VPN through NAT?

Chuck Swiger cswiger at mac.com
Mon Aug 14 18:53:51 UTC 2006


On Aug 14, 2006, at 11:19 AM, Jeff Norris wrote:
> IPSEC NAT traversal uses UDP 4500?  Whose implementation?  Cisco,  
> Nortel, BSD?  I believe 4500 is Cisco's way of doing it, but not all  
> IPSEC vpn clients are the same.  I use one that uses UDP port 10000  
> for nat traversal.

Cisco will use either 4500/udp or 10000/tcp; the former is supposed  
to be more friendly for NAT traversal.  It also seems to want to use  
a high port in the 6xxxx range for a debug channel if you use the  
"connection diagnostics" via SDM on a Cisco VPN router.

I've done a fair amount of debugging this from both the client and  
the server side; you pretty much need to have the VPN endpoint  
(whether client or server) assigned a static IP for GRE protocol  
redirection to work, so if you are dealing with clients using dynamic  
IPs, you'll want to set up a static IP assignment via your DHCP server.

Place the following into /etc/natd.conf (if using IPFW+natd):

   redirect_proto gre A.B.C.D
   redirect_port tcp A.B.C.D:isakmp isakmp     # port 500
   redirect_port udp A.B.C.D:isakmp isakmp     # port 500
   redirect_port tcp A.B.C.D:pptp pptp         # port 1723
   redirect_port udp A.B.C.D:4500 4500
   redirect_port tcp A.B.C.D:10000 10000
   redirect_port udp A.B.C.D:62515 62515

...where, obviously, you would use the local IP address of the client  
or server instead of A.B.C.D.  The above also seems to work OK with  
the Sonicwall VPN client and Microsoft's VPN remote access ("terminal  
services"? or whatever it's called).

If you have multiple clients trying to use the VPN from behind NAT,  
note that you can only have one VPN endpoint per externally routable  
IP, so you will have to configure separate natd's for each one.   
You'd probably be better off terminating the VPNs on the NAT machine  
if that is the case...

-- 
-Chuck
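An added example, not part of Chuck's post or of natd(8) itself: a POSIX sh script that emits the redirect block above for a given internal address (numeric ports instead of the service names, after validating the address), and an awk-based checker that reads a natd.conf and reports the conflicts you get when two VPN endpoints are redirected behind one external IP (a second redirect_proto gre, or the same external proto/port redirected twice). The function names, the isakmp/pptp service-name table and the sample addresses are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the natd.conf VPN
# passthrough block for one internal endpoint and checks a natd.conf for
# redirects that collide, i.e. two endpoints competing for one external IP.

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# Print the natd(8) redirect lines for the endpoint at $1, in the same
# order as the post: GRE (PPTP), ISAKMP 500, PPTP 1723, NAT-T 4500/udp,
# Cisco 10000/tcp and the 62515/udp port the post lists.
natd_vpn_redirects() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    cat <<EOF
redirect_proto gre $ip
redirect_port tcp $ip:500 500
redirect_port udp $ip:500 500
redirect_port tcp $ip:1723 1723
redirect_port udp $ip:4500 4500
redirect_port tcp $ip:10000 10000
redirect_port udp $ip:62515 62515
EOF
}

# Read a natd.conf ($1) and report every external protocol or proto/port
# that is redirected more than once. Service names are normalized to the
# numbers used above so "isakmp" and "500" count as the same port
# (assumed two-entry table; extend as needed). Returns 1 on any conflict.
natd_check_conflicts() {
    awk '
        BEGIN { svc["isakmp"] = 500; svc["pptp"] = 1723 }
        $1 == "redirect_proto" { key = "proto " $2 }
        $1 == "redirect_port" {
            p = ($4 in svc) ? svc[$4] : $4
            key = "port " $2 "/" p
        }
        key != "" {
            seen[key]++
            lines[key] = lines[key] "\n    " $0
            key = ""
        }
        END {
            rc = 0
            for (k in seen)
                if (seen[k] > 1) { rc = 1; printf "conflict: %s%s\n", k, lines[k] }
            exit rc
        }' "$1"
}

# Demo on a constructed two-endpoint config: the second endpoint collides
# with the first on every line, which is the "one VPN endpoint per external
# IP" limit from the post.
demo_conf=$(mktemp)
{ natd_vpn_redirects 192.168.1.10; natd_vpn_redirects 192.168.1.11; } > "$demo_conf"
natd_check_conflicts "$demo_conf" ||
    echo "-> run a separate natd per external IP, or terminate the VPNs on the NAT box"
rm -f "$demo_conf"
```

Run it as-is to see the demo, or source it and call `natd_vpn_redirects <ip> >> /etc/natd.conf` followed by `natd_check_conflicts /etc/natd.conf` before restarting natd; the checker exits nonzero on a conflict, so it slots into a deploy script.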



More information about the freebsd-isp mailing list