Help with Nortel IPsec on Redhat Linux 2.4.16 using iptables

Aldo S. Lagana alagana@discmail.com
Sat, 19 Jan 2002 09:40:28 -0500


Most likely it seems a NAT/MASQUERADING issue - is it that your Linux
box is a NAT server for incoming or outgoing connections?  If so, NATing
IPSec connections will cause issues in Authenticating packets since they
(the packets) are changed.  

From what I can gather, your Nortel is one IPSec endpoint and the client
w2k is the other IPSec endpoint:

W2k----Internet----Linux----Nortel-----Corp LAN

If the Linux Router NATs incoming IPSec connections, there will be
issues on the Nortel as the packets have been changed since the w2k
client sent them out.  One option is to NOT NAT IPSec connections from
the w2k endpoint to the Nortel, but to just pass them on untouched,
something like:
iptables -I FORWARD -p 50 -d <NORTEL> -j ACCEPT               # ESP (IP protocol 50)
iptables -I FORWARD -p 51 -d <NORTEL> -j ACCEPT               # AH (IP protocol 51)
iptables -I FORWARD -p udp -d <NORTEL> --dport 500 -j ACCEPT  # IKE/ISAKMP key exchange

By the way MASQUERADING is a Linux Firewall buzzword for a special case
of Source NAT (I think I stole those words from someone, but - what the
heck...) - when there is only one IP address to change the source
address into.  More generic SNAT allows one to NAT against a list of
<Public> addresses.
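The reply's two points, that rewriting a packet's source breaks IPsec authentication and that MASQUERADE is just source NAT with a single public address, can be checked in a small model. The following is an added example, not code from the thread or from any of the products mentioned: it models the AH and ESP integrity check values with HMAC-SHA1-96, applies a MASQUERADE-style source rewrite, and shows that AH fails afterwards (its ICV covers the outer IP addresses) while ESP's ICV still verifies (it never covered the outer header). The Nortel address, public IP and SA key are constructed placeholders; 192.168.1.42 is the client address from the thread. Note that the exemption is modelled as an ACCEPT in the nat POSTROUTING chain, since that is the table where netfilter decides whether to translate; a filter-table FORWARD ACCEPT on its own does not prevent a later MASQUERADE from rewriting the source. The model covers integrity only, not IKE or connection tracking.

```python
# Added example (not from the mailing list thread): a simplified model of why
# source NAT breaks AH but not ESP integrity, and of the nat-table exemption
# that keeps IPsec traffic untouched. All keys and addresses are constructed.
import hmac
import hashlib
from dataclasses import dataclass, replace

ESP, AH = 50, 51                       # IP protocol numbers used in the thread
DEMO_KEY = b"constructed-demo-sa-key"  # constructed SA key, not a real one
NORTEL = "198.51.100.10"               # constructed stand-in for the Nortel endpoint
PUBLIC_IP = "203.0.113.5"              # constructed stand-in for the DSL static IP
CLIENT = "192.168.1.42"                # the Win2k client address from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes
    icv: bytes = b""


def ah_icv(pkt: Packet, key: bytes = DEMO_KEY) -> bytes:
    """Model of the AH ICV (HMAC-SHA1-96): it covers the immutable outer IP
    header fields, source and destination address included, plus the payload."""
    data = pkt.src.encode() + pkt.dst.encode() + bytes([pkt.proto]) + pkt.payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def esp_icv(pkt: Packet, key: bytes = DEMO_KEY) -> bytes:
    """Model of the ESP ICV: it covers only the ESP header and payload, so the
    outer IP addresses are not protected and may be rewritten by NAT."""
    return hmac.new(key, pkt.payload, hashlib.sha1).digest()[:12]


def seal(pkt: Packet) -> Packet:
    """What the sending endpoint does: attach the ICV for the protocol in use."""
    icv = ah_icv(pkt) if pkt.proto == AH else esp_icv(pkt)
    return replace(pkt, icv=icv)


def verify(pkt: Packet) -> bool:
    """What the receiving endpoint does: recompute the ICV and compare it."""
    expected = ah_icv(pkt) if pkt.proto == AH else esp_icv(pkt)
    return hmac.compare_digest(expected, pkt.icv)


def masquerade(pkt: Packet, public_ip: str = PUBLIC_IP) -> Packet:
    """What MASQUERADE/SNAT does in nat POSTROUTING: rewrite the source address.
    MASQUERADE is the single-address case; SNAT may pick from a list."""
    return replace(pkt, src=public_ip)


def postrouting(pkt: Packet, passthrough_dst: str = NORTEL) -> Packet:
    """Model of a nat POSTROUTING chain with an IPsec exemption ahead of
    MASQUERADE. In the nat table an ACCEPT rule means "do not translate this
    connection", so the exemption has to live here; a filter-table FORWARD
    ACCEPT alone does not stop a later MASQUERADE from rewriting the packet."""
    if pkt.proto in (ESP, AH) and pkt.dst == passthrough_dst:
        return pkt          # -t nat -I POSTROUTING -p 50/51 -d <NORTEL> -j ACCEPT
    return masquerade(pkt)  # -t nat -A POSTROUTING -o eth0 -j MASQUERADE


def demo():
    """Return (ah_ok_direct, ah_ok_after_nat, esp_ok_after_nat, ah_ok_exempted)."""
    ah = seal(Packet(CLIENT, NORTEL, AH, b"constructed AH payload"))
    esp = seal(Packet(CLIENT, NORTEL, ESP, b"constructed ESP payload"))
    return (
        verify(ah),                 # True: untouched AH packet authenticates
        verify(masquerade(ah)),     # False: NAT changed a field the AH ICV covers
        verify(masquerade(esp)),    # True: ESP's ICV never covered the outer header
        verify(postrouting(ah)),    # True: the exemption leaves the AH packet alone
    )


if __name__ == "__main__":
    print(demo())
```

Running the module prints `(True, False, True, True)`: the masqueraded AH packet is the one the far endpoint rejects, which is the failure the reply describes, and the nat-table exemption is what keeps the packet in the state the client signed it in.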

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Anoosh Atari
Sent: Friday, January 11, 2002 4:33 PM
To: netfilter@lists.samba.org
Subject: Help with Nortel IPsec on Redhat Linux 2.4.16 using iptables


Please forgive me if this is a repeat topic, I have searched the net for
over 30 hours and have found mismatched information on how to connect
a Windows 2K via a Linux FW/GW on to my company's server using IPSEC
etc...

I am finding confusing information pointing to MASQUERADING versus SNAT
etc..., I cannot get the Nortel to work from win2K going through my
Linux box, but it will work if I connect my laptop to my DSL modem,
bypassing the Linux FW box altogether.  My research areas have been
www.netfilter.org , www.involution.com ,
http://www.knowplace.org/netfilter/ and more.

I have the basic setup:
1. eth0 to WAN (DSL modem Static IP)
2. eth1 to LAN (192.168.x.x)
3. Linux redhat 7.1 Kernel 2.4.16
4. Iptables running with NAT and filter rules to let me run DNS, SMTP,
WWW, etc...

To get Nortel IPSEC VPN working I have modified my rc.firewall to accept
protocol 50, 51, open and forwarded the port 500 (UDP and TCP).  I have
tried NATing everything from source of 57.x.x.x (my company server) to
my 192.168.1.42 (my win2k), I have tried stuff in preroute and postroute
chains.  Still not working.  I have DNAT packets with --dport of 500 to
my win2k and allowed forward rules to let it go through.  I have turned
on logging on INPUT, NAT, OUTPUT chains and see that my laptop goes far
enough to use udp port 500, but when it switches to ESP protocol it just
times out.  When running the Nortel Windows program, my win2k gets as far as
getting enough information to set up its default route and DNS, but that
is as far as it goes; I think this is because of port 500 udp hand
shake stuff.

QUESTIONS I have are these.
1. Is it correct to do "iptables -A INPUT -p 50 -j ACCEPT" when the
Linux box itself is not the peer for IPSEC? My understanding is that the
INPUT chain is for local process filtering (e.g. packet ends up on the
firewall itself). Same for "iptables -A INPUT -p 51 -j ACCEPT" and
"iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT".

2. I know the other Peer's IP address, and I have tried doing a PREROUTE
command to DNAT everything coming from source ip of 57.x.x.x to its new
destination of 192.168.1.42. and have added FORWARD statements to allow
it.  Should this be enough?

3. Some articles on the net point to IPSEC not working with NAT if they
use AH; how can I find that out? Our Network people are no help.  All
they tell you is open your FIREWALL for udp port 500.  I have a
co-worker using a Linksys router/firewall/NAT and his win2k is working
fine, with NATed address.  The difference is that I am using a Linux to
do firewalling.

4. Is VPN Masquerading required for this?  Some articles say yes, some
say no if you are using only one PC.

5. Is VPN Masquerading enabled in the Redhat 7.1 kernel 2.4.16, or does it need
to be patched and re-compiled?

6. Another article says you must do "iptables -t nat -A POSTROUTING -o eth0
-j MASQUERADE"; that should be the same as SNAT if you know your static
IP address, otherwise the NAT behavior should be the same?

What have I missed here?
Thanks
Alex@poptown.com



Sincerely
A. Atari, Senior Manager Global Messaging Services SITA
Work (770)850-5380, Fax (770)850-5390, Mobile (678)488-1952
3100 Cumberland Cir, Suite 200, Atlanta, GA 30339  USA