Andreas Bittner
2004-May-07 11:03 UTC
what is needed for ipsec pass through with static nat (rfc1918 static nat to routable 8ip subnet)
Hello there,

I found http://www.shorewall.net/VPN.htm, which talks a little about IPsec.

I have a routable 8-IP subnet. The Linux router runs shorewall-1.3.8-1 on SuSE 8.2 and has one of the 8 official IP addresses on eth0, for example 123.123.123.123. I have added one RFC1918 IP on the internal loc/LAN (eth1) to the nat file, which maps 192.168.100.106 to one of the 8 external official routable IP addresses. It's _not_ the same IP address as the Linux router has on its eth0 external interface:

123.123.123.124 eth0 192.168.100.106 No No

I have the policy that the LAN is allowed to do everything on the inet zone:

loc net ACCEPT

Now I thought that when doing static NAT I don't need these entries about protocol 50 and so forth for IPsec pass-through, or am I mistaken here? Since the .106 box has its own official IP address, all traffic (IPsec too) should actually just be "routed" through the firewall box. Where is my mistake? I thought IPsec was just packing, encrypting and forwarding mostly UDP packets over the net, so what about this protocol 50 and such things that I read about in some places? Maybe I don't really understand the whole situation yet.

The IPsec client (the .106 local LAN box) is a Win2k Professional machine that wants to do IPsec, with the built-in Win2k IPsec client, to some external commercial provider running some sort of IPsec servers. The problem with the provider is that they have DNS-based IPsec servers, so the IPs could actually change or be multiple, so I think it wouldn't be too good if I had to use those entries described in table 1 on the VPN page http://www.shorewall.net/VPN.htm.

Any hints or ideas about the best solution?

Thanks,
Andy
Tom Eastep
2004-May-07 14:05 UTC
Re: what is needed for ipsec pass through with static nat (rfc1918 static nat to routable 8ip subnet)
Andreas Bittner wrote:
> hello there,
>
> i found the
> http://www.shorewall.net/VPN.htm
>
> that talks a little about ipsec.
>
> i have a routable 8ip subnet. the linux router runs shorewall-1.3.8-1,
> suse 8.2, has one of the 8 official ip addresses as eth0
> for example 123.123.123.123

I'm sorry -- Shorewall 1.3 is no longer supported and I'm not answering questions concerning its use.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Andreas Bittner
2004-May-07 15:06 UTC
Re: what is needed for ipsec pass through with static nat (rfc1918 static nat to routable 8ip subnet)
> I'm sorry -- Shorewall 1.3 is no longer supported and I'm not
> answering questions concerning its use.

;) No problem, but I really wonder about the basics of IPsec, and that's what I was actually asking. I don't see any big changes regarding the NAT behaviour of Shorewall 1.x and 2.x. So anyway, I was rather asking why doesn't simply all the traffic go through Shorewall when I NAT one external routable IP address to exactly one internal RFC1918 address?

And I thought IPsec was only normal TCP/IP/UDP activity with a few TCP and UDP ports, nothing more. But maybe I am wrong. Any pointers?

Thanks,
Andy
Tom Eastep
2004-May-07 15:38 UTC
Re: what is needed for ipsec pass through with static nat (rfc1918 static nat to routable 8ip subnet)
Andreas Bittner wrote:
>> I'm sorry -- Shorewall 1.3 is no longer supported and I'm not
>> answering
>> questions concerning its use.
>
> ;)
>
> no problem, but i really wonder about the basics of ipsec, and thats
> what i was actually asking. i dont see any big changes regarding the nat
> behaviour of shorewall 1.x and 2.x so anyways, i was rather asking why
> doesnt simply all the traffic go through shorewall when i nat one
> external routable ip address to exactly one internal rfc1918 address.
>
> and i thought ipsec was only normal tcp/ip/udp activity with a few tcp
> and udp ports, nothing more. but maybe i am wrong.

You still need to allow the inbound traffic from the remote gateway -- rather than DNAT rules, you need ACCEPT rules.

ACCEPT net:<other endpoint> loc:<local ip> udp 500
ACCEPT net:<other endpoint> loc:<local ip> 50
ACCEPT net:<other endpoint> loc:<local ip> 51

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Andreas Bittner
2004-May-07 15:47 UTC
Re: what is needed for ipsec pass through with static nat (rfc1918 static nat to routable 8ip subnet)
> ACCEPT net:<other endpoint> loc:<local ip> udp 500
> ACCEPT net:<other endpoint> loc:<local ip> 50
> ACCEPT net:<other endpoint> loc:<local ip> 51

Thank you for your help Tom, I really appreciate that. I think I need to take a look at these 50 and 51 protocols and how that all works together. I was already on the right track, kind of, looking at your documentation about DNAT, public IPs and VPN/IPsec pass-through. Will upgrade Shorewall to 2.x I guess ;)

Thanks again,
Andy
Tom Eastep
2004-May-07 17:03 UTC
Re: what is needed for ipsec pass through with static nat (rfc1918 static nat to routable 8ip subnet)
Andreas Bittner wrote:
>> ACCEPT net:<other endpoint> loc:<local ip> udp 500
>> ACCEPT net:<other endpoint> loc:<local ip> 50
>> ACCEPT net:<other endpoint> loc:<local ip> 51
>
> thank you for your help tom, i really appreciate that, i think i need to
> take a look at these 50 and 51 protcols and how that all works together.
>

Actually, with One-to-one NAT (formerly called "Static NAT" in the documentation), protocol 51 (AH) cannot be used. Authentication Header packets include a cryptographic checksum whose calculation includes the source and destination IP addresses in the IP header. Hence, if either address is rewritten in transit, the receiving IPSEC code will discard the packet. In short -- the third rule above is unnecessary since protocol 51 can't be used with any kind of NAT.

If both of your IPSEC endpoints support NAT traversal, the protocol 50/51 packets are encapsulated in UDP (default port is 4500). In that case, your rules would be:

ACCEPT net:<other endpoint> loc:<local ip> udp 500,4500

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
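Tom's point about AH above, as an added illustration that is not code from this thread or from Shorewall: a simplified model in Python of the RFC 4302 AH integrity check (computed over the immutable IP header fields, addresses included, plus the payload) next to the RFC 4303 ESP check (computed over the ESP header and protected payload only). The key, payload, SPI and the remote address 203.0.113.1 are constructed demo values, and HMAC-SHA256 truncated to 96 bits is an assumption for the demo rather than the algorithm of any real SA. Rewriting the source address the way one-to-one NAT does invalidates the AH check and leaves the ESP check intact.

```python
"""Why AH (protocol 51) breaks under one-to-one NAT while ESP (protocol 50) survives.

Simplified model of the RFC 4302/4303 integrity checks. Key, addresses, SPI and
payload are constructed demo values, not taken from any real security association.
"""
import hashlib
import hmac
import ipaddress
import struct

PROTO_ESP = 50
PROTO_AH = 51

# Constructed demo key; a real SA key is negotiated by IKE.
DEMO_KEY = b"constructed-demo-integrity-key"


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64, tos: int = 0) -> bytes:
    """Build a minimal 20-byte IPv4 header (header checksum left zero for the demo)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, tos, 20, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ah_immutable_view(hdr: bytes) -> bytes:
    """Zero the mutable IPv4 fields AH excludes from its ICV: TOS/DSCP, flags and
    fragment offset, TTL and header checksum. Source and destination addresses are
    deliberately left in place: AH treats them as immutable."""
    h = bytearray(hdr)
    h[1] = 0                # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def ah_icv(hdr: bytes, payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """AH integrity check value: HMAC over the immutable header view plus payload,
    truncated to 96 bits (assumed HMAC-SHA256-96 for the demo)."""
    return hmac.new(key, ah_immutable_view(hdr) + payload, hashlib.sha256).digest()[:12]


def ah_verify(hdr: bytes, payload: bytes, icv: bytes, key: bytes = DEMO_KEY) -> bool:
    return hmac.compare_digest(ah_icv(hdr, payload, key), icv)


def esp_icv(spi: int, seq: int, ciphertext: bytes, key: bytes = DEMO_KEY) -> bytes:
    """ESP integrity check value: covers the ESP header (SPI, sequence number) and the
    protected payload, never the outer IP header."""
    return hmac.new(key, struct.pack("!II", spi, seq) + ciphertext, hashlib.sha256).digest()[:12]


def esp_verify(spi: int, seq: int, ciphertext: bytes, icv: bytes, key: bytes = DEMO_KEY) -> bool:
    return hmac.compare_digest(esp_icv(spi, seq, ciphertext, key), icv)


def nat_rewrite_src(hdr: bytes, new_src: str) -> bytes:
    """What a one-to-one NAT box does to an outbound packet: replace the source
    address with the public one and decrement the TTL."""
    h = bytearray(hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[8] -= 1
    return bytes(h)


def demonstrate() -> dict:
    """Send one AH and one ESP packet from the RFC1918 host through one-to-one NAT
    and report what the receiving end's verification would say."""
    inner, public, remote = "192.168.100.106", "123.123.123.124", "203.0.113.1"  # remote: constructed
    payload = b"constructed demo payload"

    # AH: the sender computes the ICV with its private address in the header.
    ah_hdr = ipv4_header(inner, remote, PROTO_AH)
    icv = ah_icv(ah_hdr, payload)
    ah_before = ah_verify(ah_hdr, payload, icv)
    ah_after = ah_verify(nat_rewrite_src(ah_hdr, public), payload, icv)

    # ESP: the ICV is independent of the outer header, so the rewrite is harmless.
    esp_hdr = ipv4_header(inner, remote, PROTO_ESP)
    spi, seq, ct = 0x1234, 1, b"constructed-ciphertext-bytes"
    eicv = esp_icv(spi, seq, ct)
    nat_rewrite_src(esp_hdr, public)  # outer header changes ...
    esp_after = esp_verify(spi, seq, ct, eicv)  # ... but verification never looks at it

    return {"ah_before_nat": ah_before, "ah_after_nat": ah_after, "esp_after_nat": esp_after}


if __name__ == "__main__":
    print(demonstrate())
```

The TTL decrement does not matter to AH either, because TTL is one of the mutable fields zeroed before the ICV is computed; only the address rewrite is fatal. NAT traversal sidesteps the problem by wrapping ESP in UDP/4500, so the NAT box rewrites the UDP envelope and the ESP check inside stays valid.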
Andreas Bittner
2004-May-07 21:23 UTC
Re: what is needed for ipsec pass through with static nat (rfc1918 static nat to routable 8ip subnet)
> If both of your IPSEC endpoints support NAT traversal, the protocol
> 50/51 packets are encapsulated in UDP (default port is 4500). In that
> case, your rules would be:

I don't know about the capabilities on the other side, but the IPsec client is a Win2000 box with SP4. The IPsec provider is called Arcor, a telephone company in Germany. Their host I am trying to connect to is 21426.ipsec.arcor-ip.de., which resolves to 2 IP addresses, 145.253.216.28 and 145.253.218.28.

I have added the following lines to the rules file:

ACCEPT net:145.253.216.28 loc:192.168.100.112 50
#ACCEPT net:145.253.216.28 loc:192.168.100.112 51
ACCEPT net:145.253.216.28 loc:192.168.100.112 udp 500,4500
ACCEPT net:145.253.218.28 loc:192.168.100.112 50
#ACCEPT net:145.253.218.28 loc:192.168.100.112 51
ACCEPT net:145.253.218.28 loc:192.168.100.112 udp 500,4500

(disabled protocol 51 as you said before)

The NATed connections are as follows:

Proto NATed Address        Foreign Address      State
raw   192.168.100.112:     145.253.216.28:      UNREPLIED
udp   192.168.100.112:500  145.253.216.28:500   ASSURED

(created by netstat-nat, http://tweegy.demon.nl/projects/netstat-nat/index.html)

What I wonder about is this raw entry. There are no other NATed connections. The .112 RFC1918 box is another test box, which I mapped to another external routable IP address in the nat file:

123.123.123.125 eth0 192.168.100.112 No No

Any hints? Now running Shorewall 2.0.2-Beta2 ;)

Thanks,
Andy
Tom Eastep
2004-May-07 21:42 UTC
Re: what is needed for ipsec pass through with static nat (rfc1918 static nat to routable 8ip subnet)
Andreas Bittner wrote:
>
> (created by netstat-nat,
> http://tweegy.demon.nl/projects/netstat-nat/index.html)
>
> what i wonder about is this raw entry. there are no other NATed
> connections. the .112 rcf1918 is another test box, which i mapped to
> another external routable ip address in the nat file

If you want me to look at connection information, please forward the output of "shorewall show connections".

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
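As an added example that is not part of this thread and not code from Shorewall or netstat-nat: a small Python classifier for the connection-tracking listing that "shorewall show connections" prints (the kernel's conntrack table). It assumes the line format of /proc/net/ip_conntrack on 2.4/2.6 kernels, and the sample lines are constructed for the demo using the addresses from the thread (the AH, NAT-T and tcp lines are there only to exercise every branch). It tags IKE (udp/500), NAT-T (udp/4500), ESP (50) and AH (51) flows, reports whether one-to-one NAT rewrote the source, and flags entries that never got a reply, like the UNREPLIED line in the netstat-nat listing earlier in the thread.

```python
"""Classify IPsec-related entries in a conntrack listing such as the one
"shorewall show connections" prints. Line format modelled on
/proc/net/ip_conntrack (2.4/2.6 kernels); the sample below is constructed.
"""
from dataclasses import dataclass, field

IPSEC_PROTOS = {50: "ESP", 51: "AH"}
TUPLE_KEYS = ("src", "dst", "sport", "dport")

# Constructed sample listing (addresses from the thread; AH, NAT-T and tcp
# entries added only to exercise the classifier).
SAMPLE = """\
udp      17 170 src=192.168.100.112 dst=145.253.216.28 sport=500 dport=500 src=145.253.216.28 dst=123.123.123.125 sport=500 dport=500 [ASSURED] use=1
unknown  50 599 src=192.168.100.112 dst=145.253.216.28 [UNREPLIED] src=145.253.216.28 dst=123.123.123.125 use=1
unknown  51 599 src=192.168.100.112 dst=145.253.218.28 [UNREPLIED] src=145.253.218.28 dst=123.123.123.125 use=1
udp      17 30 src=192.168.100.112 dst=145.253.216.28 sport=4500 dport=4500 src=145.253.216.28 dst=123.123.123.125 sport=4500 dport=4500 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.100.50 dst=198.51.100.9 sport=40000 dport=80 src=198.51.100.9 dst=123.123.123.123 sport=80 dport=40000 [ASSURED] use=1
"""


@dataclass
class Entry:
    proto_name: str
    proto_num: int
    orig: dict = field(default_factory=dict)   # original-direction tuple
    reply: dict = field(default_factory=dict)  # reply-direction tuple
    flags: list = field(default_factory=list)  # [ASSURED], [UNREPLIED], ...


def parse_line(line: str) -> Entry:
    """Split one conntrack line into protocol, the two tuples and the flags."""
    parts = line.split()
    e = Entry(parts[0], int(parts[1]))
    for tok in parts[2:]:
        if tok.startswith("[") and tok.endswith("]"):
            e.flags.append(tok[1:-1])
        elif "=" in tok:
            k, v = tok.split("=", 1)
            if k in TUPLE_KEYS:
                # First src/dst/sport/dport belong to the original tuple,
                # the second occurrence to the reply tuple.
                (e.orig if k not in e.orig else e.reply)[k] = v
    return e


def classify(e: Entry) -> str:
    """Name the IPsec role of an entry, or 'other' for unrelated traffic."""
    if e.proto_num in IPSEC_PROTOS:
        return IPSEC_PROTOS[e.proto_num]
    if e.proto_num == 17 and e.orig.get("dport") == "500":
        return "IKE"
    if e.proto_num == 17 and e.orig.get("dport") == "4500":
        return "NAT-T"
    return "other"


def analyze(lines) -> list:
    """Return one summary dict per entry: role, addresses, NAT and reply state."""
    rows = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        kind = classify(e)
        row = {
            "kind": kind,
            "local": e.orig.get("src"),
            "remote": e.orig.get("dst"),
            # The reply tuple's destination is the address the remote side sees;
            # if it differs from the original source, NAT rewrote the packet.
            "public": e.reply.get("dst"),
            "natted": e.reply.get("dst") != e.orig.get("src"),
            "replied": "UNREPLIED" not in e.flags,
        }
        if kind == "AH" and row["natted"]:
            row["note"] = "AH integrity covers the IP addresses; cannot work through NAT"
        elif kind == "ESP" and not row["replied"]:
            row["note"] = "outbound ESP seen, nothing returned from the remote gateway yet"
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in analyze(SAMPLE.splitlines()):
        print(r)
```

Read the output together with the rules file: an IKE entry that is ASSURED but an ESP entry that stays UNREPLIED means the key exchange completed and outbound ESP left the firewall, so the remaining question is whether the inbound protocol 50 (or udp/4500, when both ends negotiated NAT-T) from the remote gateway is being accepted.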