
Re: Ipsec behind linux FireWall

I was just reading about this this weekend. From my very limited
understanding you cannot have IPSec w/ AH connections that go through
a masqing firewall. There is some problem with the key exchange sequence and
also with the hashes that are generated from the src address, src
port, etc. that are required by AH. The two may be related. I think
that the hash is stored in the payload and there is no way for the
masqing firewall to rewrite that information and not break
AH. Possible solutions are:

1) Do not do masqing on your firewall. If your inside addresses are
routable then you can just use the firewall to limit what can pass
from outside to inside and disable masq.

2) Do not use AH.

3) Have the workstations do regular ol' IPv4 and only do IPSec between
the two gateways. Like this:

Cloud ---> VPN gateway -------><-------- VPN gateway <--- Cloud
       ^                      ^                        ^
      IPv4                  IPSec                     IPv4 

This is all from a quick glance at the VPN and IPSec HOWTOs at
linuxdoc.org. Please read them yourself and ask around because I am
not an expert on IPSec. I think that what I have written is correct
though. Also, there are tradeoffs for 1-3 that I have not

Nathan Valentine - nathan@uky.edu
University of Kentucky Distributed Computing Systems Lab
AIM: NRVesKY ICQ: 39023424
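Added illustration of the point made above about AH and masquerading (not part of the original message): AH's integrity check value (ICV) is computed over the immutable IP header fields, source address included, so a firewall that rewrites the source address breaks it, while ESP's ICV covers only the ESP payload and survives the rewrite. The key, addresses and payload below are constructed, and the ICV input is simplified to just src, dst and payload rather than the full AH header layout.

```python
"""Why an AH-protected packet fails its integrity check after masquerading."""
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-sa-key"  # constructed SA key, not a real one


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """AH: ICV (HMAC-SHA1-96 style) covers immutable IP header fields + payload."""
    data = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def esp_icv(payload: bytes) -> bytes:
    """ESP: ICV covers only the ESP header/payload, not the outer IP header."""
    return hmac.new(KEY, payload, hashlib.sha1).digest()[:12]


def masquerade(packet: dict, public_ip: str) -> dict:
    """What a masquerading firewall does: rewrite src, leave IPsec data untouched."""
    return {**packet, "src": public_ip}


def verify_ah(packet: dict) -> bool:
    expected = ah_icv(packet["src"], packet["dst"], packet["payload"])
    return hmac.compare_digest(expected, packet["icv"])


def verify_esp(packet: dict) -> bool:
    return hmac.compare_digest(esp_icv(packet["payload"]), packet["icv"])


def demo() -> dict:
    payload = b"\x00" * 8 + b"constructed transport data"
    inner, dst, public = "192.168.1.10", "203.0.113.5", "198.51.100.1"
    ah_pkt = {"src": inner, "dst": dst, "payload": payload,
              "icv": ah_icv(inner, dst, payload)}
    esp_pkt = {"src": inner, "dst": dst, "payload": payload,
               "icv": esp_icv(payload)}
    return {
        "ah_direct": verify_ah(ah_pkt),                      # True
        "ah_via_masq": verify_ah(masquerade(ah_pkt, public)),  # False: src rewritten
        "esp_direct": verify_esp(esp_pkt),                   # True
        "esp_via_masq": verify_esp(masquerade(esp_pkt, public)),  # True
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'ICV FAILED'}")
```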
