tech-net archive
How to apply NAT before IPSec on outgoing packets
Hi,
we have a network setup where we have a NAT-router (running NetBSD 5.0-release)
communicating with a VPN gateway through IPSec-tunnel mode. The NAT-Router
should forward all packets from the internal network to the remote site.
We are currently experiencing problems with NAT in combination with IPsec.
Our setup:
Internal LAN <====> router <====> IPSec over public network <=> VPN-GW <=>
Corporate LAN
So far, the IPSec-tunnel comes up (using racoon and tunnel mode), but the
problem is that our router also needs to do NAT on outgoing packets so that we
can allow the same IP addresses for internal LANs on several sites. Currently,
we use the external network interface for NAT.
We see problems when sending a packet from the internal LAN to the corporate
LAN: After NAT, the IPSec encryption needs to be applied on the source IP
addresses. The IPsec configuration currently is for the NATed network on the
local side, and everything (0.0.0.0) on the remote side.
Using tcpdump and code inspection, we found out that IPSec encryption is
applied before NAT, so in our case, no IPsec encryption is done at all (as we
only encrypt what comes from the NATed network), and the packets are sent
unencrypted after NAT was applied on them.
What we would need is to first have our source IP address go through NAT, and
then have IPsec processing applied.
We found an older posting
http://mail-index.netbsd.org/tech-net/2009/06/12/msg001385.html regarding the
same problem in the opposite direction. Therefore we expect that we also need
to patch the kernel sources in order to make our system apply NAT first and
IPSec after that on outgoing packets.
If anyone has a similar configuration running or can advise us where to look
inside the kernel sources to get this done, this would be much appreciated.
We're glad to provide more details if needed.
Please CC: me on replies as I'm not subscribed to this list (yet).
Thanks in advance!
- Daniel
A.P.E. GmbH
Hard- & Software Development
Daniel Zebralla
Galgenbergstraße 2a - Posthof
93053 Regensburg - Germany
Phone +49 (941) 78385-460
Fax +49 (941) 78385-150
D.Zebralla%ape-net.com@localhost
http://www.ape-net.com
_______________________________________
A.P.E. GmbH IT-Security
Registered office: Regensburg
Commercial register: HRB 5953, Regensburg
Managing director: Dr. Dieter Steiner
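The ordering problem the post describes, as an added example that is not code from the original post, from NetBSD or from racoon: a small model of the router's outbound path that runs one internal-LAN packet through the two stage orders (IPsec before NAT, as observed on the router, and NAT before IPsec, as needed) against an SPD like the one described (local side = the NATed network, remote side = 0.0.0.0/0). All addresses are constructed from the RFC 5737 documentation ranges, and the third policy variant (SPD_BOTH, which also selects on the untranslated internal LAN) is an assumed policy-side workaround, not something the post proposes; the model shows why it is not equivalent to fixing the order.

```python
"""Model of outbound packet processing order on a NAT + IPsec router.

Added example: not code from the original post, from NetBSD, or from racoon.
It contrasts the two stage orders the post discusses against a security
policy database (SPD) like the one described. Addresses are constructed
(RFC 5737 ranges); SPD_BOTH is an assumed workaround, not from the post.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional, Tuple

# Constructed topology (all addresses are examples)
INTERNAL_LAN = ip_network("192.168.1.0/24")   # same range reused at several sites
NATED_NET = ip_network("203.0.113.0/24")      # site-unique range seen after NAT
NAT_SRC = ip_address("203.0.113.5")           # address the router NATs to
ROUTER_PUBLIC = "198.51.100.2"                # router's external interface
VPN_GW = "192.0.2.1"                          # corporate VPN gateway
CORP_LAN = ip_network("10.0.0.0/8")           # corporate LAN behind the VPN-GW
ANY = ip_network("0.0.0.0/0")

# SPD entries: (local selector, remote selector). Matching packets require an
# ESP tunnel to VPN_GW; anything else is sent as it is (no policy = bypass).
SPD_NATED_ONLY = [(NATED_NET, ANY)]                   # what the post describes
SPD_BOTH = [(NATED_NET, ANY), (INTERNAL_LAN, ANY)]    # assumed policy-side workaround


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    # (outer src, outer dst) once ESP tunnel-mode encapsulation has been applied
    outer: Optional[Tuple[str, str]] = None

    @property
    def encrypted(self) -> bool:
        return self.outer is not None


def spd_match(pkt: Packet, spd) -> bool:
    """Policy lookup on the inner (pre-encapsulation) header, as the SPD sees it."""
    return any(pkt.src in local and pkt.dst in remote for local, remote in spd)


def ipsec_out(pkt: Packet, spd) -> Packet:
    """Tunnel-mode ESP: wrap the packet in an outer header router -> VPN gateway."""
    if not pkt.encrypted and spd_match(pkt, spd):
        return replace(pkt, outer=(ROUTER_PUBLIC, VPN_GW))
    return pkt  # no matching policy: the packet leaves in the clear


def nat_out(pkt: Packet, spd) -> Packet:
    """Source NAT on the external interface; rewrites the header it can see."""
    if pkt.encrypted:
        return pkt  # outer source is already the router's public address
    if pkt.src in INTERNAL_LAN:
        return replace(pkt, src=NAT_SRC)
    return pkt


IPSEC_THEN_NAT = (ipsec_out, nat_out)   # order the post found on its router
NAT_THEN_IPSEC = (nat_out, ipsec_out)   # order the post needs


def simulate(stages, spd, src="192.168.1.10", dst="10.1.2.3") -> Packet:
    """Run one internal-LAN -> corporate-LAN packet through the given stage order."""
    pkt = Packet(ip_address(src), ip_address(dst))
    for stage in stages:
        pkt = stage(pkt, spd)
    return pkt


def verdict(pkt: Packet) -> str:
    """Classify what actually left the external interface (what tcpdump would show)."""
    if pkt.dst in CORP_LAN and not pkt.encrypted:
        return "cleartext leak"                           # the failure the post describes
    if pkt.encrypted and pkt.src not in NATED_NET:
        return "encrypted, inner source not translated"   # overlapping LANs still collide
    return "ok"


if __name__ == "__main__":
    for name, stages, spd in [
        ("IPsec then NAT, SPD on NATed net", IPSEC_THEN_NAT, SPD_NATED_ONLY),
        ("NAT then IPsec, SPD on NATed net", NAT_THEN_IPSEC, SPD_NATED_ONLY),
        ("IPsec then NAT, SPD on both nets", IPSEC_THEN_NAT, SPD_BOTH),
    ]:
        out = simulate(stages, spd)
        print(f"{name}: src={out.src} outer={out.outer} -> {verdict(out)}")
```

The first case is the fail-open the post observed: because the SPD lookup runs on the untranslated source, nothing matches and the packet reaches the public network as plaintext after NAT. Widening the SPD to the internal LAN (third case) makes the packet leave encrypted, but the inner source is then the untranslated, site-overlapping address, which defeats the reason for NATing in the first place; only the NAT-then-IPsec order gives a tunnelled packet whose inner source is the site-unique NATed address. The verdict mirrors the check on the external interface: ESP to the VPN gateway is expected, and any plaintext packet addressed to the corporate LAN is the symptom.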