I have Shorewall running as an office gateway performing NAT for local clients to access the Internet. There is a policy allowing full access from loc -> net.

Problem arises when trying to connect a Cisco VPN client to a VPN server on the Internet from a local workstation.

The Cisco client log shows:

Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device

If I bypass the Linux Shorewall gateway the connection works perfectly. This is the only type of connection to the Internet that seems to have any problems - www, https, ftp, MSN etc. all connect no problem.

I have tried to remove Shorewall from the equation by doing the following, with no luck:

sudo shorewall clear
sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.118.0/24 -j MASQUERADE

I have searched high and low but have not been able to find anything that will help with this problem. Has anyone else had a similar experience? Can anyone point me in the right direction, as this problem is completely beyond my knowledge and experience?

Attached is the status.txt file as created by shorewall dump. For this example I attempted to connect between 192.168.118.118 and 203.110.142.69.

If I have missed anything or you need further information please let me know.

Thank you in advance,
Peter

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Peter Wilson wrote:
> I have Shorewall running as an office gateway performing NAT for local clients to access the Internet.
> There is a policy allowing full access from loc -> net.
>
> Problem arises when trying to connect a Cisco VPN client to a VPN server on the Internet from a
> local workstation.
>
> The Cisco client log shows:
>
> Automatic NAT Detection Status:
> Remote end is NOT behind a NAT device
> This end IS behind a NAT device
>
> If I bypass the Linux Shorewall gateway the connection works perfectly.
> This is the only type of connection to the Internet that seems to have
> any problems - www, https, ftp, MSN etc. all connect no problem.
>
> I have tried to remove Shorewall from the equation by doing the following, with no luck:
> sudo shorewall clear
> sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.118.0/24 -j MASQUERADE

That eliminates Shorewall completely. And I don't know of anything else on the Linux gateway that could cause a problem.

> I have searched high and low but have not been able to find anything that
> will help with this problem. Has anyone else had a similar
> experience?

Afraid not -- my MS ipsec/l2tp client behind my firewall has always worked flawlessly.

> Can anyone point me in the right direction as this problem is
> completely beyond my knowledge and experience.
>
> Attached is the status.txt file as created by shorewall dump.
> For this example I attempted to connect between 192.168.118.118
> and 203.110.142.69.
> If I have missed anything or you need further
> information please let me know.

From the dump, you can see that the initial UDP 500 ISAKMP exchange worked correctly:

> udp 17 171 src=192.168.118.118 dst=203.110.142.69 sport=500 dport=500 packets=1 bytes=897 src=203.110.142.69 dst=203.110.148.145 sport=500 dport=500 packets=5 bytes=1984 [ASSURED] mark=0 use=1

The local client correctly detects NAT and attempts to use NAT-T:

> udp 17 4 src=192.168.118.118 dst=203.110.142.69 sport=4500 dport=4500 packets=5 bytes=582 [UNREPLIED] src=203.110.142.69 dst=203.110.148.145 sport=4500 dport=4500 packets=0 bytes=0 mark=0 use=1

But the server has not replied.

My instinct is that the problem lies with your VPN configuration (probably on the server end -- is it configured for NAT-T? It must be). But that is only my instinct since I have not used the Cisco VPN client or server.

Sorry I can't be of more help.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
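To make the reading of the dump above repeatable on other gateways, here is an added example (not from this thread, and not part of Shorewall) that parses conntrack entries in the format quoted by Tom and reports client/server pairs where IKE on UDP 500 completed but the NAT-T flow on UDP 4500 is still [UNREPLIED]. The sample dump is constructed from the two entries in the message; the field order (original tuple first, reply tuple second) is that of the kernel's conntrack output.

```python
import re
from dataclasses import dataclass

IKE_PORT, NAT_T_PORT = 500, 4500   # ISAKMP and IPsec NAT-Traversal (RFC 3948)
_KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample: the two conntrack entries quoted from the shorewall dump.
SAMPLE_DUMP = (
    "udp 17 171 src=192.168.118.118 dst=203.110.142.69 sport=500 dport=500 "
    "packets=1 bytes=897 src=203.110.142.69 dst=203.110.148.145 sport=500 "
    "dport=500 packets=5 bytes=1984 [ASSURED] mark=0 use=1\n"
    "udp 17 4 src=192.168.118.118 dst=203.110.142.69 sport=4500 dport=4500 "
    "packets=5 bytes=582 [UNREPLIED] src=203.110.142.69 dst=203.110.148.145 "
    "sport=4500 dport=4500 packets=0 bytes=0 mark=0 use=1\n"
)

@dataclass
class Flow:
    proto: str
    timeout: int      # seconds left before conntrack drops the entry
    orig: dict        # original direction (client -> server)
    reply: dict       # reply direction as conntrack expects to see it
    replied: bool     # False while the [UNREPLIED] flag is set
    assured: bool

def parse_line(line: str) -> Flow:
    """Parse one conntrack line; keys repeat, first set = original, second = reply."""
    fields = line.split()
    orig, reply = {}, {}
    for key, value in _KV.findall(line):
        (reply if key in orig else orig)[key] = value
    flags = {f.strip("[]") for f in fields if f.startswith("[")}
    return Flow(fields[0], int(fields[2]), orig, reply,
                "UNREPLIED" not in flags, "ASSURED" in flags)

def diagnose_ipsec(dump: str) -> list:
    """Pair IKE and NAT-T flows per client/server and report NAT-T with no reply."""
    seen = {}
    for line in dump.splitlines():
        if not line.startswith("udp "):
            continue
        f = parse_line(line)
        port = int(f.orig["dport"])
        if port in (IKE_PORT, NAT_T_PORT):
            seen.setdefault((f.orig["src"], f.orig["dst"]), {})[port] = f
    findings = []
    for (client, server), flows in seen.items():
        ike, natt = flows.get(IKE_PORT), flows.get(NAT_T_PORT)
        if ike and ike.replied and natt and not natt.replied:
            # reply["dst"] is the masqueraded address the server sees (gateway public IP)
            findings.append(f"{client}->{server}: IKE on UDP 500 completed, but "
                            f"{natt.orig['packets']} NAT-T packets from {natt.reply['dst']} "
                            "on UDP 4500 got no reply; check NAT-T on the server/path")
    return findings
```

Run it against the conntrack section of a `shorewall dump` (or `conntrack -L` output) to confirm whether the 4500/udp flow is the one that never gets answered.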
Peter Wilson
2007-Apr-17 05:47 UTC
Re: IPSec Passthrough fails when using Cisco VPN client
Thanks for the reply Tom.

Could it have anything to do with Shorewall 3.0 and Kernel 2.6 IPSEC as discussed on http://shorewall.net/IPSEC-2.6.html

Shorewall is just a front end to netfilter isn't it? Could it be that my kernel (2.6.15-23-686) is the source of the problem?

Server side isn't a problem as we have connected the same clients from a number of different NAT environments without a problem. Unfortunately this is the only gateway that has caused this behaviour. I also have 2 similarly configured Linux gateways (with the same kernel version) that exhibit exactly the same behaviour. The idea is to eventually use these 2 boxes to create a HA gateway using heartbeat.

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Tuesday, 17 April 2007 2:17 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] IPSec Passthrough fails when using Cisco VPN client
Peter Wilson wrote:
> Thanks for the reply Tom.
>
> Could it have anything to do with Shorewall 3.0 and Kernel
> 2.6 IPSEC as discussed on http://shorewall.net/IPSEC-2.6.html

Not unless you have configured IPSEC policies on the firewall system. All the firewall system should see is UDP packets that are destined for another system.

> Shorewall is just a front end to netfilter isn't it?
> Could it be that my kernel (2.6.15-23-686) is the source of the problem?

That's a possibility, I suppose. That is a fairly old kernel, as kernels go (so is your Shorewall -- it is about to go into the 'unsupported' category).

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Benito Venegas
2007-Apr-17 23:37 UTC
Re: IPSec Passthrough fails when using Cisco VPN client
Peter:

We had to deal with this some weeks ago. I think the only part you have missed is the NAT. Cisco VPN requires that the desktop has a valid IP. So just create a NAT, and you'll be OK.

If you still have problems, don't hesitate to contact me and we can do some tests together.

Cheers,
-- 
Vene.-

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Peter Wilson
Sent: Monday, April 16, 2007 10:21 PM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] IPSec Passthrough fails when using Cisco VPN client