OpenBSD + IPNAT + VPN - HELP!....

Jurgen Kobierczynski plug-discuss@lists.PLUG.phoenix.az.us
Mon, 30 Jul 2001 17:39:56 +0200


There is no NAT support for the ESP packets as far as I know. IPSec was
not designed for use within a NAT/Masquerading setup, but I know that Linux
IPTables has a VPN-Masquerading feature; check the VPN-Masquerading for Linux
documentation for more details on these issues with VPN Masquerading. There is
the problem that the SPI assignment to hosts is encrypted, so the firewall can
only assign these connections as best as possible by "capturing" the creation
of each connection. Also, key renewal changes the SPI numbers, so it won't work
perfectly.

But this isn't possible in IPF (yet?), as far as I know; a simple redirection
of the ESP packets to one particular host should be possible, though. (Not tried
yet, btw.)

Also, I know from my latest setup that there was a virtual interface "enc0"
defined, and that I had to define rules for it.

Jurgen
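
An added illustration of the point made above (example code, not from the original thread, from IPF, or from the Linux VPN-masquerade patch): it parses the ESP header, which is the only part of an ESP packet a NAT gateway can read, and shows a best-effort SPI-to-inside-host tracker of the kind described, which works while exactly one inside host has a fresh SA pending and cannot decide when two hosts rekey at once. The host names, the peer's reply SPIs and the tracker itself are constructed; the outbound SPI 0x00202AD8 is the one in the tcpdump quoted below.

```python
import struct

def parse_esp(payload: bytes):
    """Return (spi, seq) from a raw ESP body (RFC 2406): a 4-byte SPI and a
    4-byte sequence number, followed by encrypted data the gateway cannot read."""
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", payload[:8])

def make_esp(spi: int, seq: int, size: int = 60) -> bytes:
    """Constructed sample packet: genuine header layout, dummy opaque payload."""
    return struct.pack("!II", spi, seq) + b"\x00" * (size - 8)

class EspNatTracker:
    """Hypothetical best-effort NAT helper. The SPI an inside host will receive
    on is negotiated inside encrypted IKE quick mode, so the gateway can only
    pair a never-seen inbound SPI with the host that most recently opened a
    new outbound SPI; rekeying changes both SPIs, so it has to re-learn."""

    def __init__(self):
        self.pending = []       # inside hosts that just opened a new outbound SA
        self.seen_out = set()   # (host, outbound spi) pairs already learned
        self.inbound_map = {}   # inbound spi -> inside host

    def outbound(self, host: str, payload: bytes) -> None:
        spi, _ = parse_esp(payload)
        if (host, spi) not in self.seen_out:   # first packet of a new SA
            self.seen_out.add((host, spi))
            self.pending.append(host)

    def inbound(self, payload: bytes):
        """Inside host for an inbound ESP packet, or None if it cannot be told."""
        spi, _ = parse_esp(payload)
        if spi in self.inbound_map:
            return self.inbound_map[spi]
        if len(self.pending) == 1:              # exactly one candidate: take it
            self.inbound_map[spi] = self.pending.pop()
            return self.inbound_map[spi]
        return None                             # zero or several candidates

def demo():
    t = EspNatTracker()
    t.outbound("z.z.z.z", make_esp(0x00202AD8, 1))   # SPI from the quoted tcpdump
    first = t.inbound(make_esp(0x11111111, 1))        # peer's reply SPI (constructed)
    later = t.inbound(make_esp(0x11111111, 2))        # already known: no guessing
    # Two inside hosts rekey at the same moment: the gateway cannot decide.
    t.outbound("z.z.z.z", make_esp(0x00202AD9, 1))
    t.outbound("w.w.w.w", make_esp(0x00303030, 1))
    ambiguous = t.inbound(make_esp(0x22222222, 1))
    return first, later, ambiguous
```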

-----Original Message-----
From: Furmanek, Greg [mailto:Greg.Furmanek@hit.cendant.com]
Sent: maandag 30 juli 2001 16:46
To: PLUG (E-mail); IP Filter Mail List (E-mail); 'misc@openbsd.org'
Subject: RE: OpenBSD + IPNAT + VPN - HELP!....


Can anyone help with this one?

I have looked online for some info but it seems that
everything I have tried did not work.

Why is "esp" not forwarded?

Any suggestions would be appreciated.

Greg


> -----Original Message-----
> From: Greg [mailto:codewolf@earthlink.net]
> Sent: Saturday, July 28, 2001 4:55 PM
> To: misc@openbsd.org
> Subject: Fw: OpenBSD + IPNAT + VPN - HELP!....
> 
> 
> Hi everyone....
> 
> I am trying to set up a VPN connection from Windows (Nortel
> Client) through OpenBSD (NAT/IPF) to Nortel.
> 
> It seems that I get the ISAKMP to negotiate just fine, but
> when it comes to the tunnel it is a different story:
> 
> This is my setup:
> 
> | WIN  Client |-----------|Open  BSD |-----------| Nortel |
> 
> 
> xl0 - external
> xl1 - internal
> x.x.x.x - Nortel
> y.y.y.y  - ip on xl0
> z.z.z.z - ip on host with the client
> k.k.k.k - ip on xl1 - gateway
> ipf.rules
> =========
> # for esp protocol - I have not specified the protocol since I allow all
> # from this specific host
> pass in quick on xl0 from x.x.x.x/32 to y.y.y.y/32
> pass out quick on xl0 from y.y.y.y/32 to x.x.x.x/32
> pass in quick on xl1 from any to x.x.x.x/32
> pass out quick on xl1 from x.x.x.x/32 to any
> 
> #---------------------      UDP ISAKMP KEY NEGOTIATION    ----------------------
> pass in quick on xl1 proto udp from z.z.z.z port = 500 to x.x.x.x/32 port = 500 keep state
> 
> ipnat.rules
> ===========
> bimap xl0 y.y.y.y/32 -> x.x.x.x/32
> 
> External Interface TCPDUMP
> 07:43:27.549341 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange INFO
> cookie: 706c21ba7b23ffee->bc913c8656d13c01 msgid: 00000000 len: 40
> 07:43:27.550407 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 324
> 07:43:27.705309 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange INFO
> cookie: 706c21ba7b23ffee->285de1c413970480 msgid: 00000000 len: 40
> 07:43:27.738159 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 284
> 07:43:28.193897 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange AGGRESSIVE
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 232
> 07:43:28.229533 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 52
> 07:43:28.452708 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange unknown
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 124
> 07:43:28.453900 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange unknown
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 76
> 07:43:28.583195 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange QUICK_MODE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 580
> 07:43:28.648425 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange QUICK_MODE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 292
> 07:43:28.756717 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange QUICK_MODE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 52
> 
> 
> INTERNAL INTERFACE TCPDUMP
> 07:43:27.463431 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 316
> 07:43:27.549484 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange INFO
> cookie: 706c21ba7b23ffee->bc913c8656d13c01 msgid: 00000000 len: 40
> 07:43:27.550272 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 324
> 07:43:27.705446 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange INFO
> cookie: 706c21ba7b23ffee->285de1c413970480 msgid: 00000000 len: 40
> 07:43:27.738025 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 284
> 07:43:28.194061 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange AGGRESSIVE
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 232
> 07:43:28.229392 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 52
> 07:43:28.452855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange unknown
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 124
> 07:43:28.453769 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange unknown
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 76
> 07:43:28.583338 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange QUICK_MODE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 580
> 07:43:28.648283 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange QUICK_MODE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 292
> 07:43:28.756855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange QUICK_MODE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 52
> 
> 07:43:28.759525 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 1 len 84
> 07:43:28.759747 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> 07:43:29.716258 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 2 len 60
> 07:43:29.716470 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> 07:43:30.390774 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 3 len 116
> 07:43:30.391030 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> 07:43:30.391077 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 4 len 124
> 07:43:30.391097 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 5 len 116
> 07:43:30.391283 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> 07:43:30.391457 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> 
