 
 From:  "Simon Buob" <simon dot buob at lan dot ch>
 To:  "Nicolai Scheer" <scope at planetavent dot de>, "Mark Huizer" <xaa at dohd dot org>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Problems with IPSEC and NAT over m0n0wall fw
 Date:  Mon, 6 Mar 2006 18:29:33 +0100
hi Nico

>If, and it seems so, the Nat-T issue keeps me/us from connecting, this
>is, as already stated, a serious limitation.

It is :(

>Is there any way to get around this?

Waiting till release of Version 1.3 (will be FreeBSD 6.x based AFAIK)

>And, by the way, I'm not in the details, why does PPTP work with the
>same setup?

It seems you understand the German language, so I'll give you an article
which describes this [1].
In other words: the allocation of the VPN clients to the corresponding
PPP tunnel is *not* encrypted, so the NAT has no problem seeing
which ID belongs to which client.
So you have this allocation of the Call IDs to the clients in the NAT table.
This is also called PPTP Pass-Through.

[1] http://www.heise.de/mobil/artikel/67955/2


Simon
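As an added illustration of Simon's point (example code written for this page, not from the list or from m0n0wall), the following parses the RFC 2637 enhanced-GRE header that PPTP uses and shows how a NAT can demultiplex inbound tunnel packets by the cleartext Call ID; the addresses, call IDs and packet are constructed.

```python
import struct
from typing import Dict, Optional, Tuple

PPTP_GRE_PROTO = 0x880B  # RFC 2637 enhanced GRE carrying PPP frames


def parse_pptp_gre(pkt: bytes) -> Optional[dict]:
    """Parse an RFC 2637 enhanced-GRE header. Returns None if it is not PPTP GRE."""
    if len(pkt) < 8:
        return None
    b0, b1, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    # b0 = C R K S s Recur(3); b1 = A Flags(4) Ver(3). PPTP sets K=1 and Ver=1.
    if proto != PPTP_GRE_PROTO or not (b0 & 0x20) or (b1 & 0x07) != 1:
        return None
    has_seq, has_ack = bool(b0 & 0x10), bool(b1 & 0x80)
    off, seq, ack = 8, None, None
    if has_seq:
        if len(pkt) < off + 4:
            return None
        (seq,) = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    if has_ack:
        if len(pkt) < off + 4:
            return None
        (ack,) = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": pkt[off:off + payload_len]}


def build_pptp_gre(call_id: int, seq: int, ack: int, ppp: bytes) -> bytes:
    """Constructed sample packet with the K, S and A bits set and Ver=1."""
    return struct.pack("!BBHHHII", 0x30, 0x81, PPTP_GRE_PROTO, len(ppp), call_id, seq, ack) + ppp


def route_inbound(calls: Dict[Tuple[str, int], str], server: str, gre_pkt: bytes) -> Optional[str]:
    """Pick the LAN host for a server->client GRE packet by its cleartext Call ID.
    `calls` maps (server IP, client Call ID) -> LAN host; a real NAT learns these
    pairs from the TCP/1723 control channel (Outgoing-Call-Request/Reply)."""
    hdr = parse_pptp_gre(gre_pkt)
    return None if hdr is None else calls.get((server, hdr["call_id"]))


if __name__ == "__main__":
    calls = {("203.0.113.5", 0x1234): "192.168.1.10", ("203.0.113.5", 0x5678): "192.168.1.11"}
    pkt = build_pptp_gre(0x5678, 1, 0, b"\xff\x03\xc0\x21")  # PPP LCP frame start, constructed
    print(route_inbound(calls, "203.0.113.5", pkt))  # 192.168.1.11
```

With ESP the equivalent demultiplexing key (the SPI) is chosen per direction and nothing in the encrypted payload helps the NAT, which is why IPsec needs NAT-T rather than a pass-through helper.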

-----Original Message-----
From: Nicolai Scheer [mailto:scope at planetavent dot de] 
Sent: Monday, March 06, 2006 4:32 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Problems with IPSEC and NAT over m0n0wall fw

Hi!

Mark Huizer wrote:
> Hello,
> 
> I checked google and the m0n0wall mailinglist for something resembling
> my problems, but I couldn't find anything that was close enough.
> 
> We have a vpn gateway at a public IP address (linux, openswan,
> certificates) using IPSEC/L2TP vpns for Windows XP roadwarriors.
> 
> So far so good, works like a charm.
> 
> Now one roadwarrior has a m0n0wall firewall at home, and he cannot get
> the VPN working.
> 
> The setup is basically:
> 
> VPNGW  ---- internet ---- m0n0wall ----- Windows XP
> 
> the m0n0wall is doing nat, no firewalling, just a basic 'insert cd,
> configure lan/wan interfaces and dhcp and connect the windows box'
> install. The version is 1.21
> 
> I installed a minimal FreeBSD system (FreeBSD 6.0) with ipfw/natd, to
> make sure that his Windows configuration wasn't the issue, and as to be
> expected: that worked like a charm.
> 
> It seems that somehow the NAT or some other IP related issue at the
> m0n0wall box is causing this vpn connection not to work.
> 
> The VPN gateway sees traffic coming in, some traffic is exchanged but as
> soon as the NAT-T related stuff should kick in, the problems start.
> With tcpdump on the vpngw I see traffic coming in at udp 4500 as
> expected from the windows box, but no replies. The logfiles at the vpngw
> talk about malformed payloads.
> 
> Is this a known problem? Can anyone provide me with some pointers on how
> to solve this issue, or explain why this is a limitation somehow?

I read about this in the documentation a few days ago:

8.1.2. Remote Access IPsec VPN
http://doc.m0n0.ch/handbook/ipsec.html#id2598234

I wonder if this is the issue that keeps me from connecting to my
m0n0wall via ipsec...

My home Net -- m0n0wall -- the internet -- some nat router -- me wanting
to access my home net

If, and it seems so, the Nat-T issue keeps me/us from connecting, this
is, as already stated, a serious limitation.

Is there any way to get around this?

And, by the way, I'm not in the details, why does PPTP work with the
same setup?

Thanks!

bye,

Nico