Marshall,

True IPSec is not NAT friendly.  The reason is that the client
connects to the VPN Server, whether over TCP or UDP, and says...I want a
VPN Connection.  The VPN Server, if it is IPSec, will then create a GRE
tunnel directly to the client.  The reason it won't work via NAT is
that you are modifying the headers of the packet at the NAT device,
therefore destroying the integrity of the packet, because the checksums
that are sent through (inside the encrypted tunnel) no longer match the
packet.

Now, Cisco (and many others) allow for the modification of the header to
happen, and ignore the header information.  This allows you to NAT the
packets to the clients via the Destination NAT rules.

You will have to create two rules, one that says DNAT UDP traffic from
x.x.x.x port xx to [PUBLIC IP] DNAT to y.y.y.y port xx (use the private
IP you are trying to NAT outbound for y.y.y.y).  You also need to DNAT
(protocol) 47 from x.x.x.x to [PUBLIC IP] DNAT to y.y.y.y.  If you do it
specifically from the VPN server they are trying to contact, you are
still able to do the same IPSec forwarding to other clients.

PPTP is Microsoft's answer to NAT and VPN.  It is VPN friendly, but it
"Supposedly" is less secure...but it is fine for most businesses, and
works WELL behind NAT on either end.

Eric
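
The two DNAT rules Eric lays out, written up as an added example for this thread (not Eric's or Centerbeam's configuration): every address, the UDP port 4500 and the interface name are assumed placeholders, and the FORWARD ACCEPT lines are an assumption beyond the two rules Eric lists.

```shell
#!/bin/sh
# Added example (not from the thread): the two DNAT rules described above,
# next to the MASQUERADE rule already in place. Every address and port is an
# assumed placeholder; override them through the environment.
VPN_SERVER="${VPN_SERVER:-192.0.2.10}"   # assumed: the VPN server (x.x.x.x)
PUBLIC_IP="${PUBLIC_IP:-203.0.113.5}"    # assumed: the gateway's public IP
CLIENT_IP="${CLIENT_IP:-10.10.4.20}"     # assumed: customer's private IP (y.y.y.y)
UDP_PORT="${UDP_PORT:-4500}"             # assumed: UDP port the VPN uses (port xx)
WAN_IF="${WAN_IF:-ppp0}"                 # border interface, as in the masquerade rule
IPT="${IPT:-iptables}"                   # set IPT=echo to print rules instead

# Emit one iptables argument list per line; nothing is applied here.
nat_rules() {
  # Existing outbound masquerade for the wireless subnet (needs -t nat).
  printf '%s\n' "-t nat -A POSTROUTING -s 10.10.0.0/16 -o $WAN_IF -j MASQUERADE"
  # Rule 1: UDP from the VPN server to the public IP is sent to the customer.
  printf '%s\n' "-t nat -A PREROUTING -i $WAN_IF -p udp -s $VPN_SERVER -d $PUBLIC_IP --dport $UDP_PORT -j DNAT --to-destination $CLIENT_IP:$UDP_PORT"
  # Rule 2: IP protocol 47 has no ports, so only source and destination match.
  printf '%s\n' "-t nat -A PREROUTING -i $WAN_IF -p 47 -s $VPN_SERVER -d $PUBLIC_IP -j DNAT --to-destination $CLIENT_IP"
  # Assumed: the FORWARD chain must also accept what was just translated
  # (matters when the FORWARD policy is DROP).
  printf '%s\n' "-A FORWARD -i $WAN_IF -p udp -s $VPN_SERVER -d $CLIENT_IP --dport $UDP_PORT -j ACCEPT"
  printf '%s\n' "-A FORWARD -i $WAN_IF -p 47 -s $VPN_SERVER -d $CLIENT_IP -j ACCEPT"
}

# Apply each rule (or, with IPT=echo, print it as a dry run).
apply_rules() {
  nat_rules | while read -r rule; do
    # shellcheck disable=SC2086  # word splitting of $rule is intended
    $IPT $rule
  done
}

# Usage: IPT=echo sh dnat_vpn.sh apply   (dry run, prints the five rules)
case "${1:-}" in
  apply) apply_rules ;;
esac
```

Because each pair of rules sends everything that VPN server returns to the public IP to one private address, it serves one customer per VPN server per public IP; a second customer reaching the same server would need another public IP.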


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of rabbtux rabbtux
Sent: Tuesday, January 16, 2007 1:23 AM
To: WISPA General List
Subject: Re: [WISPA] IPsec/UDP and my border NAT gateway

I have one rule that I thought would work with all NAT friendly vpns:

# Masquerade for wireless 10.10.0.0 (POSTROUTING lives in the nat table)
iptables -t nat -A POSTROUTING -s 10.10.0.0/16 -o ppp0 -j MASQUERADE

So is this Centerbeam VPN not 'NAT friendly'?   I don't currently have
the option to pass routable IPs to customers :(

On 1/15/07, Frank <[EMAIL PROTECTED]> wrote:
> I seem to remember specifically allowing this UDP years ago when I
> used iptables, ipfwadm and ipchains.
>
> Once these rules were in place, the Cisco VPN (encapsulated inside
> UDP) worked fine.
>
> Frank
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Dennis
> > Burgess - 2K Wireless
> > Sent: Monday, January 15, 2007 4:36 PM
> > To: 'WISPA General List'
> > Subject: RE: [WISPA] IPsec/UDP and my border NAT gateway
> >
> > In case someone didn't say, if they are using CISCO IPSEC,
> > etc., what happens is this.
> >
> > 1. Client requests via TCP to start a VPN session
> > 2. Server sends back UDP packets to start the session
> > 3. NAT/MASQ blocks these un-authed UDP packets.
> >
> > The two answers are:
> >
> > 1. Tell the customer to change their CISCO VPN client to TCP; it
> > works just as well.
> > 2. Have the customer pay for a business account and a static IP.
> >
> > Those are my options for these customers, I have a number of them.
> >
> > Denni
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On
> > Behalf Of rabbtux rabbtux
> > Sent: Monday, January 15, 2007 1:45 PM
> > To: WISPA General List
> > Subject: [WISPA] IPsec/UDP and my border NAT gateway
> >
> > Anyone have suggestions on what I need to do to allow my customer to
> > do this type of VPN?  I currently have customers behind my
> > linux/iptables firewall that masquerades them out a single IP.  This
> > is the first customer who is having problems.  Do I need a special
> > rule to accommodate them?
> >
> > The customer is using CenterBeam VPN services, and they tell him that,
> > "your isp is blocking VPN pass thru".   I'm not blocking anything.
> > help!
> >
> > Thank you kindly,
> > marshall
> > --
> > WISPA Wireless List: wireless@wispa.org
> >
> > Subscribe/Unsubscribe:
> > http://lists.wispa.org/mailman/listinfo/wireless
> >
> > Archives: http://lists.wispa.org/pipermail/wireless/