VPN question
on 22.09.2004 15:55:39 by Tony Gogoi
Hello,
Can multiple IPSEC VPN clients (road-warrior type & private IP addresses)
connect to a VPN server from behind a NAT firewall?
The reason I pose this is: We have a linux firewall (not VPN gateway). As
long as a private internal IP address is NAT'ed to a unique external
address on the outgoing interface of the firewall, things are normal.
But if more than one VPN client from the private network gets masqueraded
to the outgoing interface, authentication is not even possible. This is
observed from TCPdump. Reason:
Let the outgoing interface of the firewall be 28.29.30.31.
Let there be 2 VPN clients: 192.168.17.20 and 192.168.17.40.
Then the first client (say 192.168.17.20) which requests authentication
from the remote VPN server (there is no VPN gateway at our end), sends a
request from 192.168.17.20-port isakmp. The firewall on its behalf sends a
request from 28.29.30.31-port isakmp and the remote VPN server responds
correctly to 28.29.30.31-port isakmp and client is authenticated.
The 2nd client sends a request from 192.168.17.40-port isakmp. The
firewall cannot reuse port isakmp and instead sends an authentication
request from 28.29.30.31-port 12 (say). The remote VPN server INCORRECTLY
responds to 28.29.30.31-port isakmp where it should have responded to port
12 of our firewall !!! So the firewall passes on the packet to the first
VPN client (which is already authenticated).
Is it part of VPN protocol for a VPN server to reply authentication
requests to port isakmp? Or is it a configuration issue for the remote VPN
server?
Regards,
Tony
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
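The misrouting described in the question can be reproduced with a small model of the masquerading NAT table. This is an added example, not code from the thread or from any particular firewall; it assumes a minimal port-overloading NAT that keeps the inside source port when it is free and otherwise allocates an ephemeral port (the starting value 1024 is a placeholder, not what a real kernel picks), and it models the remote IKE responder in two modes: replying to the observed UDP source port, or always replying to port 500 (isakmp) regardless of where the request came from. The second mode is what the tcpdump trace in the question shows, and the model confirms that it delivers the second client's reply to the first, already authenticated, client.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ISAKMP_PORT = 500  # UDP port used by IKE/ISAKMP


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class Nat:
    """Minimal source-NAT (masquerade) table for one external address.

    Assumption (not a real kernel): the inside source port is preserved when
    free; otherwise the next ephemeral port is allocated.
    """
    external_ip: str
    next_ephemeral: int = 1024  # placeholder start of the ephemeral range
    outbound: Dict[Endpoint, int] = field(default_factory=dict)  # inside -> outside port
    inbound: Dict[int, Endpoint] = field(default_factory=dict)   # outside port -> inside

    def translate_out(self, src: Endpoint) -> Endpoint:
        """Map an inside endpoint to the external address and a unique port."""
        if src in self.outbound:
            return Endpoint(self.external_ip, self.outbound[src])
        port = src.port
        if port in self.inbound:           # port 500 already taken by another client
            port = self.next_ephemeral
            self.next_ephemeral += 1
        self.outbound[src] = port
        self.inbound[port] = src
        return Endpoint(self.external_ip, port)

    def translate_in(self, dst_port: int) -> Optional[Endpoint]:
        """Reverse-map a reply by its destination port; None if no mapping."""
        return self.inbound.get(dst_port)


def responder_reply_port(observed_src_port: int, reply_to_fixed_port: bool) -> int:
    """Port the remote IKE responder addresses its reply to.

    reply_to_fixed_port=True models a responder that always answers to
    UDP 500, ignoring the source port it actually saw on the request.
    """
    return ISAKMP_PORT if reply_to_fixed_port else observed_src_port


def simulate(clients: List[str], reply_to_fixed_port: bool) -> Dict[str, Optional[str]]:
    """Return, per requesting client, the inside IP that receives its IKE reply."""
    nat = Nat("28.29.30.31")  # external interface from the question
    delivered: Dict[str, Optional[str]] = {}
    for client in clients:
        outside = nat.translate_out(Endpoint(client, ISAKMP_PORT))
        reply_port = responder_reply_port(outside.port, reply_to_fixed_port)
        inside = nat.translate_in(reply_port)
        delivered[client] = inside.ip if inside else None
    return delivered


def misrouted(clients: List[str], reply_to_fixed_port: bool) -> List[str]:
    """Clients whose IKE reply was delivered to some other inside host (or dropped)."""
    result = simulate(clients, reply_to_fixed_port)
    return [c for c in clients if result[c] != c]


if __name__ == "__main__":
    clients = ["192.168.17.20", "192.168.17.40"]  # the two clients from the question
    for fixed in (True, False):
        mode = "responder replies to fixed port 500" if fixed else "responder replies to observed port"
        print(mode, "->", simulate(clients, fixed), "misrouted:", misrouted(clients, fixed))
```

Running the model with the two clients from the question shows the first client always gets its reply, while the second client's reply reaches 192.168.17.20 whenever the responder ignores the observed source port. The detection signal on the firewall is exactly what the poster saw: an inbound IKE packet to port 500 whose ISAKMP cookies belong to a different exchange than the one mapped on that port. The general remedy is IKE NAT-Traversal (RFC 3947), which detects the NAT and moves both IKE and the encapsulated ESP traffic onto UDP 4500 so that each client keeps a distinct, tracked mapping.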
Re: VPN question
on 22.09.2004 23:42:31 by Tony Gogoi
Looks like the linux kernel will have to be patched. ISAKMP (key-exchange)
protocol uses protocol 50 which is unsupported by the kernel.
On Wed, 22 Sep 2004,
Tony Gogoi wrote:
>
> Hello,
>
> Can multiple IPSEC VPN clients (road-warrior type & private IP addresses)
> connect to a VPN server from behind a NAT firewall?
>
> The reason I pose this is: We have a linux firewall (not VPN gateway). As
> long as a private internal IP address is NAT'ed to a unique external
> address on the outgoing interface of the firewall, things are normal.
>
> But if more than one VPN client from the private network gets masqueraded
> to the outgoing interface, authentication is not even possible. This is
> observed from TCPdump. Reason:
>
> Let the outgoing interface of the firewall be 28.29.30.31.
> Let there be 2 VPN clients: 192.168.17.20 and 192.168.17.40.
>
> Then the first client (say 192.168.17.20) which requests authentication
> from the remote VPN server (there is no VPN gateway at our end), sends a
> request from 192.168.17.20-port isakmp. The firewall on its behalf sends a
> request from 28.29.30.31-port isakmp and the remote VPN server responds
> correctly to 28.29.30.31-port isakmp and client is authenticated.
>
> The 2nd client sends a request from 192.168.17.40-port isakmp. The
> firewall cannot reuse port isakmp and instead sends an authentication
> request from 28.29.30.31-port 12 (say). The remote VPN server INCORRECTLY
> responds to 28.29.30.31-port isakmp where it should have responded to port
> 12 of our firewall !!! So the firewall passes on the packet to the first
> VPN client (which is already authenticated).
>
> Is it part of VPN protocol for a VPN server to reply authentication
> requests to port isakmp? Or is it a configuration issue for the remote VPN
> server?
>
> Regards,
> Tony
Tony Gogoi