
Re: IPsec and IPMasq/Proxy



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

> I ran into some trouble using a Debian box as an IP Masq gateway (also
> running Squid) to a network which uses a VPN box employing IPsec.  The
> ISP's tech support said that GNU/Linux was incapable of doing NAT properly
> with IPsec and that I'd have to kill the NAT and proxy to make things
> work.

They're almost right - Kernel 2.2 doesn't like to do NAT on IP protocols
other than TCP and UDP.  I think that may change for 2.4, but don't quote
me on that.

However, it can be done, with special tools and relatively minor and
well-tested kernel modifications.

ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html has all
the information you need.

You do need to realise, however, that there can be one and only one IPsec
device behind the NAT firewall.  Ditto with MS' PPTP VPN stuff.

Another solution would be to put IPsec on Linux: http://www.freeswan.org.  
I've heard good reports on this implementation, but I've not yet used
it.

> I have no experience with IPsec, but this sounded strange.  Can anyone
> confirm or deny this?  I can't understand why a Windows machine can plug
> into the net but that GNU/Linux doing Masquerading or using Squid can't do
> the same.  Could someone whack me with a clue bat?  TIA.

The problem is, as I said before, kernel 2.2 doesn't like to do NAT on IP
protocols other than TCP and UDP.

When the kernel does NAT, it translates the source address of the
connection to be that of the interface, and does the reverse when packets
come back through.  However, to be able to do that, the NAT subsystem
needs to be able to track the connection.

IP protocols 47 (GRE, used by PPTP), 50 (IPsec ESP), and 51 (IPsec AH) do
not carry this connection tracking information, therefore these
connections can not be forwarded automatically, like a POP3 connection
can.  You must basically do "port forwarding" on these alternate IP
protocols to get the packets to the correct host.

As to why Windows "just works" but Linux doesn't... Windows is built to
work only one way, so it's easy to get working "just right".  Linux has
more flexibility, therefore requires more work to get the details right.

HTH.

- -- 
- ----------------------------------------------------------------------
Phil Brutsche				    pbrutsch@tux.creighton.edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE514Mm/ZTSZFDeHPwRAlYAAKC70vws3LkWP3dfhHjoYAYZdY7qBQCgkhzd
O697zWZ+lJBSh09LIXULUOg=
=Nw9h
-----END PGP SIGNATURE-----
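The reply above explains why a masquerading gateway can track TCP and UDP flows per inside host but not GRE (47), ESP (50) or AH (51), and why the workaround amounts to a static "port forward" of the whole IP protocol to a single inside host. The following toy model is an added illustration written for this page; it is not code from the thread, from the 2.2 kernel, or from the ip_masq_vpn patch it links to. It builds and parses real 20-byte IPv4 headers, keys TCP/UDP state on the translated source port, and, because ESP/AH/GRE carry no port field the gateway can rewrite, keys those protocols on the protocol number alone. The addresses, port range and the `proto_forward` table are constructed for the example.

```python
"""Toy 1:many NAT (masquerading) model: TCP/UDP flows are tracked per inside
host via the translated source port; portless IP protocols (GRE/ESP/AH) can
only be mapped to ONE inside host, which is the "port forwarding" the mail
describes.  Added illustration, not kernel code.  All addresses constructed."""
import struct
from ipaddress import IPv4Address

TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51


def build_ipv4(src, dst, proto, payload=b""):
    """Minimal IPv4 header: no options, checksum left at zero (not verified here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Return src/dst/proto and, for TCP/UDP only, the port pair at payload offset 0."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    sport = dport = None
    if proto in (TCP, UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "proto": proto, "sport": sport, "dport": dport, "payload": payload}


def rewrite(pkt, src=None, dst=None, sport=None, dport=None):
    """Rebuild the packet with selected header fields (and TCP/UDP ports) replaced."""
    p = parse_ipv4(pkt)
    payload = bytearray(p["payload"])
    if sport is not None:
        payload[0:2] = struct.pack("!H", sport)
    if dport is not None:
        payload[2:4] = struct.pack("!H", dport)
    return build_ipv4(src or p["src"], dst or p["dst"], p["proto"], bytes(payload))


class Masquerader:
    def __init__(self, ext_ip, proto_forward=None):
        self.ext_ip = ext_ip
        self.port_table = {}                 # (proto, ext_port) -> (inside_ip, inside_port)
        self.next_port = 61000               # constructed ephemeral range
        # Portless protocols: one inside host per protocol number.  A static
        # entry here is the "port forwarding" of protocol 50/51/47 from the mail.
        self.proto_table = dict(proto_forward or {})

    def outbound(self, pkt):
        p = parse_ipv4(pkt)
        if p["proto"] in (TCP, UDP):
            ext_port, self.next_port = self.next_port, self.next_port + 1
            self.port_table[(p["proto"], ext_port)] = (p["src"], p["sport"])
            return rewrite(pkt, src=self.ext_ip, sport=ext_port)
        owner = self.proto_table.setdefault(p["proto"], p["src"])
        if owner != p["src"]:
            # Replies carry nothing that says which inside host they belong to,
            # so a second host on the same protocol cannot be tracked.
            raise ValueError(f"IP protocol {p['proto']} already mapped to {owner}")
        return rewrite(pkt, src=self.ext_ip)

    def inbound(self, pkt):
        """Translated packet for the inside host, or None if no state matches."""
        p = parse_ipv4(pkt)
        if p["proto"] in (TCP, UDP):
            entry = self.port_table.get((p["proto"], p["dport"]))
            return None if entry is None else rewrite(pkt, dst=entry[0], dport=entry[1])
        inside = self.proto_table.get(p["proto"])
        return None if inside is None else rewrite(pkt, dst=inside)


def tcp_demo():
    """Two inside hosts reach the same server; replies are demultiplexed by port."""
    gw = Masquerader("198.51.100.2")
    a = build_ipv4("192.168.1.10", "203.0.113.5", TCP, struct.pack("!HH", 40000, 80))
    b = build_ipv4("192.168.1.11", "203.0.113.5", TCP, struct.pack("!HH", 40000, 80))
    out_a, out_b = parse_ipv4(gw.outbound(a)), parse_ipv4(gw.outbound(b))
    reply_b = build_ipv4("203.0.113.5", "198.51.100.2", TCP, struct.pack("!HH", 80, out_b["sport"]))
    return out_a["sport"], out_b["sport"], parse_ipv4(gw.inbound(reply_b))["dst"]


def esp_demo():
    """ESP (protocol 50) statically forwarded to one host; a second host is refused."""
    gw = Masquerader("198.51.100.2", proto_forward={ESP: "192.168.1.10"})
    spi = struct.pack("!I", 0x1000)          # an ESP payload begins with the 32-bit SPI
    first = parse_ipv4(gw.outbound(build_ipv4("192.168.1.10", "198.51.100.7", ESP, spi)))["src"]
    try:
        gw.outbound(build_ipv4("192.168.1.11", "198.51.100.7", ESP, spi))
        second = "forwarded"
    except ValueError:
        second = "refused"
    back = parse_ipv4(gw.inbound(build_ipv4("198.51.100.7", "198.51.100.2", ESP, spi)))["dst"]
    return first, second, back


if __name__ == "__main__":
    print(tcp_demo())   # (61000, 61001, '192.168.1.11')
    print(esp_demo())   # ('198.51.100.2', 'refused', '192.168.1.10')
```

Without a `proto_forward` entry the gateway has nowhere to send an inbound ESP or AH packet and drops it, which is the failure the original poster saw; with the entry, exactly one inside VPN client works, which is the "one and only one IPsec device" limitation the reply describes.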