<Axel@congos-tools.com>
2004-May-07 21:39 UTC
RE: what is needed for ipsec pass through with static nat (rfc1918 static nat to routable 8 ip subnet)
Hi there,

First of all, I am missing your IKE entries (UDP port 500). Also, what kind of identification are you using (ADDRESS=IP, or USER_FQDN, or FQDN)? This should actually be defined by Arcor. I honestly would believe you have no firewall problem but a typical ISAKMP/IPSEC NAT/identity compatibility problem.

Axel Westerhold
DTS Systeme GmbH

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Andreas Bittner
Sent: Friday, 7 May 2004 23:24
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] what is needed for ipsec pass through with static nat (rfc1918 static nat to routable 8 ip subnet)

> If both of your IPSEC endpoints support NAT traversal, the protocol
> 50/51 packets are encapsulated in UDP (default port is 4500). In that
> case, your rules would be:

I don't know about the capabilities on the other side, but the ipsec client is a win2000 box with sp4. The ipsec provider is called Arcor, a telephone company in Germany. Their host I am trying to connect to is 21426.ipsec.arcor-ip.de., which resolves to 2 ip addresses, 145.253.216.28 and 145.253.218.28.

I have added the following lines to the rules file:

    ACCEPT net:145.253.216.28 loc:192.168.100.112 50
    #ACCEPT net:145.253.216.28 loc:192.168.100.112 51
    ACCEPT net:145.253.216.28 loc:192.168.100.112 udp 500,4500
    ACCEPT net:145.253.218.28 loc:192.168.100.112 50
    #ACCEPT net:145.253.218.28 loc:192.168.100.112 51
    ACCEPT net:145.253.218.28 loc:192.168.100.112 udp 500,4500

(disabled the protocol 51 as you said before)

The NATed connections are as follows:

    Proto NATed Address          Foreign Address        State
    raw   192.168.100.112:       145.253.216.28:        UNREPLIED
    udp   192.168.100.112:500    145.253.216.28:500     ASSURED

(created by netstat-nat, http://tweegy.demon.nl/projects/netstat-nat/index.html)

What I wonder about is this raw entry. There are no other NATed connections.

The .112 rfc1918 is another test box, which I mapped to another external routable ip address in the nat file:

    123.123.123.125 eth0 192.168.100.112 No No

Any hints? Now running shorewall 2.0.2-Beta2 ;)

Thanks,
andy

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Andreas Bittner
2004-May-07 21:50 UTC
Re: what is needed for ipsec pass through with static nat (rfc1918 static nat to routable 8 ip subnet)
> First of all, I am missing your IKE entries (UDP port 500).

What do you mean? Like I said earlier, I have the following lines in my rules file:

    ACCEPT net:145.253.216.28 loc:192.168.100.112 50
    #ACCEPT net:145.253.216.28 loc:192.168.100.112 51
    ACCEPT net:145.253.216.28 loc:192.168.100.112 udp 500,4500
    ACCEPT net:145.253.218.28 loc:192.168.100.112 50
    #ACCEPT net:145.253.218.28 loc:192.168.100.112 51
    ACCEPT net:145.253.218.28 loc:192.168.100.112 udp 500,4500

The loc zone is allowed to do everything towards the inet, and Tom advised me to add these entries, as it is also similar to the last table on the bottom of the page http://www.shorewall.net/VPN.htm

> Also, what kind of identification are you using (ADDRESS=IP, or
> USER_FQDN, or FQDN)? This should actually be defined by Arcor.

This is a good question, since I am really not in charge of the whole stuff with these ipsec tests, but I hear that Arcor provides some website, which generates some entries in the windows registry by active-x/internetexplorer means or something, which set the policies and stuff you refer to. I don't think it's fqdn or address/ip since this works all fine if I connect the win2k box to the internet with simple dialup/modem/isdn. Now I am trying to access the ipsec servers of Arcor from inside a small company lan which has those 8 official ip addresses as I described before.

I am not much of an ipsec expert, but what identification would you think about in these scenarios? I heard something about preshared keys or whatever, since this ipsec access is being used by some people traveling/roadwarriors and we want to use it for remote access of another company lan. So it's probably not something related to fqdn/ip-addresses since these change all the time when I use modem/dialup/isdn or connect from different places to the public inet, and then want to establish the ipsec tunnel to Arcor. Or what do you think?

Thanks.
andy
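An added check, not part of the thread or of Shorewall itself: it parses rules lines in the column layout the posters use (ACTION SOURCE DEST PROTO DEST_PORTS) and reports, for each peer/client pair, whether the entries a NAT-traversal-capable IPsec peer needs (IKE udp/500, NAT-T udp/4500, ESP proto 50) are present and not commented out. The sample input is constructed from the fragment above, with 4500 deliberately dropped for the second peer so that one pair fails the check.

```python
"""Check a Shorewall rules fragment for the entries an IPsec peer needs."""
from collections import defaultdict

# Constructed sample based on the thread's fragment; the second peer
# intentionally lacks udp/4500 so the check has something to report.
SAMPLE_RULES = """\
ACCEPT net:145.253.216.28 loc:192.168.100.112 50
#ACCEPT net:145.253.216.28 loc:192.168.100.112 51
ACCEPT net:145.253.216.28 loc:192.168.100.112 udp 500,4500
ACCEPT net:145.253.218.28 loc:192.168.100.112 50
#ACCEPT net:145.253.218.28 loc:192.168.100.112 51
ACCEPT net:145.253.218.28 loc:192.168.100.112 udp 500
"""

# Shorewall also accepts protocol names; normalise them to numbers.
PROTO_NAMES = {"esp": "50", "ah": "51"}

# Inbound entries an IPsec peer with NAT traversal needs towards the client.
# AH (proto 51) is left out on purpose: the thread disables it.
REQUIRED = {"ike": ("udp", "500"), "nat-t": ("udp", "4500"), "esp": ("50", None)}


def parse_rules(text):
    """Return {(source, dest): {(proto, port), ...}} for active ACCEPT lines."""
    allowed = defaultdict(set)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drops comments and disabled rules
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "ACCEPT":
            continue
        source, dest = fields[1], fields[2]
        proto = PROTO_NAMES.get(fields[3].lower(), fields[3].lower())
        ports = fields[4].split(",") if len(fields) > 4 else [None]
        for port in ports:
            allowed[(source, dest)].add((proto, port))
    return dict(allowed)


def check_ipsec_peers(text):
    """Return {(source, dest): [names of missing requirements]}."""
    return {
        pair: [name for name, need in REQUIRED.items() if need not in entries]
        for pair, entries in parse_rules(text).items()
    }


if __name__ == "__main__":
    for (source, dest), missing in check_ipsec_peers(SAMPLE_RULES).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{source} -> {dest}: {status}")
```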