Bradey, have you had any more success with this? Anyone else?
We haven't tried this yet either, but plan to get a test setup next
week.
Just a couple of quick thoughts:
- Do you need to load another kernel module for this? (I noticed two
netfilter modules, ipt_esp.o and ipt_ah.o, but am not sure if they are
just so you can match packets or if they function as a protocol helper....)
- Are there newer releases of iptables and/or the netfilter modules
than what you are running?
Thanks,
Brian
Bradey Honsinger wrote:
>Has anyone out there gotten a Microsoft L2TP/IPSec VPN to work behind
>NAT or Proxy ARP? After last Thursday's PPTP vulnerability disclosure,
>we shut down PPTP and have been trying to get this set up. I've read
>the material that's out there about using IPSec over NAT--we're not
>using AH, for instance--but I haven't been able to find anything
>specifically about configuring MS's VPN server to work through NAT.
>Our configuration is similar to that at http://shorewall.net/VPN.htm,
>except that it's the VPN server that has an RFC1918 address.
>
>I'm forwarding proto 50 (ESP) and 500/udp (IKE) to our internal VPN
>server; the entries in /etc/shorewall/rules are:
>
>#ACTION SOURCE DEST             PROTO DEST  SOURCE  ORIGINAL
>#                                     PORT  PORT(S) DEST
>DNAT    pub    cx:192.168.1.14  udp   500   -       192.168.3.1
>DNAT    pub    cx:192.168.1.14  50    -     -       192.168.3.1
>
>(I'm testing this out from a VPN client on 192.168.3.0/24; if it works,
>I'll switch it over to the net interface.)
>
>It seems to get through the key exchange part of the connection okay
>(although I confess that I'm not an IPSec expert--I don't know what
>a good IKE looks like in tcpdump), but when the client starts sending ESP
>packets, they never get anything back. The tcpdump from the client
>interface looks like this:
>
>12:48:34.625840 192.168.3.70.isakmp > 192.168.3.1.isakmp: isakmp: phase 1 I ident: [|sa]
>12:48:34.775315 192.168.3.1.isakmp > 192.168.3.70.isakmp: isakmp: phase 1 R ident: [|sa]
>12:48:34.831432 192.168.3.70.isakmp > 192.168.3.1.isakmp: isakmp: phase 1 I ident: [|ke]
>12:48:34.887254 192.168.3.1.isakmp > 192.168.3.70.isakmp: isakmp: phase 1 R ident: [|ke]
>12:48:34.917583 192.168.3.70.isakmp > 192.168.3.1.isakmp: isakmp: phase 1 I ident[E]: [|id] (frag 7144:1480@0+)
>12:48:34.917914 192.168.3.70 > 192.168.3.1: (frag 7144:492@1480)
>12:48:34.947351 192.168.3.1.isakmp > 192.168.3.70.isakmp: isakmp: phase 1 R ident[E]: [|id] (frag 5350:1480@0+)
>12:48:34.948192 192.168.3.1 > 192.168.3.70: (frag 5350:300@1480)
>12:48:34.953656 192.168.3.70.isakmp > 192.168.3.1.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash]
>12:48:34.960005 192.168.3.1.isakmp > 192.168.3.70.isakmp: isakmp: phase 2/others R oakley-quick[EC]: [|hash]
>12:48:34.960875 192.168.3.70.isakmp > 192.168.3.1.isakmp: isakmp: phase 2/others I oakley-quick[EC]: [|hash]
>12:48:34.963324 192.168.3.1.isakmp > 192.168.3.70.isakmp: isakmp: phase 2/others R oakley-quick[EC]: [|hash]
>12:48:34.965405 192.168.3.70 > 192.168.3.1: ESP(spi=0x367a7e74,seq=0x1)
>12:48:35.965814 192.168.3.70 > 192.168.3.1: ESP(spi=0x367a7e74,seq=0x2)
>12:48:37.968814 192.168.3.70 > 192.168.3.1: ESP(spi=0x367a7e74,seq=0x3)
>12:48:41.974787 192.168.3.70 > 192.168.3.1: ESP(spi=0x367a7e74,seq=0x4)
>12:48:49.976733 192.168.3.70 > 192.168.3.1: ESP(spi=0x367a7e74,seq=0x5)
>12:48:59.981674 192.168.3.70 > 192.168.3.1: ESP(spi=0x367a7e74,seq=0x6)
>12:49:09.989409 192.168.3.70.isakmp > 192.168.3.1.isakmp: isakmp: phase 2/others I inf[E]: [|hash]
>12:49:09.996821 192.168.3.70.isakmp > 192.168.3.1.isakmp: isakmp: phase 2/others I inf[E]: [|hash]
>12:49:09.997900 192.168.3.1.isakmp > 192.168.3.70.isakmp: isakmp: phase 2/others R inf[E]: [|hash]
>
>Running Microsoft's IPSec Monitor on the VPN server shows the connection,
>then six packets with bad SPIs (one for each ESP packet sent by the
>client), then drops the connection.
>
>Any ideas/suggestions? I'm going to try to Proxy ARP the VPN server,
>rather than NATting it; I'll let you know if that works.
>
> - Bradey
>_______________________________________________
>Shorewall-users mailing list
>Shorewall-users@shorewall.net
>http://www.shorewall.net/mailman/listinfo/shorewall-users
>
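An added diagnostic example, not code from either message: a small Python script that reads client-side tcpdump lines of the shape in the quoted trace, records whether the IKE responder answered in phase 1 and phase 2, and lists ESP flows that never got ESP back from the peer. The embedded trace is constructed to match the quoted format (shortened, sample timestamps and SPI); `analyze_trace`, `ike_completed` and `one_way_esp` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed tcpdump lines in the same shape as the quoted trace (shortened;
# timestamps and the SPI are sample values, not captured data).
SAMPLE_TRACE = """\
12:48:34.625840 192.168.3.70.isakmp > 192.168.3.1.isakmp: isakmp: phase 1 I ident: [|sa]
12:48:34.775315 192.168.3.1.isakmp > 192.168.3.70.isakmp: isakmp: phase 1 R ident: [|sa]
12:48:34.953656 192.168.3.70.isakmp > 192.168.3.1.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash]
12:48:34.963324 192.168.3.1.isakmp > 192.168.3.70.isakmp: isakmp: phase 2/others R oakley-quick[EC]: [|hash]
12:48:34.965405 192.168.3.70 > 192.168.3.1: ESP(spi=0x367a7e74,seq=0x1)
12:48:35.965814 192.168.3.70 > 192.168.3.1: ESP(spi=0x367a7e74,seq=0x2)
12:48:37.968814 192.168.3.70 > 192.168.3.1: ESP(spi=0x367a7e74,seq=0x3)
12:49:09.989409 192.168.3.70.isakmp > 192.168.3.1.isakmp: isakmp: phase 2/others I inf[E]: [|hash]
"""

# tcpdump summaries: "<ts> <src>.isakmp > <dst>.isakmp: isakmp: phase <p> <I|R> <exchange>"
# and "<ts> <src> > <dst>: ESP(spi=0x...,seq=0x...)"
IKE_RE = re.compile(r"^\S+ (\S+)\.isakmp > (\S+)\.isakmp: isakmp: phase (\S+) ([IR]) (\S+)")
ESP_RE = re.compile(r"^\S+ (\S+) > (\S+): ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")

def analyze_trace(text):
    """Per IKE phase: did the responder (R) ever reply? Per (src, dst, spi): ESP packet count."""
    phase_answered = defaultdict(bool)
    esp = defaultdict(int)
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            _src, _dst, phase, role, exch = m.groups()
            if exch.startswith("inf"):      # informational after ESP = teardown, not progress
                continue
            phase_answered[phase] = phase_answered[phase] or role == "R"
            continue
        m = ESP_RE.match(line)
        if m:
            src, dst, spi, _seq = m.groups()
            esp[(src, dst, spi)] += 1
    return {"phases": dict(phase_answered), "esp": dict(esp)}

def ike_completed(summary):
    """True when both phase 1 and phase 2 got a responder message."""
    return summary["phases"].get("1", False) and summary["phases"].get("2/others", False)

def one_way_esp(summary):
    """ESP flows with no ESP in the reverse direction. IKE completing while ESP is
    one-way points at protocol 50 not being forwarded/translated, not at authentication."""
    esp = summary["esp"]
    senders = {(src, dst) for (src, dst, _spi) in esp}
    return sorted((src, dst, spi, n) for (src, dst, spi), n in esp.items()
                  if (dst, src) not in senders)
```

Run against a real capture, a non-empty `one_way_esp` result together with `ike_completed` being true matches the symptom in the quoted post: IKE over 500/udp is fine, the ESP path is what to check.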