the best way if you've got to make it work over a brain-dead NAT device. Naturally, this way won't work for multiple separate VPN endpoints behind your NAT device, but it's better than nothing.

Anyway, if you've got VPN connections flying all over the place, then the network design probably needs to be rethought a little, to accommodate those sorts of things more gracefully...

- Matt

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
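The three situations Matt describes, as an added model that is not part of the thread: a NAT that keeps the inside source port (iptables-style) lets classic IKE through, a NAT that rewrites it into the high range gets the packet rejected by the peer, and a static UDP 500 forward with the outside peer initiating makes both ports 500 again. The `Nat` class, the "debian" host name and the high-range start of 49152 are constructed for the example.

```python
# Added example (not from the thread): model of classic, pre-NAT-traversal IKE,
# where the responder insists on UDP source port 500 and destination port 500.
from dataclasses import dataclass, field

IKE_PORT = 500

def ike_accepts(src_port: int, dst_port: int) -> bool:
    """Pre-NAT-traversal IKE: both UDP ports must be 500 or the peer drops it."""
    return src_port == IKE_PORT and dst_port == IKE_PORT

@dataclass
class Nat:
    preserve_ports: bool                          # iptables-style: reuse the inside port when free
    forwards: dict = field(default_factory=dict)  # public UDP port -> (inside host, port)
    table: dict = field(default_factory=dict)     # (inside host, port) -> public port
    next_high: int = 49152                        # constructed start of the "high range"

    def outbound(self, host: str, port: int) -> int:
        """Translate an inside flow and return the public source port it gets."""
        if (host, port) not in self.table:
            if self.preserve_ports and port not in self.table.values():
                public = port                     # sane NAT: keep 500 as 500
            else:
                public, self.next_high = self.next_high, self.next_high + 1
            self.table[(host, port)] = public
        return self.table[(host, port)]

    def inbound(self, dst_port: int):
        """Map a packet hitting the public side to an inside (host, port), or None."""
        for (host, port), public in self.table.items():
            if public == dst_port:                # reply to an existing translation
                return (host, port)
        return self.forwards.get(dst_port)        # otherwise a static port forward

def inside_initiated(nat: Nat) -> bool:
    """Box behind the NAT sends IKE to the remote peer; does the peer accept it?"""
    src = nat.outbound("debian", IKE_PORT)
    return ike_accepts(src, IKE_PORT)

def outside_initiated(nat: Nat) -> bool:
    """Remote peer sends UDP 500 -> 500 at the NAT's public address."""
    target = nat.inbound(IKE_PORT)
    return target is not None and ike_accepts(IKE_PORT, target[1])
```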
