!!Setting up IPSEC tunnelling over a NAT'd M1122

I have an [IPSec] gateway server (FreeSwan) running on a public IP address, and I want to make tunnels from machines that sit behind [ADSLModems] (in this case, a Nokia [M1122]). Thankfully, it was a bit easier to achieve than I thought it might be, and you don't have to worry about NatTraversal at all. This works because FreeSwan can identify its ends with the leftid= and rightid= parameters, so the IP address blocks at each end don't need to match.

!Things to note

If you have multiple networks with the same numbering, you can't tunnel them all to the same server: how would the server know which was which? Likewise, the network between the firewall and the DSL modem (the 192.168.x examples below) also has to have a unique IP address.

This setup is designed to allow traffic between an internal mail server and an external web site, for the purposes of [IMAP] mail. You can, however, modify it to suit. The entire internal network can still access the machine the tunnel ends on, but you also have to configure a tunnel from the __external__ IP of the firewall at the local site, or else the firewall itself can't access that machine (which makes using webmail internally a bit of a problem).

!Network Layout

[[Hosting Server] - [[Hosting Firewall] <----> [[M1122] - [[Site Firewall] - [[Local Network]

Imagine a (reasonably standard) layout: (External IP __M1122__ 192.168.1.254) - (192.168.1.250 __Firewall__ 10.7.1.254). The hosting server is 203.204.205.206.

!!1. Configure the M1122 to enable ESP and ISAKMP passthrough to the internal firewall (with some PinHoling):

 telnet router
 configure vcc1
 ip server-napt esp 192.168.1.250 0 0 65535 esp-ipsec
 ip server-napt isakmp 192.168.1.250 500 500 1 udp
 quit
 save config startup
 logout
!!2. Set up IPSEC connections

!SERVER END

 conn site-hosting
     left=203.x.x.x                  # site-external-ip
     leftsubnet=10.7.1.0/24          # site-internal-net
     leftnexthop=
     rightsubnet=203.204.205.206/32  # hosting
     auto=start
     also=site-hosting-keys

 conn sitefw-hosting
     left=203.x.x.x                  # site-external-ip
     leftsubnet=192.168.1.250/32     # external-ip-of-fw
     leftnexthop=
     rightsubnet=203.204.205.206/32  # hosting
     auto=start
     also=site-hosting-keys

 conn site-hosting-keys
     leftrsasigkey=...
     leftid=@firewall.site.co.nz
     right=203.204.205.1             # hosting-firewall
     rightnexthop=%defaultroute
     rightrsasigkey=...
     rightid=@firewall.hosting.net.nz

!M1122 END

This end has to use some different IP addresses from the other end:

 conn site-hosting
     left=%defaultroute
     leftsubnet=10.7.1.0/24          # site-internal-net
     leftnexthop=
     rightsubnet=203.204.205.206/32  # hosting
     auto=add
     also=site-hosting-keys

 conn sitefw-hosting
     left=%defaultroute
     leftsubnet=192.168.x.250/32     # external-ip-of-fw
     leftnexthop=
     rightsubnet=203.204.205.206/32  # hosting
     auto=add
     also=site-hosting-keys

 conn site-hosting-keys
     leftrsasigkey=...
     leftid=@firewall.site.co.nz
     right=203.204.205.1             # hosting-firewall
     rightnexthop=%defaultroute
     rightrsasigkey=...
     rightid=@firewall.hosting.net.nz

Comments welcomed.

----

I came to this page for confirmation of the following assumption: leftsubnet might contain the leftnexthop and left.%%% e.g. leftsubnet is 10.110.30.0/16, leftnexthop is 10.110.30.1, left is 10.110.30.42. I haven't found a quick answer somewhere else, so I did tests: of course it does work.
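The two warnings in "Things to note" (same-numbered networks can't all be tunnelled to the same server, and a NAT'd end is identified by leftid=/rightid= rather than by address) can be checked mechanically against the conns in section 2. The following Python script is an added example, not code from this page, from the comment above, or from FreeS/WAN: it parses a FreeS/WAN-style ipsec.conf, resolves also= sections, and flags leftsubnets that overlap while tunnelling to the same rightsubnet, plus any conn whose left is %defaultroute without a leftid. The config text embedded in it is constructed for illustration: the page's two M1122-end conns plus a hypothetical second site ("othersite-hosting") that reuses 10.7.1.0/24.

```python
"""Check a FreeS/WAN-style ipsec.conf for the two pitfalls noted on the page.

Added example, not code from the page or from FreeS/WAN.  SAMPLE_CONF is a
constructed config: the page's two conns plus a hypothetical second site
("othersite-hosting") that reuses the same internal numbering.
"""
from collections import defaultdict
import ipaddress

SAMPLE_CONF = """\
# constructed sample, M1122 (NAT'd) end
conn site-hosting
    left=%defaultroute
    leftsubnet=10.7.1.0/24
    rightsubnet=203.204.205.206/32
    auto=add
    also=site-hosting-keys

conn sitefw-hosting
    left=%defaultroute
    leftsubnet=192.168.1.250/32
    rightsubnet=203.204.205.206/32
    auto=add
    also=site-hosting-keys

conn othersite-hosting
    left=%defaultroute
    leftsubnet=10.7.1.0/24
    right=203.204.205.1
    rightsubnet=203.204.205.206/32
    auto=add

conn site-hosting-keys
    leftid=@firewall.site.co.nz
    right=203.204.205.1
    rightnexthop=%defaultroute
    rightid=@firewall.hosting.net.nz
"""


def parse_conf(text):
    """Return {conn name: {key: value}}; '#' comments and non-conn sections are skipped."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # section header: "conn NAME" or "config setup"
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" and len(parts) == 2 else None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return conns


def resolve(conns, name, seen=None):
    """Merge also= sections into a conn; the conn's own keys win, as in FreeS/WAN."""
    if seen is None:
        seen = set()
    if name in seen or name not in conns:    # unknown section or also= loop
        return {}
    seen.add(name)
    own = dict(conns[name])
    merged = {}
    for other in own.pop("also", "").split():
        merged.update(resolve(conns, other, seen))
    merged.update(own)
    return merged


def check(conns):
    """Return (conn, problem) pairs for the two ambiguities described on the page."""
    problems = []
    by_server = defaultdict(list)            # rightsubnet -> [(conn, leftsubnet network)]
    for name in conns:
        c = resolve(conns, name)
        if "leftsubnet" not in c or "rightsubnet" not in c:
            continue                         # key-only section such as site-hosting-keys
        # A NAT'd end (left=%defaultroute) must be identified by leftid, because the
        # address the server sees belongs to the M1122, not to the firewall.
        if c.get("left") == "%defaultroute" and not c.get("leftid"):
            problems.append((name, "left is %defaultroute but no leftid is set"))
        by_server[c["rightsubnet"]].append(
            (name, ipaddress.ip_network(c["leftsubnet"], strict=False)))
    # Two tunnels to the same server whose leftsubnets overlap: the server has no
    # way to tell the two networks apart.
    for server, ends in by_server.items():
        for i, (n1, s1) in enumerate(ends):
            for n2, s2 in ends[i + 1:]:
                if s1.overlaps(s2):
                    problems.append(
                        (n1, f"leftsubnet {s1} overlaps {s2} of {n2} (both tunnel to {server})"))
    return problems


if __name__ == "__main__":
    for conn, problem in check(parse_conf(SAMPLE_CONF)):
        print(f"{conn}: {problem}")
```

Run as-is it reports two problems: othersite-hosting has no leftid, and its 10.7.1.0/24 collides with site-hosting's leftsubnet on the same hosting server. Point parse_conf at a real /etc/ipsec.conf to check your own conns; the sitefw-hosting /32 conn passes because 192.168.1.250 does not overlap the internal network.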