Understanding ipsec with NAT and dynamic IP's

Question

I'm using OpenSWAN to set up a net-to-net VPN tunnel. I have succeeded in configuring a test scenario as follows:

About test and test2:

• they are Ubuntu 12.04 virtual machines created using ubuntu-vm-builder
• they use bridged networking to the host's physical ethernet (the 192.168.0.0/24 subnet).
• I installed the standard openswan package.
• each has a dummy interface which is accessible from the other end of the VPN tunnel.

This is how I configured the tunnel:

/etc/ipsec.conf (identical on both left and right):

version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn net-to-net
    authby=secret
    left=192.168.0.11
    leftsubnet=10.1.0.0/16
    leftsourceip=10.1.0.1
    right=192.168.0.12
    rightsubnet=10.2.0.0/16
    rightsourceip=10.2.0.1
    auto=start

/etc/ipsec.secrets (identical on both left and right):

192.168.0.11 192.168.0.12: PSK "mytestpassword"

/etc/rc.local (on left):

modprobe dummy
ifconfig dummy0 10.1.0.1 netmask 255.255.0.0

iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 ! -d 10.2.0.0/16 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart

exit 0

/etc/rc.local (on right):

modprobe dummy
ifconfig dummy0 10.2.0.1 netmask 255.255.0.0

iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 ! -d 10.1.0.0/16 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart

exit 0

Now, I would like to set up the following scenario:

Issues I need to understand:

• Can IPSec connect through a VPN gateway which is sharing a public ip via NAT (inbound NAT traversal)? Do NAT-T and IPSec passthrough relate to this or are they just for outbound NAT (i.e. dealing with clients which are behind NAT but where the gateway has a public IP)? Would it be sufficient to forward some ports from router1 to test, or would that be incompatible with IPSec?
• Can both ends of an IPSec tunnel have dynamic IP's as long as one has a domain name and dynamic dns?

Answer 1

Can IPSec connect through a VPN gateway which is sharing a public ip via NAT (inbound NAT traversal)? Do NAT-T and IPSec passthrough relate to this or are they just for outbound NAT (i.e. dealing with clients which are behind NAT but where the gateway has a public IP)? Would it be sufficient to forward some ports from router1 to test, or would that be incompatible with IPSec?

NAT-T as defined in RFC 3947 / 3948 is a UDP encapsulation of IPSec traffic. Without this encapsulation, IPSec uses own protocol types underneath of IP for both - the transport and the tunnel modes, making it impossible to work through NAT. With the UDP encapsulation, it would work over any NAT device capable of handling UDP.

The direction of the connection establishment does matter indeed as NAT routers are stateful and maintain UDP "connection" information only allowing for UDP "connections" initiated from within the NATed network. Creating a port forwarding rule for the UDP port used by IKE and the UDP encapsulation for ESP (4500/udp) would overcome this limitation, but obviously only allow for a single IPSec host configured in this way behind the NAT device.

Can both ends of an IPSec tunnel have dynamic IP's as long as one has a domain name and dynamic dns?

Yes, you do not need a static IP address, although it is likely to make your life easier as it removes two single points of failure (the DDNS provider / update process) from your configuration. Note that running with dynamic IP addresses on both ends with PSK authentication would require aggressive mode for IKE phase 1.

Answer 2

I'm generally not the kind of guy to answer a well-thought out question with "go use something else", but... IPSec VPNs are always a problem to set up. Adding in NAT and dynamic IP's is just an invitation for frustration.

Have you taken a look at OpenVPN at all? It's a SSL-based VPN that tunnels everything through UDP port 1194 so you're not having to deal with ESP. You could probably get your WAN up-and-running in less than hour.