
VPN access from behind a firewall?

Dan Cantor
Mar 22, 1999, 3:00:00 AM
I'd like to get into our corporate network via the extranet switches
(Contivity series). Anyway, I am at home, using a cable modem, and behind a
makeshift firewall I created using NAT. I've allowed all incoming and
outgoing packets of origin TCP, UDP, ICMP, IP, and PPTP on my firewall. As
you can see, I am not filtering ANY packets. Not much of a firewall, but
I'll lock it down later.

How can I get into work's network? I have version 2.0.56 of the extranet
access switch software, and the message I receive is that I cannot see the
host. All works well when I am not behind the firewall.

Any suggestions?

George Matey
Mar 22, 1999, 3:00:00 AM
Dan Cantor wrote:
>
> I'd like to get into our corporate network via the extranet switches
> (Contivity series). Anyway, I am at home, using a cable modem, and behind a
> makeshift firewall I created using NAT. I've allowed all incoming and
> outgoing packets of origin TCP, UDP, ICMP, IP, and PPTP on my firewall. As
> you can see, I am not filtering ANY packets. Not much of a firewall, but

Well, yes, it does sound like you're filtering some packets out,
(such as IPsec) but not many. What protocol has been configured
for the VPN? PPTP, IPsec?
Also, what type of firewall? Is it based off of Checkpoint, Linux
Firewall, or some other type?

> I'll lock it down later.
>
> How can I get into work's network? I have version 2.0.56 of the extranet
> access switch software, and the message I receive is that I cannot see the
> host. All works well when I am not behind the firewall.
>
> Any suggestions?

Step 1: Can you ping the switch from behind your firewall?

--
George

Robert Pluim
Mar 22, 1999, 3:00:00 AM
>>>>> "George" == George Matey <gma...@baynetworks.com> writes:

George> Dan Cantor wrote:
>>
>> I'd like to get into our corporate network via the extranet
>> switches (Contivity series). Anyway, I am at home, using a
>> cable modem, and behind a makeshift firewall I created using
>> NAT. I've allowed all incoming and outgoing packets of origin

NAT and IPSEC tend not to mix very well. What's doing the NAT here?

George> Step 1: Can you ping the switch from behind your firewall?

:-)

Step 2: what tunnel protocol are you using?

Robert
--
The above are my opinions.
Take them or leave them.

George Matey
Mar 22, 1999, 3:00:00 AM
Robert Pluim wrote:
>
> >>>>> "George" == George Matey <gma...@baynetworks.com> writes:
>
> George> Dan Cantor wrote:
> >>
> >> I'd like to get into our corporate network via the extranet
> >> switches (Contivity series). Anyway, I am at home, using a
> >> cable modem, and behind a makeshift firewall I created using
> >> NAT. I've allowed all incoming and outgoing packets of origin
>
> NAT and IPSEC tend not to mix very well. What's doing the NAT here?
>
NAT and IPsec ESP can coexist quite nicely (I use the Contivity
client in IPsec ESP mode through my Instant Internet box, doing
NAT, every day).

It's NAT and IPsec AH that don't get along.

--
George

Robert Pluim
Mar 22, 1999, 3:00:00 AM
>>>>> "George" == George Matey <gma...@baynetworks.com> writes:

>> NAT and IPSEC tend not to mix very well. What's doing the NAT
>> here?
>>

George> NAT and IPsec ESP can coexist quite nicely (I use the
George> Contivity client in IPsec ESP mode through my Instant
George> Internet box, doing NAT, every day).

George> Its NAT and IPsec AH, that don't get along.

OK, OK, I claim as defense that I said "tend" as opposed to "do". :-)

Pramod John
Mar 22, 1999, 3:00:00 AM
Robert Pluim wrote:

> >>>>> "George" == George Matey <gma...@baynetworks.com> writes:
>
> >> NAT and IPSEC tend not to mix very well. What's doing the NAT
> >> here?
> >>
> George> NAT and IPsec ESP can coexist quite nicely (I use the
> George> Contivity client in IPsec ESP mode through my Instant
> George> Internet box, doing NAT, every day).
>
> George> Its NAT and IPsec AH, that don't get along.

Actually NAT only works with IPSEC in ESP mode if the number of
outbound connections is equal to the number of IP addresses you have
available. I.e., if your NAT device has only one public IP address,
then it can only support one internal IPSec connection at a time.
I have seen problems with that too where you have multiple users
(not simultaneously) connecting. Theoretically you should be able to
get AH working, but you would have to have the packet hash the IP
address of the external host rather than the internal private address.
Although this can be hacked in this way, it is not advisable. No
vendors' IPSec implementations allow this, but if you really want to do
this, check out the FreeS/WAN implementation for Linux, as you could
modify the source code to do that. So in the cable modem case, if you
only have one host then you should not have any problems at all. You
might want to check with your cable modem provider though, as some
providers actually filter packets (read @home in the Silicon Valley area), so
they will need to allow UDP packets to port 500 and generic IP packets
that are of type ESP (50) and AH (51). If you want to follow this issue
in more detail (NAT & IPsec), check out the IETF working group documents
for IPSec, as this is one of the areas of concentration along with policy
management for the next revision of the standard.


Pramod John


>
>
> OK, OK, I claim as defense that I said "tend" as opposed to "do". :-)
>
> Robert
> --
> The above are my opinions.
> Take them or leave them.

--
Dr. Pramod John, President
Oration - The New Voice in Networks
www.oration.com



Dan Cantor
Mar 22, 1999, 3:00:00 AM
I'm at home using Time Warner's Roadrunner service. My NAT box is NT
workstation running Winroute software. The packet filter I have set up is
to allow all of tcp/ip/udp/pptp/icmp both incoming and outgoing. I have
opened this up as much as possible. There are no other settings for any
other protocols (ipsec, etc.) What port does ipsec use?

I am able to ping our extranet switch at work with no problem, I just cannot
connect with the client. I only need one PC to connect to the VPN.

I have no idea what protocols they are using on the extranet switch, but I
think I'm using the 128-bit client. And I assume it's PPTP, but how can I
tell from the client end? A NOC adapter/protocol shows up on my Win98
network config.

-Dan

Pramod John <pra...@oration.com> wrote in message
news:36F6AFB4...@oration.com...

Pramod John
Mar 22, 1999, 3:00:00 AM
Hi Dan,
Dan Cantor wrote:

> I'd like to get into our corporate network via the extranet switches
> (Contivity series). Anyway, I am at home, using a cable modem, and behind a
> makeshift firewall I created using NAT.

Does your firewall do anything other than NAT (packet filtering, inspection)? If
not, drop the firewall. NAT by itself does not offer you any security.


> I've allowed all incoming and
> outgoing packets of origin TCP, UDP, ICMP, IP, and PPTP on my firewall. As
> you can see, I am not filtering ANY packets. Not much of a firewall, but
> I'll lock it down later.

>
>
> How can I get into work's network? I have version 2.0.56 of the extranet
> access switch software, and the message I receive is that I cannot see the
> host. All works well when I am not behind the firewall.
>
> Any suggestions?

>

> Ping the host first from an unencrypted session

Pramod

Dan Cantor
Mar 22, 1999, 3:00:00 AM
I'm not too concerned about security. With Roadrunner cable modem internet
service, you get one DHCP address, so I let my NAT box grab that one. I set
up NAT so my roommates can get to the net while I do.

Not sure what type of routers Time Warner uses, but I'd guess they are
motorola cable routers.

-Dan

Pramod John <pra...@oration.com> wrote in message

news:36F6CA64...@oration.com...

Jim Vincent
Mar 22, 1999, 3:00:00 AM
Dan,

You can get the contivity to work behind a firewall. This involves simply
opening up the ports that the IPSEC traffic uses. However, the NAT piece
is not that trivial. Most NAT implementations can't translate the ESP
protocol that contains the tunnelled traffic. I'm not sure about PPTP. I
know that the Nortel Networks Nautica routers and Instant Internet boxes
can translate ESP but I'd bet that your firewall can't.

Since the firewall can't screen any encrypted traffic anyway, you are
better off just putting the Contivity in parallel with the firewall. It
will only accept secure tunnelled sessions, so there is no security
degradation in this approach.

Jim

Dan Cantor <dca...@columbus.rr.com> wrote in article
<%TkJ2.803$NB5.2...@storm.twcol.com>...


> I'd like to get into our corporate network via the extranet switches
> (Contivity series). Anyway, I am at home, using a cable modem, and behind a
> makeshift firewall I created using NAT. I've allowed all incoming and

George Matey
Mar 22, 1999, 3:00:00 AM
Pramod John wrote:
>
> Robert Pluim wrote:
>
> > >>>>> "George" == George Matey <gma...@baynetworks.com> writes:
> >
> > >> NAT and IPSEC tend not to mix very well. What's doing the NAT
> > >> here?
> > >>
> > George> NAT and IPsec ESP can coexist quite nicely (I use the
> > George> Contivity client in IPsec ESP mode through my Instant
> > George> Internet box, doing NAT, every day).
> >
> > George> Its NAT and IPsec AH, that don't get along.
>
> Actually NAT Only works with IPSEC in ESP mode if the number of
> outbound connections is equal to the number of IP addresses you have
> available. I.E. If your NAT device has only one public IP Address,
> then it can only support one internal IPSec connection at a time.

Not true. As Brett pointed out in another message, you can use the
SPI field to separate simultaneous IPsec sessions through a device
doing NAT. Where it gets tricky is when you have two (or more)
users simultaneously establishing a session, since the SPI is the
same until assigned by the destination. You can look at ISAKMP
information to differentiate the sessions.

This is not just speculation. I've personally tested some code
that does just that (simultaneous IPsec sessions through NAT and
simultaneous establishment of IPsec sessions through NAT). The
only wrinkle in the test was that I needed to access two different
Contivity switches as I only have one login-id.

> I have seen problems with that too where you have multiple users
> (not-simultaneously) connecting. Theoretically you should be able to
> get AH working, but you would have to have the packet hash the IP
> address of the external host rather than the internal private address.
> Although this can be hacked in this way, it is not advisable. No
> vendors IPSec implementations allow this, but if you really want to do
> this check out the Frees/wan implementation for Linux as you could
> modify the source code to do that. So in the cable modem case if you
> only have one host then you should not have any problems at all. You
> might want to check with your cable modem provider though as some
> providers actually filter packets (read @home in Silcon Valley Area) so
> they will need to allow UDP packets to port 500 and generic IP packets
> that are of type ESP(50) and AH(51) . If you want to follow this issue
> in more detail (NAT & IPsec) check out the IETF working group documents
> for IPSec as this is one of the areas of concentration along with Policy
> management for the next revision of the standard.


--
George

George Matey
Mar 22, 1999, 3:00:00 AM
Pramod John wrote:
[snip]
> IP Protocols 50 and 51. It is portless. Many default router configs
> (cisco) have problems with passing portless protocols even with no
> access lists configured. I don't know if that has been fixed in IOS
> release 11.2. So it may be related to such an issue. What you can
> do, if you MS SMS is install the network monitor and look for what
> packets are getting through to where. The Nortel IPsec client uses
> the Ipsec aggressive mode (3 packet exchange) for connecting. If you
> want an exact listing of the protocol and what the packet exchange is
> like, I would be glad to post it.

UDP source and destination port 500

>
>
> I am able to ping out extranet switch at work with no
> problem, I just cannot
> connect with the client. I only need one PC to connect to
> the VPN.
>
> I have no idea what protocols they are using on the extranet
> switch, but I
> think I'm using the 128-bit client. And I assume it's PPTP,
> but how can I
> tell from the client end? A NOC adapter/protocol shows up
> on my Win98
> network config.
>

> It maybe IPSec. Best way is to ask the CES admin what it is. PPTP
> is not the preferred way, our clients tell us that they are getting
> much better performance from the Nortel IPsec client than they do with
> MS PPTP client. The NOC adapter showing up indicates that you have
> the Nortel IPsec client installed on your win98 machine. Just try
> using Ipsec instead of PPTP.

Try looking at the "Security" field on the Contivity Client once its
established.

--
George

George Matey
Mar 22, 1999, 3:00:00 AM
Brett Frankenberger wrote:
>
[snip]
> Address that is making use of that port. This breaks everything except
> protocols 17 (UDP) and 6 (TCP). It is possible to implement to
> implement something similar by using the IPsec "Security Parameters
> Index" in the same manner as the TCP or UDP "port" is used. I've heard
> that someone has written a patch to the Linux NAT (IP Masquerading)
> code to do this, but I've haven't looked into it.

For a Linux patch check out: http://bruman.ne.mediaone.net/
Last I recall, this only patched Masquerading to allow one
IPsec client through.

George "still beating on his Instant Internet colleagues for
an embedded IPsec client" Matey

--
George

Brett Frankenberger
Mar 23, 1999, 3:00:00 AM
In article <36F655...@baynetworks.com>,
George Matey <gma...@baynetworks.com> wrote:
>
>NAT and IPsec ESP can coexist quite nicely (I use the Contivity
>client in IPsec ESP mode through my Instant Internet box, doing
>NAT, every day).

IPsec ESP is not fundamentally broken by NAT. That is, it will happily
tolerate having the source and/or destination IP addresses mangled by
NAT boxes. However, the NAT box has to support protocol 50:

There are at least two ways to do this:

1-to-1 NAT: In this case, the NAT box just blindly translates
addresses without having to look deeper into the frame. It can pass
any protocol that doesn't pass the IP address as layer 3 data (and even
some that do -- like FTP -- if the NAT box has code that recognizes
that specific protocol). Any 1-to-1 NAT box will pass IPsec ESP unless
it specifically filters protocol 50.

1-to-many NAT with code to specifically handle IPsec: In the case of
one-to-many NAT, the NAT box translates one public address to many
private (internal) addresses. This means that when a frame is received
from the Internet, the box has to look at something other than the
destination IP address to figure out what to change the destination IP
address to. With TCP and UDP, this is done by looking at the port --
each port is recorded in a table along with the specific internal IP
address that is making use of that port. This breaks everything except
protocols 17 (UDP) and 6 (TCP). It is possible to implement
something similar by using the IPsec "Security Parameters
Index" in the same manner as the TCP or UDP "port" is used. I've heard
that someone has written a patch to the Linux NAT (IP Masquerading)
code to do this, but I haven't looked into it.

As a practical matter, most current 1-to-1 NAT implementations will
handle IPsec ESP. Most 1-to-many NAT implementations will not.

Brett "one more reason why the whole concept of NAT is fundamentally
bad" Frankenberger
--

- Brett (bre...@netcom.com)

------------------------------------------------------------------------------
... Coming soon to a | Brett Frankenberger
.sig near you ... a Humorous Quote ... | bre...@netcom.com

Brett Frankenberger
Mar 23, 1999, 3:00:00 AM
In article <01be74d9$017c4840$05a8a8c0@navctr>,

Jim Vincent <jlvi...@NOSPAM.concentric.net> wrote:
>
> You can get the contivity to work behind a firewall. This involves simply
>opening up the ports that the IPSEC traffic uses. However, the NAT piece
>is not that trivial. Most NAT implementations can't translate the ESP
>protocol that contains the tunnelled traffic. I'm not sure about PPTP.

PPTP is based on GRE, protocol #47. Most one-to-many NATs can't handle
it either. Most one-to-one NATs can. In theory, you could hack a
one-to-many NAT to handle GRE also, although it's a bit harder because
it doesn't have something obvious to key off of, like the IPSec SPI.
(Allowing only one NAT'd user to connect to any given server would be
easy. Anything more complicated would be harder.)
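The one-to-many NAT behaviour Brett describes in his two posts (TCP/UDP keyed on port, ESP keyed on the SPI, GRE with nothing to key on) and George's point about simultaneous session establishment, as a toy model written for this thread; it is not any vendor's NAT code. Addresses are constructed, the AH integrity check is a stand-in hash over the header fields, and the NAT learns the peer's reply SPI by pairing the first unknown inbound ESP/AH packet with the single inside host waiting on that peer (an assumption of this model, standing in for the ISAKMP inspection George mentions).

```python
from __future__ import annotations
from dataclasses import dataclass, replace
import hashlib

PUBLIC_IP = "203.0.113.5"                    # constructed public address of the NAT box
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51   # IP protocol numbers

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    key: int | None = None   # TCP/UDP port the NAT keys on (src out, dst in) or ESP/AH SPI
    icv: str = ""            # AH integrity check value set by the sender

def ah_icv(p: Packet) -> str:
    """AH authenticates immutable IP header fields, the addresses included (toy hash)."""
    return hashlib.sha256(f"{p.src}|{p.dst}|{p.key}".encode()).hexdigest()

def ah_sign(p: Packet) -> Packet:
    return replace(p, icv=ah_icv(p))

def ah_verifies(p: Packet) -> bool:
    return p.icv == ah_icv(p)

class OneToManyNat:
    def __init__(self) -> None:
        self.table: dict[tuple[int, int], str] = {}   # (proto, key) -> inside host
        self.pending: dict[str, list[str]] = {}       # peer -> hosts awaiting a reply SPI

    def outbound(self, p: Packet) -> Packet | None:
        if p.proto in (TCP, UDP):
            self.table[(p.proto, p.key)] = p.src
        elif p.proto in (ESP, AH):
            # The outbound SPI names this host's SA; the peer's reply SA has its own SPI,
            # which the NAT has not seen yet, so remember who is waiting on this peer.
            self.table[(p.proto, p.key)] = p.src
            self.pending.setdefault(p.dst, []).append(p.src)
        else:
            return None          # GRE (47) and the rest: nothing to key on, so drop
        return replace(p, src=PUBLIC_IP)

    def inbound(self, p: Packet) -> Packet | None:
        host = self.table.get((p.proto, p.key))
        if host is None and p.proto in (ESP, AH):
            waiting = self.pending.get(p.src, [])
            if len(waiting) != 1:
                return None      # zero, or several hosts negotiating at once: ambiguous
            host = waiting.pop()
            self.table[(p.proto, p.key)] = host        # learn the reply SPI
        if host is None:
            return None
        return replace(p, dst=host)
```

Running it through the cases in the thread: ESP from one inside host round-trips, two hosts negotiating with the same peer at once cannot be told apart, GRE is dropped, and an AH packet whose ICV was computed over the private source address fails verification once the NAT rewrites it.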

Lewis Donzis
Mar 24, 1999, 3:00:00 AM
George Matey wrote:

> George "still beating on his Instant Internet colleagues for
> an embedded IPsec client" Matey

We hear ya.

lew "still trying to wade through all of the IPsec RFCs"
