isakmpd + nat (Yes Again!)


isakmpd + nat (Yes Again!)

Roy Morris-4
ok, I know I've seen this before but can't seem to find the link. I am
setting up a vpn using isakmpd and for the regular net to net stuff it
works fine. I am trying to use an alias ip on each gateway and nat to
the internal host. The isakmpd.conf would use phase one real-ip-1 and
use real-ip-2 (nat/binat) to the internal client.

Is this making sense? ..

I1 (172.30.1.2) -> GW1(10.0.1.1/24) -router - GW2(10.0.2.1/24)
I1------>NAT ----->10.0.1.2 x-router-x 10.0.2.2 NAT ->I2 (172.31.1.2)

pf.conf should? have
binat on enc0 from 172.30.1.2 to any ->10.0.1.2

and would also have /etc/hostname.xyz
inet alias 10.0.1.2

and the same stuff on the other end. Packet capture shows it using
the external interface with no nat to get out.

What am I doing wrong? - a link, doc or whack upside the head is
accepted!

thanks
Roy


Re: isakmpd + nat (Yes Again!)

Matthew Closson
On Tue, 20 Jun 2006, Roy Morris wrote:

> ok, I know I've seen this before but can't seem to find the link. I am
> setting up a vpn using isakmpd and for the regular net to net stuff it
> works fine. I am trying to use an alias ip on each gateway and nat to
> the internal host. The isakmpd.conf would use phase one real-ip-1 and
> use real-ip-2 (nat/binat) to the internal client.
>
> Is this making sense? ..
>
> I1 (172.30.1.2) -> GW1(10.0.1.1/24) -router - GW2(10.0.2.1/24)
> I1------>NAT ----->10.0.1.2 x-router-x 10.0.2.2 NAT ->I2 (172.31.1.2)
>
> pf.conf should? have
> binat on enc0 from 172.30.1.2 to any ->10.0.1.2
>
> and would also have /etc/hostname.xyz
> inet alias 10.0.1.2
>
> and the same stuff on the other end. Packet capture shows it using
> the external interface with no nat to get out.
>
> What am I doing wrong? - a link, doc or whack upside the head is
> accepted!
>
> thanks
> Roy

Roy,

I tried for weeks to get this to work and eventually abandoned the idea
due to a deadline to just get it working.  I ended up sticking another
cheap box (P133) in front of the box doing IPSEC and performing NAT on
there.  Then I would create IP aliases on the NAT box as well as the IPSEC
box for those cases and that worked fine.

Problem is that the OpenBSD kernel does IPSEC flow processing before it
does NAT.  So if you try to do both on the same box your packets will
not match your defined IPSEC SA because they have not yet been
NAT'd in which case they will just be dropped by the kernel.

This is from man ipsec:

-----------------------------------

NAT can also be applied to enc# interfaces, but special care should be
taken because of the interactions between NAT and the IPsec flow
matching, especially on the packet output path.  Inside the TCP/IP stack,
packets go through the following stages:

      UL/R -> [X] -> PF/NAT(enc0) -> IPsec -> PF/NAT(IF) -> IF
      UL/R <-------- PF/NAT(enc0) <- IPsec -> PF/NAT(IF) <- IF

With IF being the real interface and UL/R the Upper Layer or Routing
code.  The [X] stage on the output path represents the point where the
packet is matched against the IPsec flow database (SPD) to determine if
and how the packet has to be IPsec-processed.  If, at this point, it is
determined that the packet should be IPsec-processed, it is processed by
the PF/NAT code.  Unless PF drops the packet, it will then be
IPsec-processed, even if the packet has been modified by NAT.

---------------------------------------------

There are some older posts by Cedric that indicate at least on old
versions of OpenBSD/isakmpd you could manually add a fake flow to the SADB
using ipsecadm that basically said 170.30.1.2 -> other_side is a valid
IPSEC flow, that way the packet would be processed, then you could do NAT
on the enc0 interface and cause the source IP to be NAT'd and match the
real IPSEC flow.  However I never got this working and comments from the
original post made it seem to me that this does not work in the current
version of OpenBSD.  Good Luck!

  -Matt-
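The stage order quoted from the man page above is what explains Roy's packet capture: the SPD lookup at [X] sees the packet before any binat on enc0 has touched it, so a packet from 172.30.1.2 never matches a flow negotiated for 10.0.1.2 and leaves the real interface in the clear. The following Python model of that output path is an added example, not code from the thread or from OpenBSD; it uses the addresses from Roy's diagram, and assumes an external interface named em0, a phase-2 flow of 10.0.1.2/32 to 172.31.1.0/24, and a binat rule matched on source address only. The IPsec stage is reduced to a flag; SA selection, which is where Matt reports the ipsecadm trick failed for him, is not modelled.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Addresses from Roy's diagram; the interface name and phase-2 network below
# are assumptions made for this model.
INNER_HOST = "172.30.1.2"   # I1, the internal client behind GW1
ALIAS_ON_GW1 = "10.0.1.2"   # alias Roy adds on GW1 and uses as binat target
REMOTE_HOST = "172.31.1.2"  # I2, the host behind GW2
REAL_IF = "em0"             # assumed name of GW1's external interface ("IF")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ipsec: bool = False          # True once the IPsec stage has handled it
    egress: Optional[str] = None


@dataclass(frozen=True)
class Flow:
    """One SPD entry: traffic from src_net to dst_net is to be IPsec-processed."""
    src_net: str
    dst_net: str


@dataclass(frozen=True)
class Binat:
    """Outbound half of 'binat on <iface> from <orig> to any -> <xlate>'."""
    iface: str
    orig: str
    xlate: str


def spd_match(pkt: Packet, spd: List[Flow]) -> bool:
    """Stage [X]: is there a flow covering the packet as it looks right now?"""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    return any(s in ip_network(f.src_net) and d in ip_network(f.dst_net)
               for f in spd)


def pf_nat(pkt: Packet, iface: str, rules: List[Binat]) -> Packet:
    """PF/NAT stage for one interface: rewrite the source if a rule applies."""
    for r in rules:
        if r.iface == iface and r.orig == pkt.src:
            return replace(pkt, src=r.xlate)
    return pkt


def output_path(pkt: Packet, spd: List[Flow], rules: List[Binat]) -> Packet:
    """Walk the man page order: UL/R -> [X] -> PF/NAT(enc0) -> IPsec -> PF/NAT(IF) -> IF."""
    if spd_match(pkt, spd):                # [X]: SPD lookup on the un-NATed packet
        pkt = pf_nat(pkt, "enc0", rules)   # PF/NAT(enc0) runs only for matched packets
        pkt = replace(pkt, ipsec=True)     # IPsec stage (SA selection not modelled)
    pkt = pf_nat(pkt, REAL_IF, rules)      # PF/NAT(IF)
    return replace(pkt, egress=REAL_IF)    # IF


REAL_FLOW = Flow(f"{ALIAS_ON_GW1}/32", "172.31.1.0/24")  # assumed phase-2 flow
ROY_BINAT = [Binat("enc0", INNER_HOST, ALIAS_ON_GW1)]    # Roy's pf.conf line


def roys_setup() -> Packet:
    """binat on enc0 alone: [X] sees 172.30.1.2, finds no flow, packet goes out clear."""
    return output_path(Packet(INNER_HOST, REMOTE_HOST), [REAL_FLOW], ROY_BINAT)


def nat_box_in_front() -> Packet:
    """Matt's workaround: a separate box NATs first, so GW1 sees 10.0.1.2 at [X]."""
    already_natted = Packet(ALIAS_ON_GW1, REMOTE_HOST)
    return output_path(already_natted, [REAL_FLOW], [])


def extra_flow_for_inner_host() -> Packet:
    """The ordering behind the old ipsecadm trick Matt mentions: an extra flow for
    172.30.1.2 makes [X] match, so binat on enc0 is reached before IPsec."""
    extra = Flow(f"{INNER_HOST}/32", "172.31.1.0/24")
    return output_path(Packet(INNER_HOST, REMOTE_HOST), [REAL_FLOW, extra], ROY_BINAT)


if __name__ == "__main__":
    for name, fn in [("roy's pf.conf", roys_setup),
                     ("nat box in front", nat_box_in_front),
                     ("extra flow", extra_flow_for_inner_host)]:
        print(f"{name:18} -> {fn()}")
```

Running it shows the first case leaving em0 with source 172.30.1.2 and no IPsec processing, which is the behaviour Roy saw in his capture; the second case is Matt's two-box arrangement, where the SPD lookup already sees the aliased address. The third case only demonstrates that a matching flow at [X] is what makes the enc0 binat reachable at all; whether the resulting packet then picks up the right SA is outside this model.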


Re: isakmpd + nat (Yes Again!)

Morris, Roy
In reply to this post by Roy Morris-4
> Roy,
>
> I tried for weeks to get this to work and eventually abandoned the idea
> due to a deadline to just get it working.  I ended up sticking another
> cheap box (P133) in front of the box doing IPSEC and performing NAT on
> there.  Then I would create IP aliases on the NAT box as well as the IPSEC
> box for those cases and that worked fine.
>
> Problem is that the OpenBSD kernel does IPSEC flow processing before it
> does NAT.  So if you try to do both on the same box your packets will
> not match your defined IPSEC SA because they have not yet been
> NAT'd in which case they will just be dropped by the kernel.

Thanks for the reply Matt,

In the end I was ABLE to get it all working. I am just running it through
some tests now, but it seems fine.

Cheers!
roy