# VPN through NAT (IPsec)

## sven

Has anyone successfully connected to a VPN through a NAT with FreeS/WAN? My computer sits behind a hardware router (NAT) and I am unable to connect to a VPN. I've forwarded port 500 UDP to my linux machine but my router is unable to forward protocols 50 and 51 ESP which are also needed by FreeS/WAN.

I found a NAT traversal patch at http://open-source.arkoon.net/ which packs ESP packets into UDP packets but I was unable to apply it. Can someone create an ebuild for this, please?

----------

## ghost_o

Hmmm. A little bit of clarification is needed. You talk about your router not being able to forward protocols and your linux box needing patches.

Can you describe what your network looks like a bit more?  Is your linux box the router as well?  If not, then no patches are needed.  What type of router do you have?

-G

----------

## Xor

well, IPSec and NAT are enemies... they don't like each other... avoid it if you can. I heard that LAN-2-LAN VPNs work in Tunnel mode and ESP... good luck  :Smile: 

----------

## sven

My network looks like this:

Internet --- NAT (router) --- Gentoo machine

There are more computers in my network but that does not matter at the moment. The NAT is a hardware router, to be exact, it's the Compex NetPassage 15-B. I want to connect my Gentoo machine to a VPN.

----------

## ghost_o

Not familiar with that router, but for mine to work, I had to forward ports 50 and 51 to my machine from the router as well as use a static IP address on the inside so the mappings would stay the same always.

Does that router have that capability?

Once the software was available, I just created the vpn with the router and let it do all of the routing and session management and removed it from my Linux box. I have a cisco 827 that does my IPSec tunnels for me. Will your router do that?

-G

----------

## sven

*ghost_o wrote:*

> ports 50 and 51

ports or protocols? TCP or UDP?

*ghost_o wrote:*

> Does that router have that capability?

It can forward ports, yes, and I am using a static IP address. It has no VPN/IPsec tunneling features though.

----------

## mrchuckles

IPsec will not work through NAT.  NAT rewrites the packet headers, which is a no-no with IPsec, an end-to-end protocol.  In order to get this to work, your router would have to be the IPsec endpoint, not your desktop.  I've never set this up, but I'm sure it can be done.  Look through the docs of your router for sections like "VPN passthrough".

There's a good article on the M$ website (of all places) that explains the IPsec NAT issue.  Check it out.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0802.asp

----------

## sven

I'm afraid you are probably right. The NAT traversal patch mentioned above should work around this problem but I was unable to apply it. My router does not have any VPN functions  :Sad: 

----------

## ghost_o

*mrchuckles wrote:*

> IPsec will not work through NAT.  NAT rewrites the packet headers, which is a no-no with IPsec, an end-to-end protocol.  In order to get this to work, your router would have to be the IPsec endpoint, not your desktop.  I've never set this up, but I'm sure it can be done.  Look through the docs of your router for sections like "VPN passthrough".
> 
> There's a good article on the M$ website (of all places) that explains the IPsec NAT issue.  Check it out.
> 
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0802.asp

Most any reputable company that produces NAT products already has software upgrades to make them IPSec compliant.

You need to map ports 50 and 51 TCP through to your machine *OR*  there should be a patch like you said for the kernel you are using.

Keep in mind that the tunnel endpoint will be hashed from your local IP while the packet will be renumbered from the router, so the endpoint device must be NAT capable as well. Nortel and Cisco devices are for sure, but others I am not positive about. It must be explicitly configured on them though.

-G
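The thread turns on two points: NAT rewriting headers breaks IPsec integrity checks that cover the IP header (mrchuckles's post), and the arkoon patch sven mentions works around it by wrapping ESP in UDP so the router has ports to rewrite. The following Python toy model, added here as an illustration and not code from FreeS/WAN, the arkoon patch or any poster, shows both effects on the wire. It simplifies heavily: the integrity check is truncated HMAC-SHA256 over a minimal IPv4 header with AH's mutable fields zeroed, "ciphertext" is a plain byte string, IP and UDP checksums are left zero, and the key, addresses, SPI and port numbers are all constructed. The UDP layout (port 4500, four zero bytes marking IKE rather than ESP) follows RFC 3948.

```python
"""Toy model: why NAT breaks AH but passes UDP-encapsulated ESP (RFC 3948 layout).
Constructed example; key, addresses, SPI and ports are made up."""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-integrity-key"     # shared integrity key (assumption)
NAT_T_PORT = 4500                           # UDP port used by RFC 3948 NAT traversal
NON_ESP_MARKER = b"\x00\x00\x00\x00"        # prefix marking IKE traffic on port 4500
IP_FMT = "!BBHHHBBH4s4s"                    # minimal 20-byte IPv4 header
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 header; checksum is left zero for simplicity."""
    return struct.pack(IP_FMT, 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """AH-style ICV: covers the IP header with mutable fields zeroed (TOS,
    flags/fragment, TTL, checksum) plus the payload. Source and destination
    addresses are covered, so a NAT rewrite of them invalidates the ICV."""
    ver_ihl, _tos, tlen, ident, _flags, _ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, ip_hdr)
    immutable = struct.pack(IP_FMT, ver_ihl, 0, tlen, ident, 0, 0, proto, 0, src, dst)
    return hmac.new(KEY, immutable + payload, hashlib.sha256).digest()[:12]


def esp_packet(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP-style packet: SPI | sequence | payload | ICV. The ICV covers only the
    ESP header and payload, never the outer IP header."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:12]


def esp_verify(esp: bytes) -> bool:
    """Recompute the ESP ICV over everything but the trailing 12 bytes."""
    body, icv = esp[:-12], esp[-12:]
    return hmac.compare_digest(icv, hmac.new(KEY, body, hashlib.sha256).digest()[:12])


def udp_encapsulate(esp: bytes, src_port: int = NAT_T_PORT) -> bytes:
    """RFC 3948 wrapping: 8-byte UDP header (checksum zero) followed by ESP."""
    return struct.pack("!HHHH", src_port, NAT_T_PORT, 8 + len(esp), 0) + esp


def nat_rewrite(ip_hdr: bytes, payload: bytes, public_ip: str, new_port=None):
    """What a NAT router does on egress: replace the private source address,
    decrement TTL and, for UDP, replace the source port with a mapped one."""
    fields = list(struct.unpack(IP_FMT, ip_hdr))
    fields[8] = socket.inet_aton(public_ip)   # source address
    fields[5] -= 1                            # TTL
    new_hdr = struct.pack(IP_FMT, *fields)
    if fields[6] == PROTO_UDP and new_port is not None:
        payload = struct.pack("!H", new_port) + payload[2:]
    return new_hdr, payload


def classify_port4500(udp_payload: bytes) -> str:
    """Receiver demux on UDP/4500: four zero bytes mean IKE, otherwise ESP (SPI)."""
    return "IKE" if udp_payload[:4] == NON_ESP_MARKER else "ESP"


def ah_survives_nat() -> bool:
    """Protocol 51 straight through a NAT: the sender's ICV no longer matches."""
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", PROTO_AH)
    payload = b"ah-protected-data"
    icv_from_sender = ah_icv(hdr, payload)
    nat_hdr, nat_payload = nat_rewrite(hdr, payload, "198.51.100.7")
    return hmac.compare_digest(icv_from_sender, ah_icv(nat_hdr, nat_payload))


def nat_t_esp_survives_nat() -> bool:
    """ESP in UDP/4500: NAT rewrites outer IP and UDP port, inner ESP still verifies."""
    esp = esp_packet(spi=0x1234, seq=1, ciphertext=b"encrypted-data")
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", PROTO_UDP)
    payload = udp_encapsulate(esp)
    _nat_hdr, nat_payload = nat_rewrite(hdr, payload, "198.51.100.7", new_port=61234)
    src_port, dst_port = struct.unpack("!HH", nat_payload[:4])
    inner = nat_payload[8:]
    return (src_port != NAT_T_PORT and dst_port == NAT_T_PORT
            and classify_port4500(inner) == "ESP" and esp_verify(inner))


if __name__ == "__main__":
    print("AH verifies after NAT:", ah_survives_nat())            # False
    print("UDP-encapsulated ESP verifies after NAT:", nat_t_esp_survives_nat())  # True
```

The model also shows why forwarding "port 50" or "port 51" on a consumer router cannot help: raw ESP and AH are IP protocol numbers with no port field, so a port-forwarding NAT has nothing to map a reply back to. With the UDP wrapper the router sees ordinary UDP/4500 traffic and only needs the 500 and 4500 mappings (the responder must also accept ESP on 4500 and ignore the address mismatch, which is the "NAT capable endpoint" requirement ghost_o describes).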

----------

