#13 How to configure Transport mode between two gateways?

Group: setkey
Status: closed
Owner: nobody
Priority: 5
Updated: 2009-01-16
Created: 2005-02-10
Creator: LMCroisez
Private: No

Hi!
I would like to configure two IPsec gateways in transport mode. Here is my config:

PCa(10.10.0.1/24) --- (10.10.0.2/24)GWa(10.0.0.2/24)

(10.0.0.3/24)GWb(10.20.0.3/24) --- (10.20.0.4/24)PCb

When PCa sends a ping to PCb, the ICMP packet is correctly enciphered by GWa (I see it in the tcpdump traces), but it is not deciphered by GWb. Instead, it is simply forwarded "as is" to PCb.

What could be the problem? Is it actually impossible to configure transport mode for "transparent" gateways? By transparent gateways I mean Linux boxes that take traffic from a private LAN and encrypt it before ip_forwarding it to the Internet.

Any help is welcome.

AdvTHANKSance

Discussion

  • Aidas Kasparas - 2005-02-10

    It is impossible to do that by definition! The IPsec standard
    defines transport mode only for the end-system to end-system
    case. If there is a gateway involved, you have to use tunnel
    mode.

    If you want GWb to decrypt transport-mode IPsec packets, then
    the only case that I can think of is to use transport mode for
    GWa-GWb traffic. But then you have to SNAT packets from PCa,
    and optionally DNAT packets to PCb to GWb, or ask PCa to
    contact GWb, which will DNAT some traffic to PCb. And I'm not
    sure that such a setup will work at all, as IPsec and NAT
    sometimes produce mysterious results.
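For the topology in the post, this is what the tunnel-mode setkey configuration that the answer above calls for looks like on GWa. It is an added illustration written for this page, not the reporter's own config and not code from the ipsec-tools project. The addresses are the ones in the post; the SPIs (0x201, 0x301) and the keys are placeholders I chose, and manual keying is used only to keep the example self-contained (in practice you would let racoon negotiate the SAs via IKE). The commented-out transport-mode policy shows why the original attempt fails: transport mode keeps the original PCa-to-PCb IP header, so the ESP packet is addressed to 10.20.0.4 and GWb simply routes it onward instead of processing it.

```conf
# GWa (outer address 10.0.0.2), loaded with: setkey -f /etc/ipsec-tools.conf
# Added example: addresses taken from the post, SPIs and keys are placeholders.
flush;
spdflush;

# What the transport-mode attempt amounts to. The inner PCa->PCb header stays
# on the outside, so the ESP packet is destined for 10.20.0.4, not for GWb,
# and GWb forwards it untouched. Shown only for comparison, do not use:
#   spdadd 10.10.0.0/24 10.20.0.0/24 any -P out ipsec esp/transport//require;

# Tunnel-mode SAs between the two gateway outer addresses, one per direction.
# Placeholder keys: aes-cbc 128-bit (16 bytes), hmac-sha1 (20 bytes).
# Generate real ones with: openssl rand -hex 16 ; openssl rand -hex 20
add 10.0.0.2 10.0.0.3 esp 0x201 -m tunnel
    -E aes-cbc 0x000102030405060708090a0b0c0d0e0f
    -A hmac-sha1 0x000102030405060708090a0b0c0d0e0f10111213;
add 10.0.0.3 10.0.0.2 esp 0x301 -m tunnel
    -E aes-cbc 0x0f0e0d0c0b0a09080706050403020100
    -A hmac-sha1 0x131211100f0e0d0c0b0a09080706050403020100;

# Policies: traffic between the two LANs is encapsulated GWa <-> GWb, so on
# the wire the ESP packets run between 10.0.0.2 and 10.0.0.3 and GWb
# recognises them as its own.
spdadd 10.10.0.0/24 10.20.0.0/24 any -P out
    ipsec esp/tunnel/10.0.0.2-10.0.0.3/require;
spdadd 10.20.0.0/24 10.10.0.0/24 any -P in
    ipsec esp/tunnel/10.0.0.3-10.0.0.2/require;

# GWb (outer address 10.0.0.3) mirrors this: the same two SAs, and the two
# policies with the LANs and tunnel endpoints swapped:
#   spdadd 10.20.0.0/24 10.10.0.0/24 any -P out ipsec esp/tunnel/10.0.0.3-10.0.0.2/require;
#   spdadd 10.10.0.0/24 10.20.0.0/24 any -P in  ipsec esp/tunnel/10.0.0.2-10.0.0.3/require;
```

After loading, `setkey -D` should list the two SAs and `setkey -DP` the policies; a tcpdump on the 10.0.0.0/24 link should then show ESP between 10.0.0.2 and 10.0.0.3 rather than between the PC addresses. Two checks worth doing on a Linux gateway: the decrypted packets are forwarded, so the kernel also consults a forward policy; confirm that `setkey -DP` shows a `fwd` entry next to the `in` one and add it with `-P fwd` if your setkey version does not create it automatically. And if either gateway runs NAT, exclude the ESP (proto 50) traffic between the two outer addresses from the NAT rules, for the reason given later in this thread.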

  • LMCroisez - 2005-02-11

    Thanks for your comment, monas.
    SNAT/DNAT could fool GWb the way I want, but I think that
    modifying the IP packets will corrupt the CRC computation?
    (= the classical problem of NAT traversal)
    What do you think?

  • Aidas Kasparas - 2005-02-12

    I wrote about mysterious results.

    I'm confident that if you do not explicitly exclude ESP
    (AH) packets from NATing, you'll get corrupted port numbers
    on returning packets. This is caused by a bug in the kernel.

    Knowing the above, I avoid having IPsec and NAT on a single
    packet in my setups. Therefore, I do not know whether these two
    can be combined (and if they can't, for what reason and how to
    fix that).

    And BTW, why do you need such a bizarre setup?

  • LMCroisez - 2005-02-13

    In fact, I don't know whether the version of IPsec that is
    native in kernel 2.6.9 is capable of doing NAT traversal.

    Whatever the case, I will try your suggestion (SNAT, DNAT).

  • Aidas Kasparas - 2005-02-13

    I'm sorry, I misunderstood your message.

    NAT traversal is working OK. Therefore, you have two options:
    1) PCa-to-PCb transport mode with the gateways acting as dumb
    NAT devices (knowing nothing about IPsec, except that they
    need to NAT udp/500, udp/4500 and proto 50);
    2) transport mode between the gateways and the SNAT/DNAT mess.

    Then go for the first option. You'll have much less trouble.
    And if you have some third option, could you please describe
    it in detail? Especially note limitations (such as PCa does
    not support IPsec, or GWb is not under my control and
    requires A, B, C).

  • Timo Teras - 2009-01-16

    status: open --> closed

  • Timo Teras - 2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been
    cared for, please submit a new bug report to the
    https://trac.ipsec-tools.net/ issue tracker. Thank you.
