This is a discussion on IPSEC tunnel and NAT within the Gentoo Linux Support forums, part of the Unix Operating Systems category.
Hi all,

My question: Is it possible to set up an IPSEC/ESP tunnel between a NATed computer and a public computer?

The background: I want to be able to give people access to our LAN from the internet, in such a way that they appear to be a true part of the LAN. Of course, I want this to be as secure as possible. For this reason, I want to set up a VPN between the computer 'joining' our LAN and my LAN's gateway.

My difficulty with the docs I found is this: all of them assume a setup like:

                     ======= ESP =======
                     |                 |
   Network-A       Gateway-A         Gateway-B        Network-B
   10.0.1.0/24 ---- 172.16.0.1 ------ 172.16.0.2 ---- 10.0.2.0/24

In this setup, the tunnel is set up between hosts that can directly communicate with each other. I want a setup like this:

       =============== ESP =================
       |                                   |
   Host-A          Gateway-A         Gateway-B        Network-B
   10.0.1.1/32 ---- 172.16.0.1 ------ 172.16.0.2 ---- 10.0.2.0/24

Where Gateway-A NATs the network behind it.

I hope someone will tell me this is possible! My gateway is running Gentoo Linux (what else) and has ipsec-tools installed. I can already use IPSEC in transport mode between my own PC (also on Gentoo) and the gateway, using public/private key authentication.

Greetings,
Sybren
-- 
The problem with the world is stupidity. Not saying there should be a capital punishment for stupidity, but why don't we just take the safety labels off of everything and let the problem solve itself?
sybren@sybren.thirdtower.com wrote:
> Hi all,
>
> My question: Is it possible to set up an IPSEC/ESP tunnel between a
> NATed computer and a public computer?

Yes, as long as you allow IPsec passthrough (port 1723). Most routers allow this, so you can simply initiate the connection from inside the NATted network.

> The background: I want to be able to give people access to our LAN
> from the internet, in such a way that they appear to be a true part of
> the LAN. Of course, I want this to be as secure as possible. For this
> reason, I want to set up a VPN between the computer 'joining' our LAN
> and my LAN's gateway.

But your LAN gateway is not NATed on the outside, is it? It is, in fact, the computer doing the NATting.

> My difficulty with the docs I found is this: all of them assume a
> setup like:
>
>                      ======= ESP =======
>                      |                 |
>    Network-A       Gateway-A         Gateway-B        Network-B
>    10.0.1.0/24 ---- 172.16.0.1 ------ 172.16.0.2 ---- 10.0.2.0/24

Yes, which is what you have, too - if you stop to think about it for a minute.

> In this setup, the tunnel is set up between hosts that can directly
> communicate with each other. I want a setup like this:
>
>        =============== ESP =================
>        |                                   |
>    Host-A          Gateway-A         Gateway-B        Network-B
>    10.0.1.1/32 ---- 172.16.0.1 ------ 172.16.0.2 ---- 10.0.2.0/24
>
> Where Gateway-A NATs the network behind it.

Yeeessss... and is also the endpoint for the tunnel. Since you want to put the remote PC on the LAN, what is wrong with this setup? WHY does it have to be to an internal PC?

Or, even better - why do you not clearly state which you want? It's passthrough one minute, and GW - GW the next...

-- 
J
Where does the shit go?
Jeroen Geilman enlightened us with:
> Yes, as long as you allow IPsec passthrough (port 1723).

That's PPTP, which has various issues. I don't want to use that.

> But your LAN gateway is not NAted on the outside, is it?

No it isn't.

> It is, in fact, the computer doing the NATting.

Yes, but not in the way I meant. Here is the situation, using the real IP addresses instead of some fictional ones:

LAN A: the remote LAN
Box A: the NATed computer that I want to join in our LAN
Gateway A: the server doing the NATting of Box A
Gateway B: my LAN server, doing the NATting for my LAN
Box B: my home PC, part of our LAN
LAN B: my home LAN

   LAN A : 192.168.0.0/24
    /--- Box A ---\        /----- GW A -----\
   | 192.168.0.1  | ----- | 192.168.0.129  |
    \-------------/       |                |
                          | 80.126.96.52   |
                           \----------------/
                                   |
                                internet
                                   |
                           /----- GW B -----\
                          | 80.126.213.162 |
    /--- Box B ---\       |                |
   | 10.0.0.2     | ----- | 10.0.0.1       |
    \-------------/        \----------------/
   LAN B : 10.0.0.0/24

I want to create a VPN connection from Box A to GW B, so that Box A can have a 10.0.1.0/24 address, for instance.

Of course, I could create a VPN between GW A and GW B, but that would mean I'd give entire LAN A a tunnel to LAN B, which is something I do not want.

> Since you want to put the remote PC on the LAN, what is wrong with
> this setup? WHY does it have to be to an internal PC?

It has to be because it is. I want to have a setup where I can set up a VPN connection to my LAN from a remote box, no matter if it's NATted or not.

Sybren
-- 
The problem with the world is stupidity. Not saying there should be a capital punishment for stupidity, but why don't we just take the safety labels off of everything and let the problem solve itself?
So anyway, it was like, 21:27 CEST Oct 14 2004, you know? Oh, and, yeah, Sybren Stuvel was all like, "Dude,
>    LAN A : 192.168.0.0/24
>     /--- Box A ---\        /----- GW A -----\
>    | 192.168.0.1  | ----- | 192.168.0.129  |
>     \-------------/       |                |
>                           | 80.126.96.52   |
>                            \----------------/
>                                    |
>                                 internet
>                                    |
>                            /----- GW B -----\
>                           | 80.126.213.162 |
>     /--- Box B ---\       |                |
>    | 10.0.0.2     | ----- | 10.0.0.1       |
>     \-------------/        \----------------/
>    LAN B : 10.0.0.0/24
>
> I want to create a VPN connection from Box A to GW B, so that Box A
> can have a 10.0.1.0/24 address, for instance.
>
> Of course, I could create a VPN between GW A and GW B, but that
> would mean I'd give entire LAN A a tunnel to LAN B, which is
> something I do not want.

Unless you have additional hosts behind your gateway, you could just let it NAT the outgoing ipsec traffic (as it will, if you just let it out) and tell the other endpoint ("gw b") to talk to your "gw a". You might have to set up port forwarding in the reverse direction.

Another option would be to define the encryption domain for your end of the tunnel to be only the single host, and let the gateways sort it out. You'd still only be building a tunnel with the single host having access, but the vpn would be "properly" set up between the two gateways.

hth.

-- 
Time flies like an arrow, fruit flies like a banana.
Perth ---> * 21:46:29 up 37 days, 7:13, 11 users, load average: 0.01, 0.02, 0.00
Linux 2.6.8 x86_64 GNU/Linux
Registered Linux user #261729
Johan Lindquist enlightened us with:
> Unless you have additional hosts behind your gateway

I have, on both gateways.

> Another option would be to define the encryption domain for your end
> of the tunnel to be only the single host, and let the gateways sort
> it out. You'd still only be building a tunnel with the single host
> having access, but the vpn would be "properly" set up between the
> two gateways.

Well, that's not a configuration I can use. You see, I want people to be able to VPN with me, even if they are behind a stupidly cheapass NAT router that doesn't understand IPsec or any other VPN.

Sybren
-- 
The problem with the world is stupidity. Not saying there should be a capital punishment for stupidity, but why don't we just take the safety labels off of everything and let the problem solve itself?
So anyway, it was like, 07:54 CEST Oct 15 2004, you know? Oh, and, yeah, Sybren Stuvel was all like, "Dude,
> Johan Lindquist enlightened us with:
>> Unless you have additional hosts behind your gateway
>
> I have, on both gateways.

...that needs to do VPN. You /will/ have to do some sort of nat and port forward combination if you're not going to use the router as the endpoint, and if you have more than one private address on your end that needs to interact with the world by means of VPN, I don't think you'll be able to make it happen. At least not given your constraint to communicate with stupid routers that probably won't be able to use another port beside the default one for the encrypted traffic.

>> Another option would be to define the encryption domain for your
>> end of the tunnel to be only the single host, and let the gateways
>> sort it out. You'd still only be building a tunnel with the single
>> host having access, but the vpn would be "properly" set up between
>> the two gateways.
>
> Well, that's not a configuration I can use. You see, I want people
> to be able to VPN with me, even if they are behind a stupidly
> cheapass NAT router that doesn't understand IPsec or any other VPN.

I believe you might be in for more of a challenge than you expect. It's not all that guaranteed that those stupid routers will be able to port forward the ipsec traffic in the first place. In my experience, it's difficult enough to get two supposedly intelligent hosts talking ipsec to each other, without having to account for additional nat along the way.

Maybe there's some sort of generic VPN setup one can use, similar to whatever it is that ms is using for their ad-hoc encryption setups, but you seemed averse to such measures as PPTP as well.

-- 
Time flies like an arrow, fruit flies like a banana.
Perth ---> * 08:19:26 up 37 days, 17:47, 12 users, load average: 1.46, 1.51, 0.95
Linux 2.6.8 x86_64 GNU/Linux
Registered Linux user #261729
Johan Lindquist enlightened us with:
> ...that needs to do VPN. You /will/ have to do some sort of nat and
> port forward combination if you're not going to use the router as
> the endpoint, and if you have more than one private address on your
> end that needs to interact with the world by means of VPN, I don't
> think you'll be able to make it happen.

That's no worry then - only one end of the VPN will have a private address.

> I believe you might be in for more of a challenge than you expect.
> It's not all that guaranteed that those stupid routers will be able
> to port forward the ipsec traffic in the first place.

True. I think I'll need to up the requirements a bit then, and expect the routers can do proper port forwarding.

Sybren
-- 
The problem with the world is stupidity. Not saying there should be a capital punishment for stupidity, but why don't we just take the safety labels off of everything and let the problem solve itself?
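Editor's note, added here and not part of the thread: the mechanism that makes the "NATed host to public gateway" case work without any port forwarding on the cheap router is IPsec NAT Traversal (RFC 3947 for the IKE side, RFC 3948 for ESP-in-UDP), which nobody in the thread names. Plain ESP is IP protocol 50 and carries no port numbers, only an SPI, so a port-rewriting NAT has nothing to map and cannot distinguish two inner hosts talking to the same gateway. NAT-T fixes this in two steps: during IKE each peer sends NAT-D hashes of the address it believes it is using, the other side recomputes the hash from the address it actually sees and so learns that a NAT is in the path; both then move to UDP/4500 and wrap ESP in UDP, which any stateful NAT can track like any other UDP flow. The example below is my own illustration of those two steps in Python, using the thread's addresses; the cookies, ports and payloads are constructed values, and SHA-1 is assumed as the negotiated IKE hash.

```python
"""IPsec NAT-T essentials (RFC 3947 NAT-D detection, RFC 3948 UDP encapsulation).

Added illustration; not code from the thread or from ipsec-tools. Cookies,
ports and payloads are constructed values.
"""
import hashlib
import ipaddress
import struct

NATT_PORT = 4500                      # UDP port shared by IKE and UDP-encapsulated ESP after NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: prefixed to IKE messages sent on port 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-octet datagram that keeps the NAT mapping alive


def nat_d_hash(cookie_i: bytes, cookie_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 3.2: NAT-D payload = hash(CKY-I | CKY-R | IP | Port). SHA-1 assumed."""
    if len(cookie_i) != 8 or len(cookie_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed       # 4 bytes for v4, 16 for v6
    return hashlib.sha1(cookie_i + cookie_r + packed_ip + struct.pack("!H", port)).digest()


def peer_is_behind_nat(nat_d_from_peer: bytes, cookie_i: bytes, cookie_r: bytes,
                       seen_src_ip: str, seen_src_port: int) -> bool:
    """Responder-side check: the peer hashed the source address it thinks it has; we
    hash the source address we actually observe on the wire. A mismatch means a NAT
    rewrote the IP and/or port somewhere in between."""
    return nat_d_hash(cookie_i, cookie_r, seen_src_ip, seen_src_port) != nat_d_from_peer


def udp_encap_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """RFC 3948 2.1: the ESP header (SPI, sequence number) follows the UDP header
    directly. SPI 0 is reserved, which is exactly why the receiver can tell ESP from
    the all-zero non-ESP marker by looking at the first four bytes."""
    if not 0 < spi < 2**32:
        raise ValueError("SPI must be a non-zero 32-bit value")
    return struct.pack("!II", spi, seq) + esp_body


def udp_encap_ike(ike_msg: bytes) -> bytes:
    """IKE on port 4500 carries the non-ESP marker so it can share the socket with ESP."""
    return NON_ESP_MARKER + ike_msg


def classify_port4500_datagram(payload: bytes) -> str:
    """Demultiplex a UDP/4500 datagram the way the receiving IPsec stack does."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) < 8:
        raise ValueError("truncated datagram")
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def demo() -> dict:
    """Constructed scenario with the thread's addresses: Box A (192.168.0.1) behind
    GW A (80.126.96.52) initiates IKE to GW B (80.126.213.162)."""
    cky_i = bytes.fromhex("0102030405060708")   # constructed initiator cookie
    cky_r = bytes.fromhex("a1a2a3a4a5a6a7a8")   # constructed responder cookie

    # Box A hashes the only source address it knows: its private one, UDP/500.
    nat_d_box_a = nat_d_hash(cky_i, cky_r, "192.168.0.1", 500)
    # GW B sees the packet after GW A's NAT: public IP and a rewritten source port.
    box_a_behind_nat = peer_is_behind_nat(nat_d_box_a, cky_i, cky_r, "80.126.96.52", 52017)

    # Same check for the gateway-to-gateway alternative: no NAT in the path, hashes agree.
    nat_d_gw_a = nat_d_hash(cky_i, cky_r, "80.126.96.52", 500)
    gw_a_behind_nat = peer_is_behind_nat(nat_d_gw_a, cky_i, cky_r, "80.126.96.52", 500)

    # After detection both ends switch to UDP/4500 and multiplex IKE, ESP and keepalives
    # on one UDP flow, which the cheap router tracks like any other outbound UDP session.
    datagrams = [
        udp_encap_ike(b"\x01" * 28),              # constructed IKE message body
        udp_encap_esp(0x1000, 1, b"\xaa" * 16),   # constructed ESP body (ciphertext + trailer)
        NAT_KEEPALIVE,
    ]
    return {
        "box_a_behind_nat": box_a_behind_nat,
        "gw_a_behind_nat": gw_a_behind_nat,
        "classified": [classify_port4500_datagram(d) for d in datagrams],
    }


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow. First, with NAT-T the host behind the cheap router needs no port forwarding at all, because it initiates and the router creates the UDP/500 and UDP/4500 mappings itself; forwarding only matters if the responder (GW B in the thread) were itself behind a NAT, which it is not. Second, the responder must keep the mapping alive and must key its security associations on the observed public address and port, since several NATed hosts can legitimately arrive from the same public IP. In racoon from ipsec-tools this is switched on with `nat_traversal on;` in the `remote` block and an `isakmp_natt <address> [4500];` entry in the `listen` block; those directive names are from my reading of racoon.conf(5), so check them against the installed man page before relying on them.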