 
 From:  Jim Gifford <jim at giffords dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: SV: [m0n0wall] VPN ipsec m0n0 to m0n0
 Date:  Sat, 20 Mar 2004 13:28:40 -0500
No, AH is Authenticated Header, which means that there is a cryptographic
signature for the packet headers.  So, when the packet headers get
rewritten (that's what NAT does), it invalidates the cryptographic
signature for the header.  AH can't possibly work correctly behind NAT.

jim

On Sat, Mar 20, 2004 at 07:22:15PM +0100, Ronni Jørgensen wrote:
> I have forwarded all ports/esp (AH doesn't work behind NAT!)!!
> 
> -----Original message-----
> From: Falcor [mailto:falcor at netassassin dot com]
> Sent: 20 March 2004 16:50
> To: Ronni Jorgensen
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] VPN ipsec m0n0 to m0n0
> 
> you need to forward ESP to the m0n0wall.  UDP/TCP/ICMP are not needed as the
> tunnel will be negotiated and established over ESP.  (You can change this to
> AH if you want to.)
> 
> 
> Ronni Jorgensen wrote:
> 
> >Hi all
> >I have 2 m0n0walls, one with a static IP on the WAN port, and a second
> >m0n0 behind a NAT router (also a static IP!)
> >---LAN---m0n0----WAN-------INTERNET-------WAN-----ROUTER----NAT----WAN----m0n0wall---LAN
> >
> >192.168.2.0/24----m0n0---80.122.254.21-----INTERNET-----212.242.22.21----ROUTER---10.0.0.0/24----m0n0wall---172.16.10.0
> >
> >I have forwarded all ports udp/tcp/icmp to the m0n0wall's WAN ip
> >(10.0.0.2).
> >But when I configured an IPsec connection between the 2 m0n0walls it's
> >going bad! On the m0n0wall behind the NAT I get:
> >
> >"racoon: ERROR: isakmp.c:1776:isakmp_chkph1there(): phase2
> >negotiation failed due to time up waiting for phase1. ESP
> >80.122.254.21->10.0.0.2"
> >- in the logfile. And 10.0.0.2 is not the wan ip! So how can I get it
> >working?
> >I have also tried to change the interface ("Select the interface
> >for the local endpoint of this tunnel.") in the ipsec, to my LAN, but
> >then the logfile is changing to 80.122.254.21->172.16.10.1 (my lan ip)
> >
> >Please help!
> >
> >  
> >
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> 
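To make the AH-versus-ESP point in Jim's reply concrete, below is an added Python model of the two integrity checks; it is not code from the thread or from m0n0wall. It builds an AH packet and an ESP packet the way RFC 4302 / RFC 4303 lay them out, passes each through a simulated source-NAT router that rewrites the outer source address, and then re-verifies the ICV on the far side. Assumptions: HMAC-SHA1-96 (RFC 2404) with a constructed key, ESP with NULL encryption (RFC 2410) so only integrity coverage is in play, and the addresses from Ronni's diagram (10.0.0.2 behind the NAT, 212.242.22.21 as the router's public address, 80.122.254.21 as the peer).

```python
"""Model of why AH breaks behind NAT while ESP does not: AH's ICV covers the outer
IP addresses (RFC 4302), ESP's covers only the ESP header and payload (RFC 4303)."""
import hashlib
import hmac
import struct

AH_PROTO = 51
ESP_PROTO = 50
UDP_PROTO = 17

# Shared SA integrity key; constructed for this example, not a real key.
KEY = b"constructed-demo-integrity-key"


def ip_checksum(hdr):
    """One's-complement IPv4 header checksum over a header whose checksum field is zero."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Build a 20-byte IPv4 header (DF set, no options) with a correct checksum."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                                ttl, proto, 0, src_b, dst_b))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)


def zero_mutable_fields(ip_hdr):
    """RFC 4302 sec. 3.3.3.1: zero the mutable fields before computing the AH ICV.
    The source/destination addresses are immutable and stay in the authenticated data."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0                 # TOS / DSCP+ECN
    hdr[6:8] = b"\x00\x00"     # flags + fragment offset
    hdr[8] = 0                 # TTL
    hdr[10:12] = b"\x00\x00"   # header checksum
    return bytes(hdr)


def icv(data):
    """HMAC-SHA1-96 (RFC 2404): the first 96 bits of HMAC-SHA1."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def build_ah_packet(src, dst, payload, spi=0x1000, seq=1):
    """IP | AH(next hdr, payload len, reserved, SPI, seq, ICV) | payload (transport mode)."""
    # AH "payload len" is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4.
    ah_fixed = struct.pack("!BBHII", UDP_PROTO, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + len(ah_fixed) + 12 + len(payload))
    authed = zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * 12 + payload
    return ip_hdr + ah_fixed + icv(authed) + payload


def verify_ah_packet(pkt):
    """Recompute the AH ICV over the IP header *as received* and compare."""
    ip_hdr, ah_fixed, ah_icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    authed = zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * 12 + payload
    return hmac.compare_digest(ah_icv, icv(authed))


def build_esp_packet(src, dst, payload, spi=0x2000, seq=1):
    """IP | ESP(SPI, seq) | payload | padding | pad len | next hdr | ICV, with NULL
    encryption (RFC 2410) so the example stays focused on what the ICV covers."""
    esp_hdr = struct.pack("!II", spi, seq)
    pad_len = (-(len(payload) + 2)) % 4           # payload + trailer must be 4-byte aligned
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, UDP_PROTO])
    body = esp_hdr + payload + trailer
    ip_hdr = ipv4_header(src, dst, ESP_PROTO, 20 + len(body) + 12)
    return ip_hdr + body + icv(body)              # the IP header is NOT part of the ICV input


def verify_esp_packet(pkt):
    """Recompute the ESP ICV over ESP header + payload/trailer only."""
    body, esp_icv = pkt[20:-12], pkt[-12:]
    return hmac.compare_digest(esp_icv, icv(body))


def nat_rewrite_source(pkt, new_src):
    """Model a source-NAT router: rewrite the outer source address and fix the IP checksum."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = bytes(int(x) for x in new_src.split("."))
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def demo(payload=b"constructed UDP payload"):
    """AH and ESP packets from the NATed m0n0wall (10.0.0.2) to the peer (80.122.254.21),
    via a router that rewrites the source to 212.242.22.21. Returns which ICVs still verify."""
    inner_src, peer, nat_public = "10.0.0.2", "80.122.254.21", "212.242.22.21"
    ah = build_ah_packet(inner_src, peer, payload)
    esp = build_esp_packet(inner_src, peer, payload)
    return {
        "ah_before_nat": verify_ah_packet(ah),
        "ah_after_nat": verify_ah_packet(nat_rewrite_source(ah, nat_public)),
        "esp_before_nat": verify_esp_packet(esp),
        "esp_after_nat": verify_esp_packet(nat_rewrite_source(esp, nat_public)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV OK' if ok else 'ICV FAILED'}")
```

Running it shows the asymmetry directly: the AH packet verifies on the sender but fails once the router has replaced 10.0.0.2 with 212.242.22.21, because the receiver recomputes the ICV over the rewritten address; the ESP packet verifies before and after, since its ICV input starts at the ESP header. This is also why forwarding protocol 50 (ESP) to the inner m0n0wall, as Falcor suggests, can work at all, whereas forwarding protocol 51 (AH) cannot.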