Koozali.org: home of the SME Server

Roger

I have to add a NAT in front of my sme!!
« on: January 08, 2003, 07:38:16 AM »
I have a 5.6b7 sme server-gateway with dynamic IP address. My daughter has a work Windows 98 machine with Cisco VPN client and I want to have her traffic transit the sme to an external Cisco VPN server. No fiddling with iptables or anything seems to help. The Cisco system also supports NAT traversal, transparent tunneling, etc. All options have been tried. First level negotiation (UDP 500) goes back and forth between the client and server and then quits. I think NAT is causing problems with IPSEC and the IP addresses. The frustrating thing is that everything works going through a simple NAT/firewall when tested at a different location (and of course over a straight dial up internet connection).

I do not want to have to put a separate firewall in but it looks like I will have to unless someone can point me in the right direction.

Thanks,
Roger.

Dan G.

Re: I have to add a NAT in front of my sme!!
« Reply #1 on: January 08, 2003, 08:42:26 AM »
What "fiddling" with iptables have you done?  What measures did you take to handle protocols 50 & 51?

Roger

Re: I have to add a NAT in front of my sme!!
« Reply #2 on: January 08, 2003, 04:43:38 PM »
I have tried a number of things and have lost track of the exact order. (If you have suggestions on specifics I can try them). It appears that UDP:500 passes through no problem so I explicitly allowed them but then took the extra commands out.

On the p 50/51 side I have only added commands for p 50. My understanding is that p 50 is ESP and p 51 AH and that AH has no hope of working over IPSEC. On the p 50 side most of the info suggested adding:
iptables -A INPUT -p 50 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT
Which I did.

However since the sme is not the source or destination of these packets I added:
iptables -A FORWARD -p 50 -j ACCEPT
to allow the packets to transit. These made no difference based on tcpdump/Ethereal at the client or ppp0 on the sme.

I also thought I would (as an experiment only) open things up a bit so I tried:
iptables -t nat -A PREROUTING -s -j DNAT --to

I also tried adding most of these commands to the front of the chains using -I instead.

This has almost convinced me that if I flushed all the firewall rules except MASQUERADE it would still not work and that it is the source address/port modifications that are doing it. Hopefully I am wrong and some iptables configuration will work.

Any suggestion?
Roger.

Dan G. wrote:
>
> What "fiddling" with iptables have you done?  What measures
> did you take to handle protocols 50 & 51?
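
The rules above only cover raw ESP (protocol 50), which carries no port numbers for MASQUERADE to map the server's replies back to the client. The added script below is not from this thread or from SME Server; it generates the rule set for the NAT Traversal case instead, where IKE stays on UDP 500 and ESP is encapsulated in UDP 4500, and can print the rules as a dry run or apply them. Interface names ppp0/eth0 and the client address 192.168.1.50 are assumed placeholders; it goes beyond the post by handling both IKE and the NAT-T port rather than protocol 50 alone.

```shell
#!/bin/sh
# Added example (not from the forum thread or SME Server): iptables rules that let
# one IPsec client behind a NAT gateway reach an external VPN server via NAT-T.
# Assumptions: external interface ppp0, internal interface eth0 (both placeholders);
# the client's LAN address is a constructed sample value.

WAN_IF="${WAN_IF:-ppp0}"          # assumed external (dynamic IP) interface
LAN_IF="${LAN_IF:-eth0}"          # assumed internal interface
CLIENT="${CLIENT:-192.168.1.50}"  # constructed sample: the VPN client's LAN address
UDP_PORTS="500 4500"              # 500 = IKE, 4500 = standards-based NAT-T encapsulation

# Emit one iptables command per line.  Once NAT-T is negotiated everything the
# tunnel needs travels over UDP, so MASQUERADE can track it like any other UDP
# flow.  Raw ESP (protocol 50) has no ports, so the server's reply packets cannot
# be mapped back to the private client address; AH (protocol 51) also authenticates
# the IP header that NAT rewrites, so it can never pass.
ipsec_passthrough_rules() {
    for port in $UDP_PORTS; do
        # client -> server
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $CLIENT -p udp --dport $port -j ACCEPT"
        # server -> client (destination already restored by connection tracking)
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $CLIENT -p udp --sport $port -j ACCEPT"
    done
    # source NAT for the client's traffic leaving the dynamic-IP interface
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $CLIENT -j MASQUERADE"
}

# Number of rules the generator produces (two per UDP port plus the MASQUERADE rule)
rule_count() {
    ipsec_passthrough_rules | wc -l | tr -d ' '
}

# Whether traffic of a given IP protocol can be expected to survive this NAT:
# returns 0 for UDP (IKE and NAT-T), 1 for raw ESP/AH, 2 for anything else.
survives_nat() {
    case "$1" in
        udp|17) return 0 ;;
        esp|50|ah|51) return 1 ;;
        *) return 2 ;;
    esac
}

if [ "$1" = "apply" ]; then
    # Apply mode: run each generated command (needs root).
    ipsec_passthrough_rules | while read -r rule; do
        echo "+ $rule"
        eval "$rule"
    done
else
    # Dry run: just show what would be added.
    ipsec_passthrough_rules
fi
```

Run it without arguments to review the rules, or as root with `apply` to install them. The pattern matches what the thread reports: the UDP 500 exchange passes because MASQUERADE can track UDP, while protocol 50 stalls because the return ESP has nothing to map on; with NAT-T enabled on both client and server the data path moves to UDP 4500 and the protocol 50 rules become unnecessary.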

Bob Todd

Re: I have to add a NAT in front of my sme!!
« Reply #3 on: January 08, 2003, 05:00:01 PM »
uhm I ain't no firewall expert but I'm certain I've come across many references that say that IPSEC will NOT work through NAT at all.

Roger

Re: I have to add a NAT in front of my sme!!
« Reply #4 on: January 08, 2003, 05:36:58 PM »
Generally true but the NAT Traversal stuff is supposed to work and it does through a 4 port Gnet firewall at a different location. NAT Traversal needs to be supported by both the client and server and it appears that it is for Cisco. But things are not working so I must have some theory wrong here.

Bob Todd wrote:
>
> uhm I ain't no firewall expert but I'm certain I've come
> across many references that say that IPSEC will NOT work
> through NAT at all.

dave

Re: I have to add a NAT in front of my sme!!
« Reply #5 on: January 09, 2003, 09:52:03 PM »
Roger,

It probably won't help you much but I have a work issued laptop that I take home with me and can connect via VPN to work when I need to.  The laptop runs WinXP and SME is being used as my gateway/firewall.  I use PPPoE to connect to my ADSL ISP and I have a static IP as I have some web sites and email.

The setup we use is by FiberLink (It's called the dialer?  It can be used to call a local number for modem connections - works with dialup and DSL) and the actual VPN Client is Cisco Systems V3.6.

I've never had any problems connecting and I've made no customizations to my SME installation.  Let me know if there's any info I can give, if it will help.

Dave

Roger

Re: I have to add a NAT in front of my sme!!
« Reply #6 on: January 09, 2003, 10:51:00 PM »
Dave,

Thanks for your response. One important (for me) question is whether you are using the SME to NAT. If you have a static IP and only one computer on the internal side does anyone know if DHCP & NATing is still done automatically? Do you have other computers at home on a LAN that you plug your laptop into? What version of SME are you running? Is the FiberLink a software dialer that you run on your laptop? I am confused by that since I thought the VPN Client from Cisco did that.

Thanks again for your help,
Roger.

dave wrote:
>
> Roger,
>
> It probably won't help you much but I have a work issued
> laptop that I take home with me and can connect via VPN to
> work when I need to.  The laptop runs WinXP and SME is being
> used as my gateway/firewall.  I use PPPoE to connect to my
> ADSL ISP and I have a static IP as I have some web sites and
> email.
>
> The setup we use is by FiberLink (It's called the dialer?  It
> can be used to call a local number for modem connections -
> works with dialup and DSL) and the actual VPN Client is Cisco
> Systems V3.6.
>
> I've never had any problems connecting and I've made no
> customizations to my SME installation.  Let me know if
> there's any info I can give, if it will help.
>
> Dave

dave

Re: I have to add a NAT in front of my sme!!
« Reply #7 on: January 14, 2003, 11:03:33 PM »
Roger,

Sorry for the delay in responding...  

SME is set up in server and gateway mode, its external NIC is attached directly to the DSL modem.  It's a speedstream and it doesn't route, that's handled by SME.  The internal NIC is connected to a SOHO 8 port 10/100 switch.  I do have a small home network, including my test boxes, I have about 7 systems on it.  SME is the default gateway and handles NAT in my setup.  I'm running SME 5.5U2.  I have set the SME box up to be a standalone domain, it runs email and web server too.  DHCP services are disabled on the SME box.

I have an internal Win2K server providing DHCP, DNS, WINS and Domain Authentication services to the internal (it's a separate domain from the SME box) network.  DNS and WINS on the Win2K server deals with local name resolution as I'm running a mix of OS's on the local lan.  It also is the general shared file server.

To connect from home via VPN, I hook up to one of the ports on the switch (the work laptop has a built in NIC) and boot the laptop - it's running XP Pro.  I login to the laptop locally and it uses the 'cached' profile.  I pick this option because I don't want my home network DC security settings screwing anything up on my work PC.  After it boots up, I've checked the IP configuration, it acquires a local IP address assigned from my Win2K server, I can see the lease from the server.  My DHCP assigns local IP address, DNS, WINS and default gateway addys.  The default gateway is the SME box's internal IP address, same for all clients on the lan.

I open the dialer which (I think) handles verifying there's a connection to the internet available.  This can be used to open a dialup connection or to use an already established internet connection via ethernet.  This dialer app automatically launches the VPN software and requests the secure card numbers and etc.  Once I authenticate to the remote (work) network, the laptop's DNS and WINS settings change.  I don't remember if it changes the default router address, I don't think it can since the SME box IS the local router.

Let me know if you have any more specific questions. I don't check this forum every day, so feel free to email me directly if you want: dave@shipmanhome.net.