Re: VPN client cannot connect through OpenBSD router/firewall

On Mon, 17 Jan 2005 22:38:05 +0100, Laurent Cheylus <[email protected]> wrote:
> Hi Rick,
> On Mon, Jan 17, 2005 at 12:06:54PM -0600, Rick Barter wrote:
> > Okay.  I have a problem that I can't get my brain around and I need
> > some help.  My wife needs to connect to her VPN at work.  I've
> > captured packets for her connection and see that it's connecting to
> > her work server on ports 53 (dns) and 500 (isakmp).
Are you sure about the port 53 part?
Normally UDP/53 would be used once to find the IP address of the VPN
gateway, then the connection is negotiated using IKE on UDP/500 (both
source and destination port are 500) then the actual VPN traffic
continues on IP Protocol 50 (ESP).  The client may later do further
handshaking on UDP/500 for rekey, etc.
Many headends enforce the requirement that incoming IKE packets have
both source and destination port of 500.  PAT will rewrite the source
port, causing the IKE packets from the internal client to be rejected
at the headend.
> > I thought that since she was initiating the connections to port 53 and
> > 500 that the keep state entries on the outbound tcp and udp traffic
> > would be enough to ensure she could connect and wouldn't require me to
> > set up NAT for these connections.  Am I wrong?  What am I missing here?
Correct.  There should not be a need for adding specific NAT policies
just for the VPN.  The existing NAT and keep state should suffice.
> According to your pf.conf, your TCP/UDP outbound connections are NATed.
> To use VPN IPsec client with a NAT gateway like yours, VPN client must
> use NAT-Traversal (ESP packets encapsulation in UDP packets on port
> 4500). And the IPsec gateway of your wife at work must also support
> NAT-Traversal.
NAT-Traversal is not absolutely required for a VPN session using ESP
in "Tunnel Mode" to succeed through a smart (static-port, IPSEC-aware)
NAT.  The core of the problem is that NAT breaks AH, will break ESP
in transport mode, and PAT can cause problems with IKE.
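As an added illustration of the "static-port, IPSEC-aware NAT" point above (this is not Rick's pf.conf from the thread and not code from either poster), here is a minimal OpenBSD 3.x-era pf.conf fragment that keeps the source port of outbound IKE at 500 so the headend does not reject it, and passes the ESP (IP protocol 50) traffic that follows. Interface names, the internal network and the rule set are assumptions for the example.

```pf
# Added example: pf.conf fragment for a single IPsec client behind PAT.
# Interface names and network are placeholders, not from the thread.
ext_if  = "fxp0"
int_if  = "xl0"
int_net = $int_if:network

# NAT rules are first-match in this pf syntax, so the IKE rule must come
# before the catch-all.  'static-port' keeps the client's source port 500
# intact, which a headend that insists on 500 -> 500 will accept.
nat on $ext_if proto udp from $int_net to any port 500 -> ($ext_if) static-port
nat on $ext_if from $int_net to any -> ($ext_if)

# Allow IKE (UDP/500), NAT-T if the client and headend use it (UDP/4500),
# and the ESP packets carrying the actual tunnel traffic.
pass in  on $int_if proto udp from $int_net to any port { 500, 4500 } keep state
pass in  on $int_if proto esp from $int_net to any
pass out on $ext_if proto udp from ($ext_if) to any port { 500, 4500 } keep state
pass out on $ext_if proto esp from ($ext_if) to any
```

Two caveats worth checking before relying on this: static-port only helps one internal client at a time, since two hosts cannot both own source port 500 on the same external address, and ESP has no port numbers for pf to multiplex on, so a second client to the same headend without NAT-T will collide. On OpenBSD 4.7 and later the same intent is written with `match out on $ext_if ... nat-to ($ext_if) static-port` rules instead of `nat on`.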