
IPsec tunnel through NAT & TUN adapters - How?

#1, 08-27-2007, 08:44 PM

We are trying to create an IPsec tunnel between two hosts running the Windows 2003
Server operating system. The first of these servers (A) is connected directly to
the internet and has been assigned a public IP address. The second server (B) is
in a private network N with addressing scheme 192.168.0.0/24, behind a NAT
router running Linux. Both of these hosts have a TUN virtual adapter installed,
with addresses 10.1.0.1/16 and 10.2.0.1/16:

(tun 10.2.0.1/16) A --------- internet ------- NAT ------- N ------ B (tun 10.1.0.1/16)

Our IPsec configuration is based on the article
http://support.microsoft.com/kb/816514/en-us .

IPsec policy for host A:
- Incoming rule
o Filter from specific subnet 10.1.0.0/16 to specific subnet 10.2.0.0/16,
not mirrored, any protocol,
o Filter action Require security
o Authentication with Preshared key
o Tunnel endpoint: public IP address of host A
- Outgoing rule
o Filter from specific subnet 10.2.0.0/16 to specific subnet 10.1.0.0/16,
not mirrored, any protocol,
o Filter action Require security
o Authentication with Preshared key
o Tunnel endpoint: public IP of NAT router

IPsec policy for host B:
- Incoming rule
o Filter from specific subnet 10.2.0.0/16 to specific subnet 10.1.0.0/16,
not mirrored, any protocol,
o Filter action Require security
o Authentication with Preshared key
o Tunnel endpoint: private IP address of host B on private network
- Outgoing rule
o Filter from specific subnet 10.1.0.0/16 to specific subnet 10.2.0.0/16,
not mirrored, any protocol,
o Filter action Require security
o Authentication with Preshared key
o Tunnel endpoint: public IP address of host A

All rules on both hosts have Connection Type set to All network connections.
The router with NAT is redirecting all UDP/500 and UDP/4500 traffic from
outside directly to host B.

The problem is that after activating both policies and trying to ping host
10.1.0.1 from host A, the ping requests time out and no security negotiation
happens. Even sniffing traffic on both hosts with Wireshark, and with tcpdump on
the Linux router, shows no packets. Static routes are set as described in the
aforementioned article.
The purpose of this configuration was to create a tunnel from host A into the
private network, but without access to any other component than host B.



Kris
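As an added example (not from Kris's post or the Microsoft article), here is the host A policy described above expressed as a `netsh ipsec static` script for Windows Server 2003, so each filter list, filter action and tunnel endpoint can be checked line by line, followed by the commands that show whether any main-mode or quick-mode SA actually forms. The public addresses, the policy names and the pre-shared key are placeholders I chose; the cipher suite in `qmsecmethods` is an assumption, not something the post specifies.

```batch
@echo off
rem Added example: host A tunnel-mode IPsec policy, mirroring the rules in the post.
rem Placeholders (assumptions): A_PUBLIC, NAT_PUBLIC and PSK are not from the post.
set A_PUBLIC=203.0.113.10
set NAT_PUBLIC=198.51.100.20
set PSK=replace-with-a-long-random-preshared-key

rem Policy container; no default response rule, so only our two rules apply.
netsh ipsec static add policy name="A-B Tunnel" description="Tunnel to host B behind NAT" activatedefaultrule=no

rem Filter action "Require security": negotiate ESP, never accept or fall back to clear text.
netsh ipsec static add filteraction name="Require ESP" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem Incoming filter: 10.1.0.0/16 -> 10.2.0.0/16, any protocol, not mirrored.
netsh ipsec static add filterlist name="B-to-A"
netsh ipsec static add filter filterlist="B-to-A" srcaddr=10.1.0.0 srcmask=255.255.0.0 dstaddr=10.2.0.0 dstmask=255.255.0.0 protocol=ANY mirrored=no

rem Outgoing filter: 10.2.0.0/16 -> 10.1.0.0/16, any protocol, not mirrored.
netsh ipsec static add filterlist name="A-to-B"
netsh ipsec static add filter filterlist="A-to-B" srcaddr=10.2.0.0 srcmask=255.255.0.0 dstaddr=10.1.0.0 dstmask=255.255.0.0 protocol=ANY mirrored=no

rem Rules: tunnel endpoint is A's own public IP for inbound, the NAT router's public IP for outbound.
rem Connection type "all" matches the post; the PSK is the authentication method.
netsh ipsec static add rule name="Inbound" policy="A-B Tunnel" filterlist="B-to-A" filteraction="Require ESP" tunnel=%A_PUBLIC% conntype=all psk="%PSK%"
netsh ipsec static add rule name="Outbound" policy="A-B Tunnel" filterlist="A-to-B" filteraction="Require ESP" tunnel=%NAT_PUBLIC% conntype=all psk="%PSK%"

rem Assign the policy so it becomes the active local policy.
netsh ipsec static set policy name="A-B Tunnel" assign=y

rem Verification: confirm what was applied, then ping 10.1.0.1 and check for SAs.
netsh ipsec static show policy name="A-B Tunnel" level=verbose
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
```

If `show mmsas` stays empty after a ping, no IKE exchange was even attempted, which is consistent with the filters not matching the traffic on the TUN adapter rather than with a NAT or UDP/4500 forwarding problem.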