Help with Nortel IPsec on Redhat Linux 2.4.16 using iptables
Anoosh Atari
anoosh.atari@atl.sita.int
Fri, 11 Jan 2002 16:33:08 -0500
Please forgive me if this is a repeat topic. I have searched the net for over 30 hours and have found mismatched information on how to connect a Windows 2K via a Linux FW/GW on to my company's server using IPSEC etc.
I am finding confusing information pointing to MASQUERADING versus SNAT etc. I cannot get the Nortel to work from Win2K going through my Linux box, but it will work if I connect my laptop to my DSL modem, bypassing the Linux FW box altogether. My research areas have been www.netfilter.org, www.involution.com, http://www.knowplace.org/netfilter/ and more.
I have the basic setup.
1. eth0 to WAN (DSL modem Static IP)
2. eth1 to LAN (192.168.x.x)
3. Linux redhat 7.1 Kernel 2.4.16
4. Iptables running with NAT and filter rules to let me run DNS, SMTP, WWW, etc...
To get Nortel IPSEC VPN working I have modified my rc.firewall to accept protocols 50 and 51, and opened and forwarded port 500 (UDP and TCP). I have tried NATing everything from source 57.x.x.x (my company server) to my 192.168.1.42 (my Win2K); I have tried stuff in the preroute and postroute chains. Still not working. I have DNATed packets with -dport of 500 to my Win2K and allowed forward rules to let them go through. I have turned on logging on the INPUT, NAT, OUTPUT chains and see that my laptop goes far enough to use UDP port 500, but when it switches to the ESP protocol it just times out. When running the Nortel Windows program, my Win2K gets as far as getting enough information to set up its default route and DNS, but that is as far as it goes; I think this is because of port 500 UDP handshake stuff.
QUESTIONS I have are these.
1. Is it correct to do "iptables -A INPUT -p 50 -j ACCEPT" when the Linux box itself is not the peer for IPSEC? My understanding is that the INPUT chain is for local process filtering (e.g. the packet ends up on the firewall itself). Same for "iptables -A INPUT -p 51 -j ACCEPT" and "iptables -A INPUT -i eth0 -p udp -dport 500 -j ACCEPT".
2. I know the other peer's IP address, and I have tried doing a PREROUTE command to DNAT everything coming from source IP 57.x.x.x to its new destination of 192.168.1.42, and have added FORWARD statements to allow it. Should this be enough?
3. Some articles on the net point to IPSEC not working with NAT if they use AH. How can I find that out? Our network people are no help; all they tell you is to open your FIREWALL for UDP port 500. I have a co-worker using a Linksys router/firewall/NAT and his Win2K is working fine, with a NATed address. The difference is that I am using Linux to do the firewalling.
4. Is VPN Masquerading required for this? Some articles say yes, some say no if you are using only one PC.
5. Is VPN Masquerading enabled in the Redhat 7.1 kernel 2.4.16, or does it need to be patched and re-compiled?
6. Another article says you must do "iptables -t nat POSTROUTING -o eth0 -j MASQUERADE"; that should be the same as SNAT if you know your static IP address, otherwise the NAT behavior should be the same?
What have I missed here?
Thanks
Alex@poptown.com
Sincerely
A. Atari, Senior Manager Global Messaging Services SITA
Work (770)850-5380, Fax (770)850-5390, Mobile (678)488-1952
3100 Cumberland Cir, Suite 200,
Atlanta, GA 30339 USA
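As an added example (not from the post or from Nortel), the rule set below shows the shape of an iptables configuration that passes IKE (UDP 500) and ESP (protocol 50) from a single LAN host through a Linux NAT gateway, using the FORWARD and nat chains rather than INPUT. The interface names and the 192.168.1.42 client come from the post; the WAN address and the peer address are assumed placeholders, and the script only prints the rules unless DRY_RUN=0.

```sh
#!/bin/sh
# Constructed example: IPsec pass-through for ONE LAN client behind a Linux NAT box.
# Defaults assume the FORWARD chain's policy is DROP and these rules are added before
# any REJECT rule. Addresses marked "placeholder" are not from the original post.
WAN_IF=eth0
LAN_IF=eth1
WAN_IP=${WAN_IP:-203.0.113.10}   # placeholder: the gateway's static DSL address
PEER=${PEER:-57.0.0.1}           # placeholder for the company VPN gateway (57.x.x.x)
CLIENT=192.168.1.42              # the Win2K host named in the post
DRY_RUN=${DRY_RUN:-1}            # 1 = print the rules only, 0 = apply them

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

ipsec_passthrough_rules() {
    # IKE negotiation (UDP 500): forwarded only between the one client and the peer.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$CLIENT" -d "$PEER" -p udp --dport 500 -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$PEER" -d "$CLIENT" -p udp --sport 500 -j ACCEPT
    # Steer peer-initiated IKE to the client (replies to client-initiated IKE are
    # handled by the SNAT connection-tracking entry and need no DNAT rule).
    ipt -t nat -A PREROUTING -i "$WAN_IF" -s "$PEER" -p udp --dport 500 -j DNAT --to-destination "$CLIENT"
    # ESP (protocol 50) carries no port numbers, so inbound ESP can only be steered to
    # a single client by a static DNAT keyed on the peer's address. AH (protocol 51)
    # is intentionally NOT forwarded: it authenticates the outer IP header, which NAT
    # rewrites, so the peer would reject every AH packet anyway.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$CLIENT" -d "$PEER" -p esp -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$PEER" -d "$CLIENT" -p esp -j ACCEPT
    ipt -t nat -A PREROUTING -i "$WAN_IF" -s "$PEER" -p esp -j DNAT --to-destination "$CLIENT"
    # Outbound source NAT to the static WAN address; for a fixed IP this is equivalent
    # to MASQUERADE but does not re-resolve the address on every packet.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$CLIENT" -d "$PEER" -j SNAT --to-source "$WAN_IP"
}

# Self-check helper: how many emitted rules match a given "-p <proto>" selector.
count_rules_for() {
    ipsec_passthrough_rules | grep -c -- "-p $1"
}

ipsec_passthrough_rules
```

Run with DRY_RUN=0 as root to apply; the printed form is useful for reviewing the rules against the LOG output mentioned in the post.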