
Setting Up a Debian IPSEC NAT

Network Layout

LAN A (10.0.2.0/24) ---> (10.0.2.2)  LAN A VPN Gateway
                         [NAT 10.0.2.2 <-> 10.130.0.2]
                         (193.115.229.12)
                              ||
                              ||  VPN tunnel
                              ||
                         (193.115.229.11)
LAN B (10.200.x.x/28) ---> (10.200.x.2)  LAN B VPN Gateway B
                              ||
                              ||
                              ||
LAN C (10.0.2.0/24)

The aim is to have the two LANs on either end communicating freely with each other across a VPN tunnel where there is a conflict in the address ranges (LAN A and LAN C both use 10.0.2.0/24). In the test setup the VPN gateways have public IP addresses, as the VPN tunnel will run over the Internet. Each gateway therefore has two network interfaces: an internal interface (.2) and an external interface (.12 or .13).

The packets will flow from LAN A to LAN C as follows:

Source 10.0.2.2 > Destination 10.44.0.2
NAT changes Source 10.0.2.2 to 10.130.0.2
    ||
Source 10.130.0.2 > Destination 10.44.0.2
    ||
Tunnel 10.130.0.0/24 to 10.44.0.0/24
    ||
Source 10.130.0.2 > Destination 10.44.0.2

The packets will flow from LAN C to LAN A as follows:

Source 10.44.0.2 > Destination 10.130.0.2
    ||
Tunnel 10.44.0.0/24 to 10.130.0.0/24
    ||
Source 10.44.0.2 > Destination 10.130.0.2
NAT changes Destination 10.130.0.2 to 10.0.2.2
    ||
Source 10.44.0.2 > Destination 10.0.2.2

I will assume that you already have a configured system running Debian with a 2.4.x or 2.6.x kernel. You will also need to install the following packages: racoon (ipsec-tools will be picked up as a dependency), iptables and iproute:

aptitude update
aptitude install racoon iptables iproute

Configuration

Pre-shared Key
We use pre-shared keys. The same key is placed in the /etc/racoon/psk.txt file on both gateways.

nano /etc/racoon/psk.txt
chmod 600 /etc/racoon/psk.txt (makes the file readable and writable only by its owner: -rw-------)

Below is a sample entry: the peer's identifier (its IP address) followed by the key.

193.115.229.2 key

This sample is from Gateway A, so, again, you will need to change the IP address when you edit this file on Gateway B.

Routing

For the gateways themselves to use the VPN as well, you will need to add a special route (again slightly different on each gateway).

This is the route on Gateway A:

ip route add 10.44.0.0/24 dev eth0 src 10.0.2.2

This is the route on Gateway B:

ip route add 10.130.0.0/24 dev eth0 src 10.44.0.2

The command, and the changes needed when adding the route on Gateway B, are fairly self-explanatory; substitute eth0 with the appropriate interface on each gateway. You will also need to enable IP forwarding, either permanently in /etc/sysctl.conf or temporarily, using:

echo 1 > /proc/sys/net/ipv4/ip_forward

Configuring racoon using the standard method

The traditional racoon configuration method consists of two stages: configuring racoon and then defining the IPsec security policies.

To configure racoon you will be editing the /etc/racoon/racoon.conf file on both gateways. Here is the configuration for Gateway A (the same, with the relevant details changed, will need to be done on Gateway B):

path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";

remote 193.115.229.12 {
        exchange_mode main;
        send_cr off;
        send_cert off;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 1;
                lifetime time 86400 seconds;
        }
}

sainfo address 10.44.0.0/24 any address 10.130.0.0/24 any {
        pfs_group 1;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 1 hour;
}

The security policies go into the /etc/ipsec-tools.conf file. Here is the file from Gateway A:

flush;
spdflush;

spdadd 10.130.0.0/24[any] 10.44.0.0/24[any] any -P out ipsec
        esp/tunnel/193.115.229.12-193.115.229.13/require;

spdadd 10.44.0.0/24[any] 10.130.0.0/24[any] any -P in ipsec
        esp/tunnel/193.115.229.13-193.115.229.12/require;

After this you need to load the security policies and then start the racoon daemon. I use the following command:

/etc/init.d/racoon stop && /etc/init.d/setkey restart && /etc/init.d/racoon start

NATing with IPTABLES

sudo iptables -t nat -A PREROUTING -s 10.44.0.0/24 -d 10.130.0.2 -i eth0 -j DNAT --to 10.0.2.2 -v

Packets inbound (PREROUTING) with a source address in 10.44.0.0/24 and a destination of 10.130.0.2, arriving on eth0, get their destination changed to 10.0.2.2.

sudo iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -d 10.44.0.2 -o eth0 -j SNAT --to 10.130.0.2 -v

Packets outbound (POSTROUTING) with a source address in 10.0.2.0/24 and a destination of 10.44.0.2, leaving via eth0, get their source changed to 10.130.0.2.
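To see how the two NAT rules above and the packet flows described earlier line up with the spdadd selectors, here is an added Python model (not from the original page) that traces a packet through Gateway A and reports which policy it matches. It models the flow as the page describes it (SNAT, then the outbound policy lookup; inbound policy, then DNAT), not the kernel's internal hook ordering, and the rule and selector values are transcribed from this page.

```python
import ipaddress
from dataclasses import dataclass


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    """One iptables nat rule; the chain decides whether --to rewrites src or dst."""
    chain: str      # "POSTROUTING" (SNAT) or "PREROUTING" (DNAT)
    match_src: str  # network the rule's -s matches
    match_dst: str  # network the rule's -d matches
    to: str         # the --to address

    def apply(self, pkt):
        if not (in_net(pkt.src, self.match_src) and in_net(pkt.dst, self.match_dst)):
            return pkt
        return Packet(self.to, pkt.dst) if self.chain == "POSTROUTING" else Packet(pkt.src, self.to)


@dataclass(frozen=True)
class Policy:
    """One spdadd entry: source selector, destination selector, -P in or -P out."""
    src: str
    dst: str
    direction: str

    def matches(self, pkt, direction):
        return direction == self.direction and in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)


# Gateway A's NAT rules and security policies, transcribed from this page.
SNAT_A = NatRule("POSTROUTING", "10.0.2.0/24", "10.44.0.2/32", "10.130.0.2")
DNAT_A = NatRule("PREROUTING", "10.44.0.0/24", "10.130.0.2/32", "10.0.2.2")
SPD_A = [Policy("10.130.0.0/24", "10.44.0.0/24", "out"),
         Policy("10.44.0.0/24", "10.130.0.0/24", "in")]


def trace_outbound(pkt, snat, spd):
    """LAN A -> LAN C on Gateway A: SNAT first, then the outbound SPD lookup. Returns
    (post-NAT packet, policy); None means no selector covers it, so it would go in the clear."""
    natted = snat.apply(pkt)
    return natted, next((p for p in spd if p.matches(natted, "out")), None)


def trace_inbound(pkt, dnat, spd):
    """LAN C -> LAN A on Gateway A: check the decapsulated packet against the inbound SPD, then DNAT."""
    return dnat.apply(pkt), next((p for p in spd if p.matches(pkt, "in")), None)
```

Only connections initiated from LAN C need the DNAT rule; replies to connections SNATed by Gateway A are reversed by connection tracking.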

Send some traffic over the VPN a few times to bring the tunnel up:

ping 10.44.0.2
