tech-net archive


How to apply NAT before IPSec on outgoing packets



Hi,

we have a network setup where we have a NAT-router (running NetBSD 5.0-release) 
communicating with a VPN gateway through IPSec-tunnel mode. The NAT-Router 
should forward all packets from the internal network to the remote site.
We are currently experiencing problems with NAT in combination with IPsec.

Our setup:

Internal LAN <====> router <====> IPSec over public network <=> VPN-GW <=> 
Corporate LAN

So far, the IPsec tunnel comes up (using racoon and tunnel mode), but the
problem is that our router also needs to do NAT on outgoing packets so that we
can allow the same IP addresses for internal LANs on several sites. Currently,
we use the external network interface for NAT.

We see problems when sending a packet from the internal LAN to the corporate 
LAN: After NAT, the IPSec encryption needs to be applied on the source IP 
addresses. The IPsec configuration currently is for the NATed network on the 
local side, and everything (0.0.0.0) on the remote side. 

Using tcpdump and code inspection, we found out that IPSec encryption is 
applied before NAT, so in our case, no IPsec encryption is done at all (as we 
only encrypt what comes from the NATed network), and the packets are sent 
unencrypted after NAT was applied on them.

What we would need is to first have our source IP address go through NAT, and
then have IPsec processing applied.

We found an older posting 
http://mail-index.netbsd.org/tech-net/2009/06/12/msg001385.html regarding the 
same problem in the opposite direction. Therefore we expect that we also need 
to patch the kernel sources in order to make our system apply NAT first and 
IPSec after that on outgoing packets.

If anyone has a similar configuration running or can advise us where to look 
inside the kernel sources to get this done, this would be much appreciated.

We're glad to provide more details if needed.
Please CC: me on replies as I'm not subscribed to this list (yet).

Thanks in advance!
- Daniel

A.P.E. GmbH
Hard- & Software Development
Daniel Zebralla
Galgenbergstraße 2a - Posthof
93053 Regensburg - Germany
Phone +49 (941) 78385-460
Fax +49 (941) 78385-150
D.Zebralla%ape-net.com@localhost
http://www.ape-net.com

_______________________________________

A.P.E. GmbH  IT-Security
Registered office: Regensburg
Commercial register: HRB 5953, Regensburg
Managing director: Dr. Dieter Steiner
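The ordering problem described in the post, modelled as an added example that is not part of the original message or of NetBSD: the SPD entry matches on the NATed source (as the post's policy does), so an output path that runs the SPD lookup before NAT never sees a matching source and lets the packet leave in the clear. The addresses, the `Packet` type and the stage functions are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    esp: bool = False  # True once ESP tunnel encapsulation has been applied

# Constructed sample addressing (assumption, not from the original post).
INTERNAL_LAN = ipaddress.ip_network("192.168.1.0/24")   # hosts behind the router
NAT_ADDRESS = "203.0.113.10"                            # router's external address
# SPD as described in the post: local side = the NATed address, remote side = any.
SPD = [(ipaddress.ip_network(NAT_ADDRESS + "/32"), ipaddress.ip_network("0.0.0.0/0"))]

def nat(pkt: Packet) -> Packet:
    """Source NAT: rewrite internal-LAN sources to the external address."""
    if ipaddress.ip_address(pkt.src) in INTERNAL_LAN:
        return replace(pkt, src=NAT_ADDRESS)
    return pkt

def ipsec(pkt: Packet) -> Packet:
    """SPD lookup on the packet as it looks at this stage; encapsulate on a match."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for src_net, dst_net in SPD:
        if s in src_net and d in dst_net:
            return replace(pkt, esp=True)
    return pkt   # no policy matched: packet is forwarded unprotected

def output_path(pkt: Packet, stages) -> Packet:
    """Run the packet through the output stages in the given order."""
    for stage in stages:
        pkt = stage(pkt)
    return pkt

def leaves_in_clear(pkt: Packet, stages) -> bool:
    """Audit check: does a packet that should be tunnelled exit without ESP?"""
    return not output_path(pkt, stages).esp

if __name__ == "__main__":
    p = Packet("192.168.1.20", "10.20.0.5")   # constructed LAN host -> corporate host
    print("IPsec before NAT, cleartext leak:", leaves_in_clear(p, [ipsec, nat]))
    print("NAT before IPsec, cleartext leak:", leaves_in_clear(p, [nat, ipsec]))
```

The same check applied to a captured packet (as the post did with tcpdump) is the quickest way to confirm which order a given stack actually uses.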
