IPSec tunnel pass-throughs

IPSec tunnels going through Internet Gate have to be specified explicitly in the VPN Pass-through field of the security profile page.

:!: The most important rule to remember is that two local clients are never allowed to contact the same remote server! (If you have multiple clients that need to connect to the same remote server consider using the IPSec NAT-T protocol instead, see below.)

You are recommended to specify all three fields for each row, as this ensures stability and reliability. Though you can enter as many rows as you want, try to keep the number of rows low.

If remote server IP is not specified (empty field), the specified local client can access any remote server – except servers accessed by other local clients. NOTE: only one such row is allowed to be entered – multiple rows with only local client IP specified are not allowed!

If local client IP is not specified (empty field), the specified remote server can be accessed by any of the local clients – but only by one client at a time. (If you have multiple clients that need to simultaneously connect to that remote server consider using the IPSec NAT-T protocol instead, see below.)

If neither local client IP nor remote server IP is specified, any local client can access any remote server – but this mode does not work with all IPSec implementations and often results in unstable connections, and is therefore not recommended.

Even though it is possible to enter multiple incomplete rows (with missing IP addresses), such configurations can easily lead to side effects and non-working connections and are therefore not recommended.

It doesn't matter in what order you enter the rows.

The remote server is not allowed to be behind a NAT. (If the remote server is behind a NAT consider using the IPSec NAT-T protocol instead, see below.)

IPSec and PPTP entries don't affect each other (even though they are entered into the same pass-through-list), thus you can ignore all PPTP entries when considering what IPSec entry combinations you can enter.

IPSec and IPSec NAT-T entries on the other hand do affect each other, especially when incomplete (one or two empty IP fields). Avoid such combinations as side effects or non-working connections might occur.

While standard IPSec does work in all security profiles, certain IPSec dialects do not work in Hi security profile – only in Lo. If you fail to establish an IPSec connection through Internet Gate in Hi security profile try performing the same configuration in the Lo security profile.

Read more: IPsec pass-through

IPSec NAT-T

There are two different methods of transmitting IPSec data: as raw IPSec packets, or as IPSec NAT-T: IPSec packets embedded into UDP packets (IPSec over UDP).

IPSec : raw IPSec packets are the most commonly used IPSec transmit format. However, raw IPSec has difficulty getting through firewalls and NATs.

IPSec NAT-T : (also called IPSec over UDP) hides IPSec packets inside common UDP packets to allow easier passage through firewalls and NATs. Due to this ability more and more “IPSec” servers either actually run IPSec NAT-T or allow both types of traffic to connect.

If you have difficulties configuring your IPSec pass-throughs you might try using IPSec NAT-T instead: it allows multiple pass-throughs to the same remote server, and allows the remote server to be behind a NAT.

All you have to do is configure your IPSec client to use IPSec NAT-T (also called IPSec over UDP) instead of “raw” IPSec – many IPSec servers allow communication using both IPSec and IPSec NAT-T protocols, thus they demand no changes to be made at their end.

Recommendations

If you only have one IPSec client on your local network, enter its IP address into the Local client IP field, and leave Remote server IP empty.

If you have multiple IPSec clients on your local network, enter multiple complete lines specifying for each client its IP address and the IP address of the server it connects to. Make sure no two lines have the same remote server IP in them.

Examples

To connect 192.168.0.31 to 50.11.69.17, and 192.168.0.32 to 100.23.65.77, enter:

IPSec , 192.168.0.31 , 50.11.69.17

IPSec , 192.168.0.32 , 100.23.65.77

To connect 192.168.0.31 to both remote servers enter:

IPSec , 192.168.0.31 , 50.11.69.17

IPSec , 192.168.0.31 , 100.23.65.77

or:

IPSec , 192.168.0.31 , (empty)

The difference is that while the first version only allows the client to connect to the two specified servers (and no others), the second version allows the client to connect to any remote server.

Watch out with rules:

IPSec , 192.168.0.31 , 50.11.69.17

IPSec , 192.168.0.32 , (empty)

Please note that 192.168.0.32 can access any remote IPSec server except 50.11.69.17 – as that one is reserved for client 192.168.0.31. It does not matter whether client 192.168.0.31 is actually connected to the server right now or not – as it is a static pass-through through the firewall, no other client can use it. To allow both clients to be able to reach server 50.11.69.17 you should instead enter the rule:

IPSec , (empty) , 50.11.69.17

that allows any inside client to contact the remote server – but not two at the same time!

(To allow multiple inside clients to simultaneously contact the remote server consider using the IPSec NAT-T protocol instead.)

Please note that it is impossible to, at the same time, connect both 192.168.0.31 and 192.168.0.32 to remote server 50.11.69.17! The closest you can come is with the rule:

IPSec , (empty) , 50.11.69.17

that allows any inside client to contact the remote server 50.11.69.17 – one at a time! If 192.168.0.31 is connected, connecting 192.168.0.32 makes 192.168.0.31 immediately lose its IPSec connection.

(To allow multiple inside clients to simultaneously contact the remote server consider using the IPSec NAT-T protocol instead.)

Errors

If you have entered an illegal combination of rules, the first non-conformant rule is marked with XXX. Please note that the reason for the error could be another rule before or after the marked rule that makes usage of the marked rule impossible. Read the information on this page carefully to solve the problem.

Incomplete VPN pass-through rules (with one or both IP addresses missing) can, in certain combinations, result in other behaviour than you might have expected. Always try to fill in as many of the fields as possible.

Incomplete VPN pass-through rules (with one or both IP addresses missing) might also result in some IPSec programs failing to connect or losing their connection after a while. If you experience such problems, fill in both the local client and remote server IP address fields.


In the examples above, if you enter:

IPSec , 192.168.0.31 , 50.11.69.17

IPSec , 192.168.0.32 , 50.11.69.17

you will get an error, as two pass-through tunnels are not allowed to go to the same remote server.

(To allow multiple inside clients to simultaneously contact the same remote server consider using the IPSec NAT-T protocol instead.)
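The following is an added example and not part of the original page or of the Internet Gate firmware: a small checker that encodes the pass-through rules stated above (two rows may not name the same remote server, at most one row may have only a local client, PPTP rows do not interact with IPSec rows, and IPSec NAT-T rows are exempt from the one-client-per-server limit). It reads rows in the same "type , local client IP , remote server IP" form used in the examples, reports the index of the first row the GUI would mark XXX, and works out which remote servers a given local client may reach. The function names and the decision to treat a "(empty) , server" row as usable by any client (one at a time, which this checker does not model) are assumptions made for the example.

```python
"""Checker for Internet Gate IPSec pass-through rule lists (added example).

Encodes the constraints the page describes; it is not the router's own
validator. Rows are written as on the page: 'IPSec , 192.168.0.31 , (empty)'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Rule:
    kind: str              # "IPSec", "IPSec NAT-T" or "PPTP"
    local: Optional[str]   # local client IP, None when the field is empty
    remote: Optional[str]  # remote server IP, None when the field is empty

def parse_rule(line: str) -> Rule:
    """Parse one pass-through row; '(empty)' or '' means the field is unset."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 3:
        raise ValueError(f"expected 3 comma-separated fields: {line!r}")

    def field(value: str) -> Optional[str]:
        if value in ("", "(empty)"):
            return None
        return str(ipaddress.ip_address(value))  # rejects malformed addresses

    return Rule(parts[0], field(parts[1]), field(parts[2]))

def first_error(rules: List[Rule]) -> Optional[int]:
    """Index of the first IPSec row that conflicts with an earlier row
    (the row the GUI would mark XXX), or None if the list is legal.
    PPTP and IPSec NAT-T rows are skipped: PPTP does not interact with
    IPSec, and NAT-T may share a remote server between clients."""
    seen_remote: Dict[str, int] = {}
    local_only_row: Optional[int] = None
    for i, r in enumerate(rules):
        if r.kind != "IPSec":
            continue
        if r.remote is not None:
            if r.remote in seen_remote:
                return i          # two rows to the same remote server
            seen_remote[r.remote] = i
        elif r.local is not None:
            if local_only_row is not None:
                return i          # only one "local client only" row allowed
            local_only_row = i
    return None

def mark_errors(lines: List[str]) -> List[str]:
    """Return the rows with ' XXX' appended to the first non-conformant one."""
    bad = first_error([parse_rule(l) for l in lines])
    return [l + " XXX" if i == bad else l for i, l in enumerate(lines)]

def reachable_servers(rules: List[Rule], client: str,
                      candidates: List[str]) -> List[str]:
    """Which of `candidates` may `client` reach through raw IPSec?
    A complete row reserves its remote server for that one client; a
    '(empty) , server' row opens the server to any client; a 'client ,
    (empty)' or '(empty) , (empty)' row opens every unreserved server."""
    ipsec = [r for r in rules if r.kind == "IPSec"]
    reserved = {r.remote: r.local for r in ipsec if r.remote and r.local}
    open_to_all = {r.remote for r in ipsec if r.remote and not r.local}
    wildcard = any(r.remote is None and r.local in (client, None)
                   for r in ipsec)
    out = []
    for server in candidates:
        if server in reserved:
            if reserved[server] == client:
                out.append(server)
        elif server in open_to_all or wildcard:
            out.append(server)
    return out

if __name__ == "__main__":
    # Constructed sample: the "watch out" rule pair from the page.
    rows = ["IPSec , 192.168.0.31 , 50.11.69.17", "IPSec , 192.168.0.32 , (empty)"]
    rules = [parse_rule(r) for r in rows]
    print(reachable_servers(rules, "192.168.0.32", ["50.11.69.17", "100.23.65.77"]))
    print(mark_errors(["IPSec , 192.168.0.31 , 50.11.69.17",
                       "IPSec , 192.168.0.32 , 50.11.69.17"]))
```

Running the block reproduces the page's examples: 192.168.0.32 reaches 100.23.65.77 but not 50.11.69.17, and the two-clients-to-one-server pair gets its second row marked XXX.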

web_gui/ipsec_pass-through.txt · Last modified: 2010/11/15 10:21 by mats
CC Attribution-Noncommercial-Share Alike 3.0 Unported