 From:  Daniele Guazzoni <daniele dot guazzoni at gcomm dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Cisco VPN Client behind m0n0wall
 Date:  Thu, 18 Nov 2004 23:59:29 +0100
The common problem with IPsec on UDP-500 is the source port.
As client and server communicate with each other using UDP-500, you cannot
natively run two VPNs simultaneously over a single IP address as NAT
(masquerading) does.

The Cisco solution to this, beside NAT-T is IPsec over TCP-10000
(another port can be used but 10000 is the default).
With this feature enabled the source port is randomly assigned in the
high port range and does not undergo the limitation of NAT.

It also provides a faster tunnel setup compared to NAT-T, as it does
not have to probe for a port or negotiate it.

Otherwise, depending on what you're doing on the VPN, you could use SSL
tunnels (Web-VPN in the Cisco world).

Daniele

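Daniele's point about the source port, and Tom's single-host workaround further down the thread, as an added example that is not part of the original mailing-list posts: a toy Python model of a masquerading NAT. It treats classic IKE as a flow whose UDP/500 source port the peer insists on (so the NAT may not rewrite it), while NAT-T on UDP/4500 and IPsec over TCP/10000 tolerate a translated source port. The addresses, the `Masquerade` class and the `keep_source_port`/`add_static_rdr` names are constructed for the illustration; this is not m0n0wall or ipnat code, and the model ignores IKE cookies and SPIs.

```python
# Toy model of masquerading NAT behind which IPsec clients sit.
# Constructed example; addresses come from documentation/private ranges.
from dataclasses import dataclass, replace
from typing import Optional

WAN_IP = "203.0.113.5"                             # firewall's public address (constructed)
CONCENTRATOR = "198.51.100.9"                      # VPN concentrator (constructed)
HOST_A, HOST_B = "192.168.1.10", "192.168.1.11"    # two inside VPN clients (constructed)


@dataclass(frozen=True)
class Packet:
    proto: str                    # "udp", "tcp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None   # ESP carries no ports
    dport: Optional[int] = None


class Masquerade:
    """Port-address translation keyed on the 5-tuple, plus optional static inbound redirects."""

    def __init__(self, wan_ip: str, keep_source_port: frozenset = frozenset()):
        self.wan_ip = wan_ip
        # Source ports the peer insists on (classic IKE: 500 -> 500). The NAT may not
        # rewrite these, so two inside hosts compete for the same public 5-tuple.
        self.keep_source_port = keep_source_port
        self.table: dict = {}       # (proto, wan_port, peer, peer_port) -> (inside_ip, inside_port)
        self.static_rdr: dict = {}  # (proto, dport) -> inside host; the manual inbound NAT workaround
        self.next_port = 49152      # first ephemeral port handed out by the masquerade

    def add_static_rdr(self, proto: str, dport: Optional[int], inside: str) -> None:
        self.static_rdr[(proto, dport)] = inside

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, recording state for the reply."""
        if pkt.proto == "esp":
            # No ports to rewrite: replies from the peer cannot be told apart per inside host.
            return replace(pkt, src=self.wan_ip)
        if pkt.sport in self.keep_source_port:
            wan_port = pkt.sport
        else:
            wan_port = self.next_port
            self.next_port += 1
        key = (pkt.proto, wan_port, pkt.dst, pkt.dport)
        owner = self.table.get(key)
        if owner is not None and owner != (pkt.src, pkt.sport):
            raise ValueError(f"{pkt.proto}/{wan_port} to {pkt.dst} already owned by {owner[0]}")
        self.table[key] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.wan_ip, sport=wan_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside, or None when the firewall drops it."""
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            inside_ip, inside_port = self.table[key]
            return replace(pkt, dst=inside_ip, dport=inside_port)
        inside = self.static_rdr.get((pkt.proto, pkt.dport))
        if inside is not None:
            return replace(pkt, dst=inside)
        return None


def classic_ike_two_clients() -> str:
    """Two inside hosts start IKE (UDP 500 -> 500) to the same concentrator."""
    nat = Masquerade(WAN_IP, keep_source_port=frozenset({500}))
    nat.outbound(Packet("udp", HOST_A, CONCENTRATOR, 500, 500))
    try:
        nat.outbound(Packet("udp", HOST_B, CONCENTRATOR, 500, 500))
        return "second client mapped"
    except ValueError as err:
        return f"collision: {err}"


def nat_t_two_clients() -> tuple:
    """NAT-T on UDP 4500: the peer accepts a floated port, so both clients get distinct mappings."""
    nat = Masquerade(WAN_IP)
    a = nat.outbound(Packet("udp", HOST_A, CONCENTRATOR, 4500, 4500))
    b = nat.outbound(Packet("udp", HOST_B, CONCENTRATOR, 4500, 4500))
    return a.sport, b.sport


def tcp10000_two_clients() -> str:
    """IPsec over TCP 10000: ephemeral source ports, and the reply to HOST_B finds its way back."""
    nat = Masquerade(WAN_IP)
    nat.outbound(Packet("tcp", HOST_A, CONCENTRATOR, 51001, 10000))
    b = nat.outbound(Packet("tcp", HOST_B, CONCENTRATOR, 51002, 10000))
    reply = nat.inbound(Packet("tcp", CONCENTRATOR, WAN_IP, 10000, b.sport))
    return reply.dst


def unsolicited_ike_without_rdr() -> Optional[Packet]:
    """The concentrator initiates UDP/500 towards the firewall with no state: dropped."""
    return Masquerade(WAN_IP).inbound(Packet("udp", CONCENTRATOR, WAN_IP, 500, 500))


def static_workaround() -> tuple:
    """Inbound NAT for UDP/500 plus ESP pass-through to one host: works, but only for that host."""
    nat = Masquerade(WAN_IP, keep_source_port=frozenset({500}))
    nat.add_static_rdr("udp", 500, HOST_A)
    nat.add_static_rdr("esp", None, HOST_A)
    ike = nat.inbound(Packet("udp", CONCENTRATOR, WAN_IP, 500, 500))
    esp = nat.inbound(Packet("esp", CONCENTRATOR, WAN_IP))
    return ike.dst, esp.dst


if __name__ == "__main__":
    print(classic_ike_two_clients())
    print(nat_t_two_clients(), tcp10000_two_clients())
    print(unsolicited_ike_without_rdr(), static_workaround())
```

The static redirect models the thread's workaround: an unsolicited IKE packet or ESP from the concentrator is forwarded, but always to the one configured host, which is exactly why the workaround cannot serve a second inside client.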

On Thu, 2004-11-18 at 19:58, Josh McAllister wrote:
> The ideal solution would be if m0n0 supported port triggers or
> "application helpers" ... IE, m0n0 sees a connection from inside to
> outside (port x) and responds by opening port y and NATing it to the
> original inside host. It then tracks the outbound connection and removes
> the inbound NAT/fw rule when the outbound connection closes.
> 
> Linksys (and others I'm sure) do this.
> 
> It can also be done with Linux, and if you have the appropriate
> conntrack module you can even allow multiple inside hosts to access such
> an application simultaneously. It's quite likely there is something
> comparable for FreeBSD, but I don't know enough about FreeBSD to be
> sure.
> 
> How hard would it be to implement these "application helpers" into M0n0?
> Or perhaps the better question... how likely is it that this will be
> done?
> 
> Josh McAllister
> 
> -----Original Message-----
> From: Jake S [mailto:jake at agatestreet dot com] 
> Sent: Thursday, November 18, 2004 8:49 AM
> To: 'Tom Obermayr'; m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Cisco VPN Client behind m0n0wall
> 
> Tom,
> Glad it works.  Those commands also work on a Cisco PIX firewall using
> access lists but you need to do it on both interfaces.  I believe that is
> because ESP and ISAKMP are not trackable protocols like say... FTP
> 
> As far as a kernel module (like ftp-control and ftp-data) I don't think one
> exists yet for this application or at least I have not found one for Linux
> anyways.
> 
> Anyone else know of one?
> 
> Thank you,
> Jake 
> 
> 
> -----Original Message-----
> From: Tom Obermayr [mailto:to at bla dot net] 
> Sent: Thursday, November 18, 2004 7:43 AM
> To: Jake S; 'Jake S'; m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Cisco VPN Client behind m0n0wall
> 
> Jake,
> 
> thanks, that actually works (at least as a temporary workaround). What I
> had to do is allow ESP in, allow dest port 500/UDP in, and do inbound NAT
> for port 500/UDP to my internal system.
> 
> Of course this only works for a single internal IP address, but at least it
> allows me to access the VPN concentrator for now.
> 
> Again for all on the list: I can't turn on tunneling on the concentrator,
> that's why I was looking for some kind of intelligent solution (something
> like the ftp module comes to mind).
> 
> tom.
> 
> At 04:34 PM 11/18/2004, Jake S wrote:
> >You will also need the following too:
> >
> >concentrator IP/src port 500udp to your IP/dst port 500udp and vice versa
> >(also known as ISAKMP)
> >
> >I believe that the VPN client uses ISAKMP for phase I keying and then ESP
> >for phase II xauth.
> >
> >Thank you,
> >Jake
> >
> >-----Original Message-----
> >From: Jake S [mailto:jake at agatestreet dot com]
> >Sent: Thursday, November 18, 2004 7:21 AM
> >To: 'Tom Obermayr'; m0n0wall at lists dot m0n0 dot ch
> >Subject: RE: [m0n0wall] Cisco VPN Client behind m0n0wall
> >
> >I see.
> >
> >Perhaps you could open up the following rule on your mono box:
> >
> >concentrator IP to your IP and vice versa.  Use the protocol ESP for this.
> >
> >
> >Thank you,
> >Jake
> >
> >-----Original Message-----
> >From: Tom Obermayr [mailto:to at bla dot net]
> >Sent: Thursday, November 18, 2004 7:16 AM
> >To: Jake S; m0n0wall at lists dot m0n0 dot ch
> >Subject: RE: [m0n0wall] Cisco VPN Client behind m0n0wall
> >
> >I have no control over that Concentrator whatsoever, which is the reason
> >why I'm asking. The others are fine, but the one apparently doesn't have
> >that setting for whatever reason, and I have no chance of changing that.
> >
> >tom.
> >
> >At 04:12 PM 11/18/2004, Jake S wrote:
> > >Or you could turn on NAT traversal (NAT-T) on your concentrator which would
> > >encapsulate IPSec traffic on UDP 4500 outbound.
> > >
> > >
> > >
> > >Thank you,
> > >Jake Seitz
> > >
> > >
> > >-----Original Message-----
> > >From: Tom Obermayr [mailto:to at bla dot net]
> > >Sent: Thursday, November 18, 2004 7:05 AM
> > >To: m0n0wall at lists dot m0n0 dot ch
> > >Subject: [m0n0wall] Cisco VPN Client behind m0n0wall
> > >
> > >hi,
> > >
> > >I do have a problem with a client system using Cisco VPN client behind
> > >m0n0wall. Apparently there are different settings on the Cisco Concentrator
> > >that change the way the VPN connection is established.
> > >
> > >I have 3 different VPN entries in the Cisco client, two of which work just
> > >fine behind m0n0wall, whereas the 3rd one only works without the firewall.
> > >Looking at the firewall log, it seems that the VPN Concentrator is trying
> > >to connect to the client on port 500/UDP, which fails, of course.
> > >
> > >Maybe some kind of VPN client detection could be integrated, which
> > >automatically detects internal VPN clients trying to establish VPN
> > >sessions, and then allows the separate connection back in to go through?
> > >
> > >regards, tom.
> > >
> > >
> > >
> > >---------------------------------------------------------------------
> > >To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > >For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch