
Linux IPTABLES and IPSec pass-through


Karl Keyte

Nov 22, 2002, 7:15:16 AM
Anyone know if any of the newer Linux kernels have support for NATted IPSec
pass-through? Basically, I run a NATted private network behind a Linux
firewall. I now want clients on the private network to be able to connect to
IPSec VPN servers outside of the firewall. I need at least two clients
connecting, though they will connect to different VPN servers.

Any suggestion as to how best do this? I think I need some kind of IPSec
connection-tracking in the kernel, as well as the correct iptables entries.

Thanks,

Karl

Cedric Blancher

Nov 22, 2002, 7:53:44 AM
In his prose, Karl Keyte (ka...@removethis.koft.com) wrote to us:

> Anyone know if any of the newer Linux kernels have support for NATted IPSec
> pass-through? Basically, I run a NATted private network behind a Linux
> firewall. I now want clients on the private network to be able to connect to
> IPSec VPN servers outside of the firewall. I need at least two clients
> connecting, though they will connect to different VPN servers.

It is possible with the following limitations:

. You can't use AH, as it authenticates the whole IP packet,
whose header is altered by NAT.
. You can't use ESP transport mode for TCP, as the TCP checksum
relies on the IP addresses, which are altered by NAT (so the TCP checksum
fails after ESP decryption).

You can set up one internal server by simply redirecting UDP 500, AH and
ESP to this box. You can set up as many clients as you want as your NAT
layer is able to NAT any layer 4 protocol, which, afaik, is true for
Netfilter newnat stuff (use patch-o-matic). Just set up outgoing SNAT on
UDP 500, AH and ESP.

You can also use the AH/ESP tracking patch from iptables patch-o-matic to
help with debugging.

--
> I want a paperclip for sendmail!
Hmm ... poor paperclip, with that it's going to have a brain overflow...
-+- NLS in GFA : Pity the paperclips! -+-
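As an added example (not code from the thread), here is a small sh script that builds the two rule sets Cedric describes: outgoing SNAT of UDP 500 (IKE), ESP (IP protocol 50) and AH (IP protocol 51) for any number of internal clients, and inbound DNAT of the same three to a single internal IPsec server. The interface name, addresses and the internal server address are assumed placeholders, and DRY_RUN=1 prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example: iptables rules for IPsec pass-through on a NAT firewall.
# All interface names and addresses below are assumed placeholders.
WAN_IF="${WAN_IF:-eth0}"                       # external interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"           # private network behind NAT
WAN_IP="${WAN_IP:-203.0.113.10}"               # public address (documentation range)
IPSEC_SERVER="${IPSEC_SERVER:-192.168.1.20}"   # the one internal IPsec server

# IPsec is three things on the wire: IKE on UDP/500, ESP (proto 50), AH (proto 51).
IPSEC_MATCHES='-p udp --dport 500|-p 50|-p 51'

# Run iptables, or just print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Case 1: many internal clients, different external VPN servers.
# SNAT all three components so replies return to the firewall; the kernel
# then needs NAT connection tracking for ESP/AH (newnat / patch-o-matic).
ipsec_client_snat() {
    echo "$IPSEC_MATCHES" | tr '|' '\n' | while read -r match; do
        # $match is intentionally unquoted so it splits into separate arguments
        ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" $match \
            -j SNAT --to-source "$WAN_IP"
        ipt -A FORWARD -s "$LAN_NET" -o "$WAN_IF" $match -j ACCEPT
        ipt -A FORWARD -d "$LAN_NET" -i "$WAN_IF" $match -j ACCEPT
    done
}

# Case 2: exactly one internal IPsec server. Redirect inbound IKE, ESP and AH
# to it. Only one server fits here: a raw ESP/AH packet carries no port, so
# the firewall has nothing to tell two internal servers apart by.
ipsec_server_dnat() {
    echo "$IPSEC_MATCHES" | tr '|' '\n' | while read -r match; do
        ipt -t nat -A PREROUTING -i "$WAN_IF" $match \
            -j DNAT --to-destination "$IPSEC_SERVER"
        ipt -A FORWARD -i "$WAN_IF" -d "$IPSEC_SERVER" $match -j ACCEPT
    done
}

# Usage: DRY_RUN=1 sh this_script.sh   (or source it and call the functions)
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    ipsec_client_snat
    ipsec_server_dnat
fi
```

Modern IPsec stacks negotiate NAT-T (UDP 4500, RFC 3948) and avoid most of this; the thread predates it.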
