[olug] Cisco IPSec vpn behind Linux 2.4 NAT box?

Phil Brutsche phil at brutsche.us
Wed Mar 30 21:41:05 UTC 2005


Adam Haeder wrote:
> Does anyone have experience connecting to a Cisco VPN that is on a private
> IP subnet behind a Linux box doing NAT? The Linux box is RedHat9 with the
> 2.4 kernel. If it's possible/easy, what would an iptables script look like
> to enable it? TIA

I'll be up front: IPsec does *not* like going through NAT.

You will need to forward IP protocols 50 and 51 in addition to UDP port
500.  ESP (IP proto 50) is probably OK but if you use AH (IP proto 51)
it will not work - AH stands for authenticated headers, and the
authentication breaks when it has to be sent through NAT.

If you can, your pain will be greatly reduced by configuring the Cisco
VPN stuff to do NAT-T.

-- 

Phil Brutsche
phil at brutsche.us
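
An added example of the iptables rule set Adam asked about, written for this page rather than taken from the thread or from any Cisco documentation. It assumes a Linux 2.4 NAT box with external interface eth0, private subnet 192.168.1.0/24 and a Cisco IPsec endpoint at 192.168.1.10 (all made-up values, overridable through environment variables). Inbound IKE (UDP/500), NAT-T (UDP/4500), ESP (IP protocol 50) and AH (IP protocol 51) arriving on the external interface are DNATed to the inner endpoint and allowed through FORWARD; return traffic is covered by connection tracking. With NAT-T enabled on the Cisco side, ESP travels inside UDP/4500 and the protocol-50 rules become unnecessary. The protocol-51 rules only get AH packets to the endpoint: AH's integrity check covers the IP addresses, so packets whose destination has been rewritten by DNAT will still fail verification there, which is why AH through NAT does not work.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (and optionally applies)
# iptables rules on a Linux 2.4 NAT box that fronts a Cisco IPsec endpoint on
# the private side. Interface and address values are assumptions for illustration.

WAN_IF="${WAN_IF:-eth0}"                 # assumed external interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed private subnet behind the NAT box
VPN_IN="${VPN_IN:-192.168.1.10}"         # assumed private IP of the Cisco endpoint
IPT="${IPT:-iptables}"

# Print the rule set, one iptables command per line, without running it.
# Keeping generation separate from execution lets the rules be reviewed
# (or tested) without root. Args: external interface, inner VPN endpoint.
ipsec_forward_rules() {
    wan="$1"; vpn="$2"
    cat <<EOF
$IPT -t nat -A PREROUTING -i $wan -p udp --dport 500 -j DNAT --to-destination $vpn
$IPT -t nat -A PREROUTING -i $wan -p udp --dport 4500 -j DNAT --to-destination $vpn
$IPT -t nat -A PREROUTING -i $wan -p 50 -j DNAT --to-destination $vpn
$IPT -t nat -A PREROUTING -i $wan -p 51 -j DNAT --to-destination $vpn
$IPT -A FORWARD -i $wan -d $vpn -p udp --dport 500 -j ACCEPT
$IPT -A FORWARD -i $wan -d $vpn -p udp --dport 4500 -j ACCEPT
$IPT -A FORWARD -i $wan -d $vpn -p 50 -j ACCEPT
$IPT -A FORWARD -i $wan -d $vpn -p 51 -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Count the generated rules that match one raw IP protocol number
# (e.g. 50 for ESP, 51 for AH): one DNAT rule plus one FORWARD rule each.
# Args: external interface, inner VPN endpoint, protocol number.
count_proto_rules() {
    ipsec_forward_rules "$1" "$2" | grep -c -- "-p $3 "
}

# Count the generated rules for one UDP destination port (500 for IKE,
# 4500 for NAT-T). Args: external interface, inner VPN endpoint, port.
count_udp_rules() {
    ipsec_forward_rules "$1" "$2" | grep -c -- "--dport $3 "
}

# Apply only when explicitly asked, so reviewing or sourcing the script is safe.
# Requires root; enables forwarding and masquerades outbound LAN traffic first.
if [ "$1" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    ipsec_forward_rules "$WAN_IF" "$VPN_IN" | sh
fi
```

Run `sh ipsec-nat.sh` to print the rules for review and `sh ipsec-nat.sh apply` as root to install them. If the Cisco side does NAT-T, the two protocol-50 lines can be dropped; the protocol-51 lines can be dropped whether or not NAT-T is in use, since AH will not survive the address rewrite anyway.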
