From: SourceForge.net <no...@so...> - 2005-02-13 08:03:22
Support Requests item #1120423, was opened at 2005-02-10 23:46
Message generated for change (Comment added) made by croisez
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=1120423&group_id=74601

Category: Configuration
Group: setkey
Status: Open
Priority: 5
Submitted By: LMCroisez (croisez)
Assigned to: Nobody/Anonymous (nobody)
Summary: How to configure Transport mode between two gateways?

Initial Comment:
Hi!

I would like to configure two ipsec gateways in transport mode. Here is my config:

PCa(10.10.0.1/24) --- (10.10.0.2/24)GW(10.0.0.2/24) ==== (10.0.0.3/24)GWb(10.20.0.3/24) --- (10.20.0.4/24)PCb

When PCa sends a ping to PCb, the icmp packet is well enciphered by GWa (I see it in the tcpdump traces), but it is not deciphered by GWb. Instead, it is simply forwarded "as is" to PCb.

What could be the problem? Is it actually impossible to configure a transport mode for "transparent" gateways? I mean as transparent gateways, linux boxes that take traffic from a private LAN and encrypt it before ip_forwarding it to the internet.

Any help is welcome.
AdvTHANKSance

----------------------------------------------------------------------

>Comment By: LMCroisez (croisez)
Date: 2005-02-13 09:03

Message:
Logged In: YES
user_id=1216741

I don't know in fact if the version of ipsec which is native in kernel 2.6.9 is capable of doing NAT traversal. Whatever, I will try your suggestion (snat, dnat).

----------------------------------------------------------------------

Comment By: Aidas Kasparas (monas)
Date: 2005-02-12 13:16

Message:
Logged In: YES
user_id=39627

I wrote about mysterious results. I'm confident that if you do not explicitly exclude ESP (AH) packets from NAT'ing, you'll get corrupted port numbers on returning packets. This is caused by a bug in the kernel. Knowing the above, I avoid having IPSec and NAT on a single packet in my setups. Therefore, I do not know whether these two can be combined (and if they can't, for what reason and how to fix that).

And BTW, why do you need such a bizarre setup?

----------------------------------------------------------------------

Comment By: LMCroisez (croisez)
Date: 2005-02-11 23:14

Message:
Logged In: YES
user_id=1216741

Thx for your comment monas.

snat/dnat could fool GWb the way I want, but I think that modifying the ip packets will corrupt the crc computation? (= classical problem of NAT traversal) What do you think?

----------------------------------------------------------------------

Comment By: Aidas Kasparas (monas)
Date: 2005-02-11 00:22

Message:
Logged In: YES
user_id=39627

It is impossible to do that by definition! The IPSec standard defines transport mode only for the end-system to end-system case. If there are gateways involved, you have to use tunnel mode.

If you want GWb to decrypt transport mode IPSec packets, then the only case that I can think of is to use transport mode for GWa-GWb traffic. But then you have to SNAT packets from PCa, and optionally DNAT packets to PCb to GWb, or ask PCa to contact GWb, which will DNAT some traffic to PCb. And I'm not sure that such a setup will work at all, as IPSec and NAT sometimes produce mysterious results.

----------------------------------------------------------------------
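As an added example (not from this tracker thread and not ipsec-tools project code), here is the setkey(8) configuration that the answer above implies: tunnel-mode SAs between the gateway WAN addresses 10.0.0.2 (the box labelled "GW" in the diagram, taken to be GWa) and 10.0.0.3 (GWb), with policies selecting the two private LANs 10.10.0.0/24 and 10.20.0.0/24. The SPIs and keys are constructed placeholders. The transport-mode policy is generated alongside purely for contrast: tunnel mode wraps each LAN packet in a new IP header addressed gateway to gateway, whereas transport mode keeps the original header, which is why it only fits the gateways' own traffic.

```shell
#!/bin/sh
# Added example (not from the tracker thread): generate a setkey(8) script
# for an IPsec tunnel between two gateways, each fronting a private LAN.
# Addresses follow the thread's diagram; SPIs and keys are constructed
# placeholders and must be replaced before use.

GWA=10.0.0.2        # GWa WAN address ("GW" in the diagram)
GWB=10.0.0.3        # GWb WAN address
LANA=10.10.0.0/24   # LAN behind GWa
LANB=10.20.0.0/24   # LAN behind GWb

# PLACEHOLDER keys (constructed). aes-cbc here takes a 16-byte key (32 hex
# chars); hmac-sha1 takes a 20-byte key (40 hex chars). Generate real ones
# with e.g. `openssl rand -hex 16` / `openssl rand -hex 20`, one set per direction.
ENC_AB=0x00112233445566778899aabbccddeeff
AUTH_AB=0x0011223344556677889900aabbccddeeff001122
ENC_BA=0xffeeddccbbaa99887766554433221100
AUTH_BA=0xffeeddccbbaa9988776600ffeeddccbbaa998877

# Returns the hex-digit count of a 0x-prefixed key.
hex_len() { k=${1#0x}; printf '%s\n' "${#k}"; }

# Refuses key material of the wrong size before it reaches the kernel.
check_key_lengths() {
    [ "$(hex_len "$ENC_AB")" -eq 32 ] && [ "$(hex_len "$ENC_BA")" -eq 32 ] &&
    [ "$(hex_len "$AUTH_AB")" -eq 40 ] && [ "$(hex_len "$AUTH_BA")" -eq 40 ]
}

# gen_tunnel_config a|b  -> setkey script for GWa or GWb.
# Both gateways load the same two SAs; only the policy direction differs.
gen_tunnel_config() {
    case "$1" in
        a) local_lan=$LANA; remote_lan=$LANB; me=$GWA; peer=$GWB ;;
        b) local_lan=$LANB; remote_lan=$LANA; me=$GWB; peer=$GWA ;;
        *) echo "usage: gen_tunnel_config a|b" >&2; return 1 ;;
    esac
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;

# Manually keyed SAs, one per direction, tunnel mode between the gateways.
add $GWA $GWB esp 0x201 -m tunnel -E aes-cbc $ENC_AB -A hmac-sha1 $AUTH_AB;
add $GWB $GWA esp 0x301 -m tunnel -E aes-cbc $ENC_BA -A hmac-sha1 $AUTH_BA;

# Policies: LAN-to-LAN traffic leaves wrapped in a new IP header $me -> $peer
# and is expected to arrive encapsulated $peer -> $me.
spdadd $local_lan $remote_lan any -P out ipsec esp/tunnel/$me-$peer/require;
spdadd $remote_lan $local_lan any -P in ipsec esp/tunnel/$peer-$me/require;
EOF
}

# For contrast: the transport-mode policy (as seen from GWa) that the answer
# describes as the only way transport mode applies here, protecting the
# gateways' own traffic. The original IP header (src/dst = the two gateways)
# is kept, so nothing here matches a forwarded packet whose header says
# PCa -> PCb.
gen_transport_policy() {
    cat <<EOF
spdadd $GWA $GWB any -P out ipsec esp/transport//require;
spdadd $GWB $GWA any -P in ipsec esp/transport//require;
EOF
}

# Usage: sh gen-setkey.sh a > /etc/ipsec-tools.conf   (on GWa; "b" on GWb)
if [ "${1:-}" = "a" ] || [ "${1:-}" = "b" ]; then
    check_key_lengths || { echo "bad key length" >&2; exit 1; }
    gen_tunnel_config "$1"
fi
```

Load the generated file with `setkey -f` on each gateway (both must carry identical SAs), then confirm with `setkey -D` (SAD) and `setkey -DP` (SPD). With this in place, a tcpdump on GWb's WAN side should show ESP with outer addresses 10.0.0.2 -> 10.0.0.3 rather than the PCa -> PCb header the thread observed being forwarded untouched.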