Darn. The need to use a VPN client ended my Linux firewalling days

Jun 8, 2000
For 3 months I've been using IPCHAINS to route traffic on my home network. But the need arose for me to install the FireBox Mobile VPN client on one of my internal machines in order to do some "work". Though I could get what appeared to be a good connection to the host, try as I might I couldn't get the VPN to function properly. The admin of the host server said he believed his firewall was detecting my NAT, confusing it for a spoof, and shutting me down.

Unfortunately, it works fine if I take down the firewall and connect directly.

*sigh*

I feel like my manliness took a real hit, switching to ICS over IPCHAINS....
 

spidey07

No Lifer
Aug 4, 2000
Yeah, unfortunately NAT breaks a VPN tunnel. It doesn't work mainly because the NAT is looking for some TCP/UDP information to handle the translation. Most VPNs have no layer 4 info and are just a layer 3 tunnel.

With that being said there are ways around it. Can your VPN client/server add layer4 info to the tunnel allowing it to work with NAT? That's the most common way of dealing with this annoying problem.

SOHO routers sometimes have a "NAT passthru" where it will allow a tunnel and not try to NAT on layer 4.

Good luck
 

mgpaulus

Golden Member
Dec 19, 2000
Do you know what protocol your VPN is using? If it's IPSEC, there are two types of IPSEC. One is packet encrypting, which is "tunnellable". The other is header encryption, which is not tunnellable. If you are using header encryption, then you are screwed, because the header is created and stamped by the sending machine (which has your local network IP, 192.x.x.x), and your NAT router can't mess with that, which breaks the NAT routing. Maybe you can talk to your admins and find out more info.

Our company (Worldcom, no snickers please....) uses Nortel's Contivity product for its VPN, which uses IPSEC on the packet, and my Netgear RT311 router supports it.
 

Garion

Platinum Member
Apr 23, 2001
Don't be too ashamed about using a Worldcom managed VPN - we do too. Got a couple of Contivities to support what might be 20K users. Not terribly impressed with their services, but it functions.

We had problems with ours initially, with NATting firewalls. We eventually turned on the UDP wrapper features within the VPN server, which redirects all traffic to a specific UDP port instead of using ESP and IKE.

It turns out that IKE is a problem child - it opens a connection FROM port 500 on your workstation TO port 500 on the server. It can't use any other ports. This is fine with ONE NAT user, but when you're forcing all traffic to/from a specific port, two users break it. Again, UDP wrappers did the trick.

- G
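The three failure modes described in this thread (spidey07's point that port-based NAT has no layer 4 fields in plain ESP to translate, and Garion's point that IKE's fixed port 500 collides once a second host sits behind the same NAT, while a UDP wrapper that the server accepts from any source port works) can be reproduced with a small model of a port-translating NAT. This is an added illustration, not code from the thread or from any of the products named in it; the IP addresses, the wrapper port 10000 and the NAT's dynamic port range are constructed assumptions, and the server's "fixed source port" check stands in for the IKE behaviour Garion describes.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple

UDP, ESP = 17, 50          # IP protocol numbers
IKE_PORT = 500             # IKE as described in the thread: source AND destination port 500
WRAPPER_PORT = 10000       # assumed port for the "UDP wrapper"; the thread names none


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for ESP: there is no layer-4 header to read
    dst_port: Optional[int] = None


class PortNat:
    """Port address translation keyed on (private ip, private port), UDP only."""

    def __init__(self, public_ip: str, first_dynamic_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_dynamic_port
        self.bindings: Dict[Tuple[str, Optional[int]], int] = {}  # (private ip, port) -> public port
        self.in_use: Set[int] = set()

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a LAN -> Internet packet; None means this NAT cannot carry it."""
        if pkt.proto != UDP:
            # Plain ESP carries no port numbers, so there is nothing to key a binding on.
            # (A router's single-host "IPsec passthrough" is a special case not modelled here.)
            return None
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.bindings:
            # Keep the original source port while it is free; a second host using the
            # same port gets a fresh public port, which is exactly what breaks IKE.
            if pkt.src_port not in self.in_use:
                public = pkt.src_port
            else:
                public, self.next_port = self.next_port, self.next_port + 1
            self.bindings[key] = public
            self.in_use.add(public)
        return replace(pkt, src_ip=self.public_ip, src_port=self.bindings[key])


def server_accepts(pkt: Optional[Packet], fixed_src_port: Optional[int]) -> bool:
    """VPN server model: IKE insists the peer came from port 500; a UDP wrapper accepts any port."""
    if pkt is None:
        return False                      # the NAT dropped it before it ever reached us
    return fixed_src_port is None or pkt.src_port == fixed_src_port


def run_scenario(proto: int, src_port: Optional[int], dst_port: Optional[int],
                 fixed_src_port: Optional[int],
                 hosts: Tuple[str, ...] = ("192.168.1.10", "192.168.1.11")) -> List[bool]:
    """Two LAN hosts behind one NAT each try to reach the same VPN server; True = accepted."""
    nat = PortNat("203.0.113.5")          # constructed public address of the home router
    server = "198.51.100.7"               # constructed address of the VPN server
    return [server_accepts(nat.outbound(Packet(proto, h, server, src_port, dst_port)),
                           fixed_src_port) for h in hosts]


if __name__ == "__main__":
    print("plain ESP, two hosts:      ", run_scenario(ESP, None, None, None))
    print("IKE 500->500, two hosts:   ", run_scenario(UDP, IKE_PORT, IKE_PORT, IKE_PORT))
    print("UDP wrapper, two hosts:    ", run_scenario(UDP, WRAPPER_PORT, WRAPPER_PORT, None))
```

Running it shows ESP failing for every host (nothing to translate), IKE working for the first host only (it keeps port 500, the second is rebound to a dynamic port the server rejects), and the UDP wrapper working for both because the server no longer cares which source port the NAT chose. That last case is the property a practitioner should look for when picking a VPN for use behind NAT, whatever the vendor calls the feature.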