[pptp-server] Linux NAT support PPTP packet editor/filter?

Toktar, Emir EMIR.TOKTAR at bra.xerox.com
Thu Nov 18 16:34:34 CST 1999


Be careful!!

> If you want to do IPSEC with NAT you have to include the IPSEC 
> MASQ

Refs: A Comprehensive Guide to Virtual Private Networks, IBM.
Virtual Private Networking: An Overview White Paper - DRAFT, 3/18/98
Microsoft.
"...
The weakness of NAT in context to VPNs is that by definition the NAT-enabled
machine will change some or all of the address information in an IP packet.

When end-to-end IPSec authentication is used, a packet whose address has
been changed will always fail its integrity check under the AH protocol,
since any change to any bit in the datagram will invalidate the integrity
check value that was generated by the source.
Within the IETF, there is a working group that is looking at the deployment
issues surrounding NAT. This group has been advised by the Internet
Engineering Steering Group (IESG) that the IETF will not endorse any
deployment of NAT that would lead to weaker security than can be obtained
when NAT is not used. Since NAT makes it impossible to authenticate a packet
using IPSec's AH protocol, NAT should be considered as a temporary measure
at best, but should NOT BE pursued as a long term solution to the addressing
problem when dealing with secure VPNs.
IPSec protocols offer some solutions to the addressing issues that were
previously handled with NAT.  
..."



Refs:  ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
"...
VPN Masquerade is the part of IP Masquerade which enables you to use
IPsec-based and PPTP-based Virtual Private Network clients from behind a
shared-access firewall. 

This is primarily used for masquerading IPsec and PPTP VPN clients:
IPsec
Client -.
        |   Linux                                  IPsec
PPTP   -+-> Masq and --> Internet --> Firewall --> or PPTP
Client  |   Firewall                               Server
        |
Others -+
        |
No other software is needed to masquerade VPN clients. 
It can also be used to provide access to a Private Network IPsec or PPTP
server behind a Linux firewall...
IPsec                    Linux        Private-IP
or PPTP --> Internet --> Firewall --> PPTP or IPsec
Client                                Server
...
But,...
The IPsec AH protocol (51/ip) incorporates a cryptographic checksum
including the IP addresses in the IP header. Since masquerading changes
those IP addresses and since the cryptographic checksum cannot be
recalculated by the masquerading firewall, the masqueraded packets will fail
the checksum test and will be discarded by the remote IPsec gateway.
Therefore, IPsec implementations that use the AH protocol cannot be
successfully masqueraded. Sorry. 
..."



Regards


Emir Toktar

+55 (**41) 340-7157
emir.toktar at bra.xerox.com 
toktar at per.com.br
toktar at ppgia.pucpr.br
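To make the two quoted passages concrete, here is an added example. It is not
code from the IBM/Microsoft paper, from John Hardin's VPN Masquerade page, or
from anyone on this list. It builds a transport-mode AH packet with the ICV
scope defined in RFC 2402 (IP header with mutable fields zeroed, AH header with
the ICV field zeroed, then the payload), applies the source-address rewrite a
masquerading firewall performs, and shows the integrity check failing at the
receiver. The same rewrite against an ESP-style ICV, whose scope stops at the
ESP header, still verifies. The key, addresses and payload are constructed test
values; the ESP half omits encryption and the ESP trailer, since only the scope
of the integrity check matters for the NAT question.

```python
"""Why NAT breaks IPsec AH: the AH integrity check covers the IP addresses.

Added example, not from the original post. Implements the AH ICV scope from
RFC 2402 section 3.3.3.1 with HMAC-SHA1-96 and contrasts it with an ESP-style
ICV that covers only the ESP header and payload. All inputs are constructed.
"""
import hashlib
import hmac
import socket
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51
ICV_LEN = 12            # HMAC-SHA1-96: 160-bit tag truncated to 96 bits
AH_HDR_LEN = 12 + ICV_LEN   # next hdr, payload len, reserved, SPI, seq, ICV


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header (no options)."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def ah_icv(packet: bytes, key: bytes) -> bytes:
    """AH ICV: HMAC over the whole packet with mutable IP fields (TOS, flags and
    fragment offset, TTL, header checksum) and the ICV field itself zeroed.
    Source and destination addresses are NOT zeroed: they are authenticated."""
    ip = bytearray(packet[:20])
    ip[1] = 0                    # TOS
    ip[6:8] = b"\x00\x00"        # flags + fragment offset
    ip[8] = 0                    # TTL
    ip[10:12] = b"\x00\x00"      # header checksum
    ah = bytearray(packet[20:20 + AH_HDR_LEN])
    ah[12:12 + ICV_LEN] = bytes(ICV_LEN)
    covered = bytes(ip) + bytes(ah) + packet[20 + AH_HDR_LEN:]
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(src: str, dst: str, payload: bytes, key: bytes,
                    spi: int = 0x1000, seq: int = 1, next_hdr: int = 17) -> bytes:
    ah_len_words = AH_HDR_LEN // 4 - 2      # RFC 2402: 32-bit words minus 2
    ah = struct.pack("!BBHII", next_hdr, ah_len_words, 0, spi, seq) + bytes(ICV_LEN)
    pkt = ipv4_header(src, dst, IPPROTO_AH, len(ah) + len(payload)) + ah + payload
    icv = ah_icv(pkt, key)
    return pkt[:32] + icv + pkt[32 + ICV_LEN:]


def verify_ah(packet: bytes, key: bytes) -> bool:
    return hmac.compare_digest(packet[32:32 + ICV_LEN], ah_icv(packet, key))


def build_esp_packet(src: str, dst: str, payload: bytes, key: bytes,
                     spi: int = 0x2000, seq: int = 1) -> bytes:
    """Simplified ESP: the ICV covers SPI + seq + payload, never the IP header.
    Encryption and the ESP trailer are omitted (scope of the check is the point)."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return ipv4_header(src, dst, IPPROTO_ESP, len(body) + len(icv)) + body + icv


def verify_esp(packet: bytes, key: bytes) -> bool:
    expected = hmac.new(key, packet[20:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(packet[-ICV_LEN:], expected)


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a masquerading router does on the way out: replace the source
    address, decrement TTL, recompute the IP checksum, touch nothing else."""
    ip = bytearray(packet[:20])
    ip[12:16] = socket.inet_aton(new_src)
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return bytes(ip) + packet[20:]


def demo() -> dict:
    key = b"constructed-test-key-not-a-real-SA"          # constructed
    payload = b"GET / from a private address"           # constructed
    ah = build_ah_packet("192.168.1.10", "203.0.113.5", payload, key)
    esp = build_esp_packet("192.168.1.10", "203.0.113.5", payload, key)
    return {
        "ah_before_nat": verify_ah(ah, key),
        "ah_after_nat": verify_ah(nat_rewrite_source(ah, "198.51.100.1"), key),
        "esp_before_nat": verify_esp(esp, key),
        "esp_after_nat": verify_esp(nat_rewrite_source(esp, "198.51.100.1"), key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The TTL decrement is harmless to AH because TTL is a mutable field the sender
already zeroed when computing the ICV; the address change is what breaks it,
and a firewall that does not hold the SA key cannot recompute the tag. That is
the whole reason Hardin's page can masquerade ESP and PPTP but not AH.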

-----Original Message-----
From: geoff nordli [mailto:geoff at gnaa.net]
Sent: Wednesday, November 17, 1999 11:47 PM
To: 'tmk'; 'Chuck Flink'; pptp-server at lists.schulte.org
Subject: RE: [pptp-server] Linux NAT support PPTP packet editor/filter?


If you want to do IPSEC with NAT you have to include the IPSEC 
MASQ  

ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html

There is a section in there where it talks about masq and IPSEC.

Geoff Nordli

> Desired:  Linux configuration on PCb with similar functionality.

linux masq + pptp masq module will do exactly this.

> I believe IPsec / L2TP cannot be filtered / edited to pass through
> NAT gateways like PPTP can.... correct me if I'm wrong.  I'd
> prefer to use the more open IPsec standard if it could be made
> to be as transparent as PPTP.

I believe IPsec encrypts everything (that is useful to NAT) but the dest
address, so masq won't do IPsec to my knowledge.

Kevin


_______________________________________________
pptp-server maillist  -  pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulte.org!

