From: SourceForge.net <no...@so...> - 2009-01-16 11:05:39

Support Requests item #1120423, was opened at 2005-02-11 00:46
Message generated for change (Comment added) made by fabled80
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=1120423&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Configuration
Group: setkey
>Status: Closed
Priority: 5
Private: No
Submitted By: LMCroisez (croisez)
Assigned to: Nobody/Anonymous (nobody)
Summary: How to configure Transport mode between two gateways?

Initial Comment:
Hi!

I would like to configure two ipsec gateways in transport mode. Here is my config:

PCa(10.10.0.1/24) --- (10.10.0.2/24)GWa(10.0.0.2/24) ==== (10.0.0.3/24)GWb(10.20.0.3/24) --- (10.20.0.4/24)PCb

When PCa sends a ping to PCb, the icmp packet is well enciphered by GWa (I see it in the tcpdump traces), but it is not deciphered by GWb. Instead, it is simply forwarded "as is" to PCb.

What could be the problem? Is it actually impossible to configure a transport mode for "transparent" gateways? By transparent gateways I mean linux boxes that take traffic from a private LAN and encrypt it before ip_forwarding it to the internet.

Any help is welcome.
AdvTHANKSance

----------------------------------------------------------------------

Comment By: Timo Teräs (fabled80)
Date: 2009-01-16 13:05

Message:
Closing all sourceforge.net bugs. If this issue has not been cared for, please submit a new bug report to the https://trac.ipsec-tools.net/ issue tracker. Thank you.

----------------------------------------------------------------------

Comment By: Aidas Kasparas (monas)
Date: 2005-02-13 10:16

Message:
Logged In: YES
user_id=39627

I'm sorry, I misunderstood your message. Nat-traversal is working ok.

Therefore, if you have two options:
1) PCa-to-PCb transport mode with the gateways acting as dumb NAT devices (they know nothing about IPSec, except that they need to NAT udp/500, udp/4500 and proto 50);
2) transport mode between the gateways and an SNAT/DNAT mess;
then go for the first option. You'll have much less trouble. And if you have some third option, could you please describe it in detail. Especially note limitations (e.g. PCa does not support IPSec, or GWb is not under my control and requires A, B, C).

----------------------------------------------------------------------

Comment By: LMCroisez (croisez)
Date: 2005-02-13 10:03

Message:
Logged In: YES
user_id=1216741

I don't know in fact if the version of ipsec which is native in Kernel 2.6.9 is capable of doing nat-traversal. Whatever, I will try your suggestion (snat, dnat).

----------------------------------------------------------------------

Comment By: Aidas Kasparas (monas)
Date: 2005-02-12 14:16

Message:
Logged In: YES
user_id=39627

I wrote about mysterious results. I'm confident that if you do not explicitly exclude ESP (AH) packets from NAT'ing, you'll get a corrupted port number on returning packets. This is caused by a bug in the kernel. Knowing the above, I avoid having IPSec and NAT on a single packet in my setups. Therefore, I do not know whether these two can be combined (and if they can't, for what reason and how to fix that).

And BTW, why do you need such a bizarre setup?

----------------------------------------------------------------------

Comment By: LMCroisez (croisez)
Date: 2005-02-12 00:14

Message:
Logged In: YES
user_id=1216741

Thx for your comment monas. snat/dnat could fool GWb the way I want, but I think that modifying the ip packets will corrupt the crc computation? (= classical problem of the nat-traversal) What do you think?

----------------------------------------------------------------------

Comment By: Aidas Kasparas (monas)
Date: 2005-02-11 01:22

Message:
Logged In: YES
user_id=39627

It is impossible to do that by definition! The IPSec standard defines transport mode only for the end-system to end-system case. If there is some gateway involved, you have to use tunnel mode.

If you want GWb to decrypt transport mode IPSec packets, then the only case that I can think of is to use transport mode for GWa-GWb traffic. But then you have to SNAT packets from PCa, optionally DNAT packets to PCb to GWb, or ask PCa to contact GWb, which will DNAT some traffic to PCb. And I'm not sure that such a setup will work at all, as IPSec and NAT sometimes produce mysterious results.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=1120423&group_id=74601
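The tunnel-mode configuration that monas's first comment points to, written out for the addresses in the original question as an added example. This is not configuration posted in the thread nor part of ipsec-tools; it is a setkey script for GWa in the topology above, using manual keying so it stands alone. The SPIs (0x201/0x301) and the key bytes are constructed placeholders, and the transport-mode policy is shown only to illustrate why GWb forwarded the ESP packets untouched:

```conf
#!/usr/sbin/setkey -f
# Added example (not from the thread or from ipsec-tools): GWa's setkey
# script for PCa(10.10.0.1) - GWa(10.0.0.2) ==== GWb(10.0.0.3) - PCb(10.20.0.4).
# SPIs and keys below are placeholders chosen for illustration only.
flush;
spdflush;

# --- What does NOT work: a transport-mode policy on a gateway ---
# Transport mode keeps the original IP header (src 10.10.0.1, dst 10.20.0.4)
# and protects only the payload. GWb then receives an ESP packet whose
# destination is PCb, not GWb, so it has no reason to decapsulate it and
# simply forwards it on, which is exactly what the poster saw in tcpdump.
#
#   spdadd 10.10.0.0/24 10.20.0.0/24 any -P out ipsec esp/transport//require;

# --- What works: tunnel mode between the two gateways ---
# Manually keyed SAs, one per direction. In practice racoon/IKE would
# negotiate these; the 16-byte AES-CBC and 20-byte HMAC-SHA1 keys here are
# dummy values and must not be reused anywhere.
add 10.0.0.2 10.0.0.3 esp 0x201 -m tunnel
    -E aes-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567;
add 10.0.0.3 10.0.0.2 esp 0x301 -m tunnel
    -E aes-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha1 0x76543210fedcba9876543210fedcba9876543210;

# Policies: LAN-to-LAN traffic leaves GWa wrapped in an outer IP header
# 10.0.0.2 -> 10.0.0.3, so GWb is the packet's destination and decrypts it
# before forwarding the inner packet to PCb. The inbound policy protects
# the reverse direction.
spdadd 10.10.0.0/24 10.20.0.0/24 any -P out ipsec
    esp/tunnel/10.0.0.2-10.0.0.3/require;
spdadd 10.20.0.0/24 10.10.0.0/24 any -P in ipsec
    esp/tunnel/10.0.0.3-10.0.0.2/require;
```

GWb uses the same two `add` lines (both ends must hold both SAs) with the two `spdadd` directions swapped: 10.20.0.0/24 to 10.10.0.0/24 is `out` via `esp/tunnel/10.0.0.3-10.0.0.2/require`, and the reverse is `in`. On Linux, packets that are decrypted and then forwarded are also matched against `fwd` policies; if GWb decrypts but drops the inner packet, check `setkey -DP` for a forwarding policy and add an explicit `-P fwd` entry mirroring the `in` policy. With this in place no SNAT/DNAT is needed at all, which avoids the NAT-plus-IPsec interaction monas warns about.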