From: Wolfgang S. <wol...@di...> - 2011-11-08 20:02:32
Since the picture in my previous email below didn't come through very well, I am sending it again as a text file attachment.

Regards
Wolfgang

-----Original message-----
From: Wolfgang Schmieder [mailto:wol...@di...]
Sent: Tuesday, 8 November 2011 20:13
To: ips...@li...
Subject: [Ipsec-tools-devel] patch supporting several racoon VPN gateways behind a NAT-T router via different IP ports

Dear ipsec-tools maintainers,

I'd like to introduce a patch which I needed for an actual usage scenario, which is that I have 2 racoon VPN gateways behind a NAT-T router, each being responsible for a VPN tunnel to a dedicated subnet. To use that feature, it is important to set the "unique" property in the security policies as shown in the example below. The change should be backward compatible/interoperable with ipsec-tools-0.8.0.

The patch is based on a CVS trunk snapshot from last Sunday evening (an...@an...:/cvsroot at 2011-11-06 22:00 CET) plus my 4 previous patches:

  p1-2011-11-06_rename_pfkey_to_racoon_pfkey.patch.tar.bz2
  p2-p1_memory_leak_fixes_parser.patch.tar.bz2
  p3-p2_individual_remote_natt_ports.patch.tar.bz2
  p4-p3_bugfixes_and_cleanup.patch.tar.bz2

Example: There is a subnet 192.168.90.0/24 with a racoon VPN gateway 192.168.90.2 and another subnet 192.168.91.0/24 with a racoon VPN gateway 192.168.91.2 behind a NAT router. A VPN tunnel to 192.168.90.2 is established via port/natt-port 590/4590 and a VPN tunnel to 192.168.91.1 is established via port/natt-port 591/4591. There are 4 port forwardings in the NAT router to the corresponding racoon VPN gateways. Both VPN gateways are in passive mode and generate policies. There is another racoon VPN client gateway on network 192.168.80.0/24 on the other side of the tunnel, which will initiate the connection.

  +-----------------+     +------------------+     +------------------+
  | racoon VPN      |     | router           |     | router           |        port forwarding 590/4590
  | 192.168.80.2    +-----+ <-192.168.80.1   |     |   192.168.90.1-> +---+    +-------------+
  +-----------------+     |   172.16.80.1->  +-----+ <-172.16.90.1    |   +----+ racoon VPN  |
                          +------------------+     +------------------+   |    | 192.168.90.2|
                                                                          |    +-------------+
                                                                          |
                                                                          |    +-------------+
                                                                          +----+ racoon VPN  |
                                                                               | 192.168.91.2|
                                                                               +-------------+
                                                                          port forwarding 591/4591

The security policies for the left VPN gateway 192.168.80.2 look as follows:

  # policies for 192.168.90.0/24 public endpoint 172.16.90.1[590]
  spdadd 192.168.80.0/24 192.168.90.0/24 any -P out ipsec esp/tunnel/192.168.80.2-172.16.90.1/unique:590;
  spdadd 192.168.90.0/24 192.168.80.0/24 any -P in ipsec esp/tunnel/172.16.90.1-192.168.80.2/unique:590;

  # policies for 192.168.91.0/24 public endpoint 172.16.90.1[591]
  spdadd 192.168.80.0/24 192.168.91.0/24 any -P out ipsec esp/tunnel/192.168.80.2-172.16.90.1/unique:591;
  spdadd 192.168.91.0/24 192.168.80.0/24 any -P in ipsec esp/tunnel/172.16.90.1-192.168.80.2/unique:591;

172.16.90.1 represents the global Internet IP address of the NAT router with the 2 networks 192.168.90.0/24 and 192.168.91.0/24 behind it. (They are in fact private IP addresses, but I used them to simulate the Internet in a test bed with multiple virtual machines on my PC.)

Now I must somehow tell the racoon client VPN gateway that it should use port 590/4590 for the tunnel to remote network 192.168.90.0/24 and port 591/4591 for the tunnel to remote network 192.168.91.0/24. Therefore I introduced a configuration extension in cfparse.y/racoon.conf which looks as follows:

  remote 172.16.90.1 {
      ...
      ...
      destinations {
          192.168.90.2/24 [590], [4590];   # [port], [natt port]
          192.168.91.2/24 [591], [4591];   # [port], [natt port]
      }
      ...
  }

  listen {
      isakmp 192.168.80.2[590];
      isakmp_natt 192.168.80.2[4590];
      isakmp 192.168.80.2[591];
      isakmp_natt 192.168.80.2[4591];
  }

With this extension I can now tell racoon which port to use for which remote subnet.

Best regards
Wolfgang

P.S.: I see that there could be an enhancement of this destination feature in the future, so that racoon could optionally even generate the policies for the active peer of the tunnel. This would have the advantage that the user has only the racoon configuration file to set up a tunnel, and does not need to care about the setkey command for adding policies.
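Added example, not part of the mail above and not ipsec-tools code: a small Python model of the proposed "destinations" table. It parses the block in the syntax the mail shows, picks the ISAKMP/NAT-T port pair for a remote address by longest-prefix match (the lookup the patch has to do when racoon initiates to 172.16.90.1 on behalf of a given subnet), and derives the initiator's four spdadd lines from the same table, using the port number as the unique reqid exactly as the mail's policies do. The function names, the sample block, and the duplicate-port check (each tunnel needs its own listen port, so a port used twice is a configuration error) are this example's own assumptions; racoon does not generate these policies itself, which is what the P.S. proposes as future work.

```python
"""Model of the per-destination port table from the proposed racoon.conf
extension.  Example code written for this page; not racoon's parser."""
import ipaddress
import re

# Constructed sample: the 'destinations' block as shown in the mail.
CONSTRUCTED_DESTINATIONS = """
    192.168.90.2/24 [590], [4590];   # [port], [natt port]
    192.168.91.2/24 [591], [4591];   # [port], [natt port]
"""

# '<addr>/<prefix> [port], [natt_port];' with optional whitespace
_LINE = re.compile(r"^(\S+)\s*\[(\d+)\]\s*,\s*\[(\d+)\]\s*;$")


def parse_destinations(block):
    """Return a list of (network, port, natt_port) tuples.

    A host address with a prefix (192.168.90.2/24) is normalised to its
    network (192.168.90.0/24), mirroring how the spdadd lines name the
    subnet rather than the gateway.  Assumption of this example: every
    port must be distinct, because each one becomes its own listen entry.
    """
    dests = []
    seen_ports = set()
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"cannot parse destination line: {raw!r}")
        net = ipaddress.ip_network(m.group(1), strict=False)
        port, natt_port = int(m.group(2)), int(m.group(3))
        for p in (port, natt_port):
            if not 1 <= p <= 65535:
                raise ValueError(f"port out of range: {p}")
            if p in seen_ports:
                raise ValueError(f"port {p} used twice; each tunnel needs its own listen port")
            seen_ports.add(p)
        dests.append((net, port, natt_port))
    return dests


def select_ports(dests, remote_addr):
    """Longest-prefix match of remote_addr against the table.

    Returns (port, natt_port) or None when no destination covers the
    address (the caller would then fall back to racoon's default 500/4500).
    """
    addr = ipaddress.ip_address(remote_addr)
    best = None
    for net, port, natt_port in dests:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, port, natt_port)
    return None if best is None else (best[1], best[2])


def spd_policies(local_net, local_gw, peer_addr, dests):
    """Emit the initiator-side setkey policies, one in/out pair per subnet.

    The port number is reused as the 'unique' reqid, as in the mail, so
    that traffic for each remote subnet gets its own SA pair.
    """
    lines = []
    for net, port, _natt_port in dests:
        lines.append(
            f"spdadd {local_net} {net} any -P out ipsec "
            f"esp/tunnel/{local_gw}-{peer_addr}/unique:{port};")
        lines.append(
            f"spdadd {net} {local_net} any -P in ipsec "
            f"esp/tunnel/{peer_addr}-{local_gw}/unique:{port};")
    return lines


if __name__ == "__main__":
    table = parse_destinations(CONSTRUCTED_DESTINATIONS)
    print("ports for 192.168.91.77:", select_ports(table, "192.168.91.77"))
    for line in spd_policies("192.168.80.0/24", "192.168.80.2", "172.16.90.1", table):
        print(line)
```

Running the module prints the port pair (591, 4591) for a host in 192.168.91.0/24 and the same four spdadd lines the mail lists for the 192.168.80.2 gateway, which is a quick way to check that a hand-written destinations block and the setkey policies agree on the reqid.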