Contivity VPN woes

bscott at ntisys.com bscott at ntisys.com
Sun Nov 17 20:33:41 EST 2002


On Sat, 16 Nov 2002, at 11:15am, mod+gnhlug at std.com wrote:
>> Please inform your husband that his firewall
>> needs to allow outbound UDP port 50 and IP
>> protocol 500.

  That is incorrect in at least one way, and likely two.

  Most likely, your wife's IT department is using IPsec with IKE and ESP.  
If so:

  You need to allow IKE (Internet Key Exchange), which is UDP port 500.  
IKE is used to automatically set up the IPsec SA (Security Associations).  
An IPsec SA can be thought of as an IPsec "session".

  You also need to allow ESP (Encapsulated Security Payload), which is IP
protocol 51.  ESP encapsulates an IP datagram in another datagram, adding
authentication and encryption.  The authentication is only done on the
encapsulated datagram, so you can rewrite the outer datagram's header
without fear of it being rejected.

  IP protocol 50 is AH (Authentication Header), which is not compatible with
NAT.  AH adds authentication information to an IP datagram without
encapsulating it; it provides only authentication, not encryption.  Because
NAT modifies the headers of IP datagrams, it is not compatible with AH.  
Fortunately for you, however, AH is (currently) rarely used.

  Note that an IP protocol is below the level of UDP or TCP.  TCP is IP
protocol 6, and UDP is IP protocol 17, for example.

> If he is doing NAT, then there needs to be a way to let an IPsec tunnel
> through without manipulating the packet.

  Not possible.  NAT, by definition, modifies the packet header.  
Fortunately for you, I suspect your wife's employer's IT guy does not really
understand what he is talking about.  (This is less fortunate for your
wife's employer.)

> Is my firewall scrogging us?

  Yes, but that is likely easily fixed.  What distribution and release are
you running?  What version of the Linux kernel?  What kind of firewall
(IPCHAINS, IPTABLES)?  Where did the firewall come from (with the
distribution, third-party, do-it-yourself)?

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |
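As an added illustration of the AH-versus-ESP point made above (this is not code from the original post or from any Contivity software), the Python sketch below computes an HMAC-SHA1-96 integrity check the way each protocol scopes it: AH covers the IP header (with mutable fields zeroed), ESP covers only the ESP header and payload. The key, SPIs, addresses and payload are constructed values, and ESP's encryption is left out because it plays no part in the NAT argument.

```python
import hmac, hashlib, struct

KEY = b"constructed-demo-key"   # constructed; a real SA gets its keys from IKE
AH, ESP = 51, 50                # IANA IP protocol numbers

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, src, dst)

def zero_mutable(hdr):
    """AH hashes the IP header with mutable fields (TOS, flags/offset, TTL,
    checksum) zeroed (simplified from RFC 2402); the addresses stay in."""
    return (hdr[:1] + b"\0" + hdr[2:6] + b"\0\0" + b"\0" + hdr[9:10]
            + b"\0\0" + hdr[12:])

def icv(data):
    """HMAC-SHA1-96 (RFC 2404): 12-byte truncated tag."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_packet(src, dst, payload):
    """IP | AH(next=UDP, len, SPI, seq, ICV) | payload; ICV covers the IP header."""
    ah_fixed = struct.pack("!BBHII", 17, 4, 0, 0x100, 1)
    hdr = ipv4_header(src, dst, AH, 24 + len(payload))
    tag = icv(zero_mutable(hdr) + ah_fixed + bytes(12) + payload)
    return hdr + ah_fixed + tag + payload

def ah_verify(pkt):
    hdr, ah_fixed, tag, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(
        tag, icv(zero_mutable(hdr) + ah_fixed + bytes(12) + payload))

def esp_packet(src, dst, payload):
    """IP | ESP(SPI, seq) | payload | ICV; the ICV stops short of the outer IP
    header, which is why a rewritten outer header still verifies."""
    body = struct.pack("!II", 0x200, 1) + payload
    return ipv4_header(src, dst, ESP, len(body) + 12) + body + icv(body)

def esp_verify(pkt):
    return hmac.compare_digest(pkt[-12:], icv(pkt[20:-12]))

def nat_rewrite_src(pkt, new_src):
    """What a NAT box does on the way out: swap the outer source address."""
    return pkt[:12] + new_src + pkt[16:]

def router_hop(pkt):
    """An ordinary router only decrements TTL, a mutable field AH tolerates."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]
```

Run `ah_verify(nat_rewrite_src(ah_packet(...), new_src))` and the matching ESP call to see AH fail and ESP pass after the same address rewrite.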