questions based on the VPN behind the NAT Box.
2006-01-18 01:09:33

Hi all,

 

I have two questions based on the VPN behind the NAT Box.

 

*****************************************************************************************************************************************************************

(192.168.6.6) VPN1 (192.168.11.1) --- (br0:192.168.11.11) NAT1 (eth0: 192.168.252.198) ; ----- ; (eth0: 192.168.252.199) NAT2 (br0: 192.168.22.22) --- (192.168.22.2) VPN2 (192.168.8.8)

 

NAT1 and NAT2 are Linux OS.

 

On NAT1 (a pure Linux PC) I did:

1. ifconfig eth0:1 192.168.252.104   ;     * 192.168.252.104 is the mapping IP of 192.168.11.1, VPN1's external interface eth0.

2. iptables -t nat -I POSTROUTING 1 -s 192.168.11.1 -j SNAT --to-source 192.168.252.104

3. iptables -t nat -I PREROUTING 1 -d 192.168.252.104 -j DNAT --to-dest 192.168.11.1   ;     * the DNAT target is only accepted in the PREROUTING (and OUTPUT) chains, not in POSTROUTING.

 

I also did settings on NAT2, mapping 192.168.22.2 to 192.168.252.105.

 

*****************************************************************************************************************************************************************

 

I have successfully established the tunnel between VPN1 and VPN2.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1.  But my first try was without leftid and rightid in the ipsec.conf on VPN1 and VPN2;

it failed to establish the M3 negotiation (M1 and M2 in Main Mode are ok; I checked with 'ipsec auto --status').

IKE RFC 2409 says: Main Mode, the last two messages authenticate the DH exchange.

 

2.  But if VPN1 connects directly to VPN2 (without the NAT Box), then the tunnel can be established without leftid and rightid.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

My questions:

 

1.

I am wondering what the purpose of the system identifier ID (left and right) in the ipsec.conf is?

I referred to some papers, but I am still in the mist.

 

Hope to get advice from you, especially on why specifying 'left=ip' and 'right=ip' is not enough for such a case (VPN behind a NAT Box/firewall). Why are leftid and rightid needed?

 

2.

I used a pure Linux OS as the NAT1 and NAT2 firewall, but once I restart, the ifconfig eth0:1 and iptables settings are lost, and I need to redo the three settings.

I am also wondering, for this case, whether there is any other way to configure Linux so that the above three settings are permanent?

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

Thanks very much.

 

Regards,

 

Shi Lang

Quality Assurance Engineer

GreenPacket Bhd

www.greenpacket.com

Tel: 006-03-89966022 ext: 105

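One way to make the NAT1 mapping survive a reboot, as an added example that is not part of the original post: a small script kept on the NAT box and run with "sh /etc/nat-map.sh apply" from /etc/rc.local (or the distribution's init scripts) at boot. The script name, the MAPPINGS variable, the use of iproute2's ip command and of iptables' -C check option are assumptions; the addresses are the ones from the NAT1 description above, and the DNAT rule is placed in PREROUTING, where the DNAT target is accepted.

```shell
#!/bin/sh
# nat-map.sh (added example, not from the original post): re-creates a 1:1
# NAT mapping at every boot. Assumes iproute2 and an iptables with -C (check).

EXT_IF=eth0                      # public interface of the NAT box (assumed)
# One mapping per line: "<internal ip> <public ip>" (values from NAT1 above)
MAPPINGS="192.168.11.1 192.168.252.104"

# Emit the two iptables commands for one pair as text (checkable without root).
# SNAT is only valid in POSTROUTING; DNAT is only valid in PREROUTING/OUTPUT.
nat_rules() {
    printf 'iptables -t nat -I POSTROUTING 1 -s %s -j SNAT --to-source %s\n' "$1" "$2"
    printf 'iptables -t nat -I PREROUTING 1 -d %s -j DNAT --to-destination %s\n' "$2" "$1"
}

# Insert a rule only if an identical one is not already present, so running
# the script a second time does not leave duplicate rules in the nat table.
ensure_rule() {
    chain=$1; shift
    iptables -t nat -C "$chain" "$@" 2>/dev/null || iptables -t nat -I "$chain" 1 "$@"
}

apply_mapping() {
    internal=$1; public=$2; label=$3
    # Secondary address on the public interface (equivalent of "ifconfig eth0:1").
    # "ip addr add" fails with "File exists" on a re-run, which is harmless here.
    ip addr add "$public/32" dev "$EXT_IF" label "$label" 2>/dev/null || true
    ensure_rule POSTROUTING -s "$internal" -j SNAT --to-source "$public"
    ensure_rule PREROUTING -d "$public" -j DNAT --to-destination "$internal"
}

apply_all() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null   # forwarding is also lost on reboot
    n=1
    echo "$MAPPINGS" | while read -r internal public; do
        [ -n "$internal" ] && apply_mapping "$internal" "$public" "$EXT_IF:$n"
        n=$((n + 1))
    done
}

case "${1:-}" in
    apply) apply_all ;;                                                  # needs root
    print) echo "$MAPPINGS" | while read -r i p; do nat_rules "$i" "$p"; done ;;
esac
```

Running "sh nat-map.sh print" shows the rules that would be installed without touching the kernel; NAT2 gets the same script with its own 192.168.22.2 192.168.252.105 line in MAPPINGS.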