On Tue, Feb 10, 2004 at 11:00:09AM +1100, Patrick Lesslie wrote:
> On Mon, Feb 09, 2004 at 07:43:37PM +1100, Matthew Palmer wrote:
> > The problem is that IPSec requires that both source and destination ports for
> > an IKE connection be UDP 500. Now, with a sane NAT engine (*cough* iptables
> > *cough*) this works, because it tries to keep ports the same as much as
> > possible. However, Ciscos don't - you'll get a source port out of the NAT
> > router in the high range, which your other end will take one look at and go
> > "screw that and the horse it rode in on".
> >
> > The way to fix it is to configure the Cisco to do port forwarding of UDP 500 to
> > your IPSec machine inside, and initiate the connection from outside to the
> > public interface. That way both source and dest port will be 500, and your
> > IPSec boxes are none the wiser.
> >
> > Short of making NAT traversal work (and it's a PITA, if only by the fact that
> > there's several different "standards" for doing it), this is the best way if
> > you've got to make it work over a brain-dead NAT device. Naturally, this way
> > won't work for multiple separate VPN endpoints behind your NAT device, but it's
> > better than nothing.
>
> Ok, I see what you mean now; since I'm forwarding UDP 500 to one
> machine, that machine is the only VPN endpoint.
>
> > Anyway, if you've got VPN connections flying all over the
> > place, then the network design probably needs to be rethought a little, to
> > accommodate those sorts of things more gracefully...
>
> I'm curious, how are other people doing this?
I don't have to pass through 2 NAT devices, but I can handle only 1.

I use 2.4.22 (from kernel.org), freeswan 2.01-3 (from debian). I use process to make the kernel. It comes with the x509 patch, NAT-T, dead connection check, extra ciphers (AES, ...) and allows for NAT'ing on the box as well.

> Patrick

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
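The port problem the quoted message describes, and why the "port-forward UDP 500 and initiate from outside" workaround covers exactly one inside endpoint, can be checked with a small model. The following is an added example, not code from either poster or from freeswan: the addresses are documentation ranges, the two NAT policies (keep the source port when free, versus always allocate from a high range) stand in for the iptables and Cisco behaviour the message contrasts, and the responder check is the 500/500 constraint it states, relaxed to UDP 4500 for NAT-T.

```python
"""Constructed model of IKE through a source NAT (added example, not from the thread).

Addresses, port ranges and the responder's port check are assumptions chosen to
mirror the behaviour described in the quoted message, not any vendor's real code.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

IKE_PORT = 500      # classic IKE as described: source and destination must both be UDP 500
NAT_T_PORT = 4500   # NAT traversal floats the exchange to UDP 4500 and tolerates rewritten ports


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Source-NAT engine with optional static port forwards for inbound traffic."""

    def __init__(self, public_ip: str, preserve_ports: bool) -> None:
        self.public_ip = public_ip
        self.preserve_ports = preserve_ports   # True: iptables-like; False: high-range rewrite
        self.forwards: Dict[int, str] = {}     # public destination port -> inside host
        self.used: Set[int] = set()
        self.next_high = 40000                 # assumed start of the high port range

    def forward(self, port: int, inside_ip: str) -> None:
        self.forwards[port] = inside_ip

    def outbound(self, p: Packet) -> Packet:
        """Translate inside->outside; keep the source port only if policy allows and it is free."""
        if self.preserve_ports and p.src_port not in self.used:
            port = p.src_port
        else:
            port = self.next_high
            self.next_high += 1
        self.used.add(port)
        return Packet(self.public_ip, port, p.dst_ip, p.dst_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Deliver outside->public only when the destination port has a static forward."""
        inside = self.forwards.get(p.dst_port)
        if inside is None:
            return None
        return Packet(p.src_ip, p.src_port, inside, p.dst_port)


def ike_responder_accepts(p: Packet, nat_t: bool = False) -> bool:
    """The constraint from the thread: 500/500 for classic IKE; NAT-T only needs port 4500."""
    if nat_t:
        return p.dst_port == NAT_T_PORT
    return p.src_port == IKE_PORT and p.dst_port == IKE_PORT


PEER = "203.0.113.1"    # far IPsec gateway (documentation address, assumed)
INSIDE = "10.0.0.2"     # the IPsec box behind the NAT (assumed)


def initiate_from_inside(nat: Nat, nat_t: bool = False) -> bool:
    port = NAT_T_PORT if nat_t else IKE_PORT
    out = nat.outbound(Packet(INSIDE, port, PEER, port))
    return ike_responder_accepts(out, nat_t)


def initiate_from_outside(nat: Nat, inside_ip: str = INSIDE) -> bool:
    """The workaround from the thread: forward UDP 500 inward and let the outside peer start."""
    delivered = nat.inbound(Packet(PEER, IKE_PORT, nat.public_ip, IKE_PORT))
    return (delivered is not None
            and delivered.dst_ip == inside_ip
            and ike_responder_accepts(delivered))


def run_scenarios() -> Dict[str, bool]:
    results: Dict[str, bool] = {}
    results["iptables-like, inside initiates"] = initiate_from_inside(
        Nat("198.51.100.1", preserve_ports=True))
    results["cisco-like, inside initiates"] = initiate_from_inside(
        Nat("198.51.100.1", preserve_ports=False))
    cisco = Nat("198.51.100.1", preserve_ports=False)
    cisco.forward(IKE_PORT, INSIDE)
    results["cisco-like, forwarded, outside initiates"] = initiate_from_outside(cisco)
    # Only one inside host can own the UDP 500 forward, so a second endpoint is left out.
    results["cisco-like, forwarded, second endpoint"] = initiate_from_outside(cisco, "10.0.0.3")
    results["cisco-like, NAT-T"] = initiate_from_inside(
        Nat("198.51.100.1", preserve_ports=False), nat_t=True)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:45s} {'OK' if ok else 'REJECTED'}")
```

Running it shows the four outcomes the thread walks through: the port-preserving NAT works as-is, the high-range rewrite breaks the 500/500 check, the static forward plus outside-initiated exchange repairs it for the single forwarded host only, and NAT-T sidesteps the port check entirely.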
