[olug] Cisco IPSec vpn behind Linux 2.4 NAT box?

Nathan D. Rotschafer nrotschafer at geniussystems.net
Thu Mar 31 06:45:38 UTC 2005



In order to support multiple clients behind the NAT, NAT-T is a
must...

Nate

Phil Brutsche wrote:

|Adam Haeder wrote:
|
|>Does anyone have experience connecting to a Cisco VPN that is on a private
|>IP subnet behind a Linux box doing NAT? The Linux box is RedHat9 with the
|>2.4 kernel. If it's possible/easy, what would an iptables script look like
|>to enable it? TIA
|
|
|I'll be up front: IPsec does *not* like going through NAT.
|
|You will need to forward IP protocols 50 and 51 in addition to UDP port
|500.  ESP (IP proto 50) is probably OK but if you use AH (IP proto 51)
|it will not work - AH stands for authenticated headers, and the
|authentication breaks when it has to be sent through NAT.
|
|If you can, your pain will be greatly reduced by configuring the Cisco
|VPN stuff to do NAT-T.
|
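As an added example (not from the thread or from any of the posters), here is one shape the iptables script Adam asked about could take on the 2.4 NAT box. It port-forwards IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50) from the public address to the Cisco VPN endpoint on the private subnet, and deliberately does not forward AH (IP protocol 51), since NAT rewrites the very header AH authenticates. The interface names, addresses and subnet are assumed placeholders. The rules are emitted as text first so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: DNAT inbound IKE, NAT-T and ESP to a Cisco VPN endpoint on
# the private subnet behind a Linux 2.4 iptables NAT box.
# Interface names and addresses below are assumptions, not values from the
# thread; override them in the environment before running.

WAN_IF="${WAN_IF:-eth0}"               # Internet-facing interface (assumed)
LAN_IF="${LAN_IF:-eth1}"               # private-side interface (assumed)
WAN_IP="${WAN_IP:-203.0.113.10}"       # public address of the NAT box (assumed)
VPN_IP="${VPN_IP:-192.168.1.20}"       # private address of the Cisco VPN (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # private subnet being masqueraded (assumed)

# Emit the rules as text so they can be inspected (or piped to sh) before use.
# Protocol 50 is ESP; AH (protocol 51) is intentionally absent, because NAT
# changes the IP header that AH covers and the integrity check then fails.
vpn_nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p udp --dport 500 -j DNAT --to-destination $VPN_IP
iptables -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p udp --dport 4500 -j DNAT --to-destination $VPN_IP
iptables -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p 50 -j DNAT --to-destination $VPN_IP
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $VPN_IP -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $VPN_IP -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $VPN_IP -p 50 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $VPN_IP -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Apply the rules for real (requires root and the iptables userland).
apply_vpn_nat_rules() {
    vpn_nat_rules | sh
}

# Print the rules when run directly; apply with: apply_vpn_nat_rules
vpn_nat_rules
```

Keeping the ESP rule as a bare protocol match is what limits plain ESP to a single client: without NAT-T there are no ports in ESP for the NAT box to distinguish sessions by, so only one peer behind the NAT can hold a tunnel at a time, which is why Nate says NAT-T is a must for multiple clients. With NAT-T, IKE and ESP move to UDP/4500 and the NAT box handles them like any other UDP flow.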


