[SunHELP] IPSec and firewalls

John Duksta sunhelp at sunhelp.org
Thu Mar 8 06:33:25 CST 2001


At 04:46 PM 3/7/2001 +0000, Jon Still wrote:
> > i don't know a whole lot about IPSec, so, is it possible to have the
> > machine at work initiate the tunnel so that it can get out of the firewall
> > and connect to my home machine?  on what port would it be connecting to so
> > i can allow a connection to that port and redirect it to the correct
> > machine at home.
>
>It's been a while since I touched IPSEC, but ISTR that it uses a totally
>different IP type (i.e. not TCP nor UDP) called ESP (Encapsulated
>Payload).  It will be this that you need to forward at your firewall to
>your solaris machine.
>As to how you'd go about doing this - I'm afraid I haven't got a clue!

Here's the deal with IPSec.

ISAKMP uses UDP/500 (source and dest ports should always be 500)
ISAKMP sets up the Security Associations that ESP uses to tunnel
the traffic. This is where all your authentication and key mgmt
happens.

ESP uses IP *Protocol* 50. This is where your actual encrypted
traffic runs. ESP has two modes, tunnel mode and transport mode.
Tunnel Mode is what you normally see these days in VPN clients
and VPN gateways (like the Nortel Contivity, Altega, etc.)
Tunnel mode encapsulates the whole packet (including IP headers)
and ships it to the other tunnel endpoint to be decrypted and
unwrapped.

Transport mode on the other hand only encrypts the payload of the
IP packet. That is, the data from layer 4 up gets encrypted (TCP, UDP).
Transport mode isn't really that prevalent these days as most endpoints
don't directly support IPsec.

AH (Authentication Header) runs on IP Protocol 51. It does *NOT* provide
any encryption. It merely cryptographically checksums the packet to make
sure that it wasn't tampered with in transit. While it is a part of the
IPSec standards and everyone implements it, almost no one uses it because
(a) there is no privacy provided by it and (b) it doesn't work in a NAT'ed
environment.

On to getting your tunnel working (maybe)

You note that both your machines at work and at home are behind NAT'ing
firewalls. You also note that the network folks say they won't make any
changes to the firewall to support this. This may be bad.

First off, check with the network folks to see if the firewall will even
pass ESP (IP/50). If it won't and they won't change that, then you're hosed.

Next, you'll need to configure your IPFilter config at home to forward
the ISAKMP (UDP/500) and ESP packets in to the Solaris 8 box on your home
LAN.

If the firewall at work will forward ESP, then you'll probably only be
able to start the connection from the office (again, due to the fact that
they said they wouldn't make any firewall changes for you). I'm guessing
that they are running some sort of stateful inspection firewall (like
Checkpoint) so if it sees the traffic initiated from inside, it should allow
the return connections to come back.

If all of this lines up, then you'll want to set up the Solaris box at work
to connect to your public interface (e.g. the outside interface of your
firewall) at home. The firewall at work should rewrite the source addresses
as its external interface and your IPSec client at home should use that
address.

I don't have any specific experience with the Solaris 8 IPSec client, but
hopefully this should be enough to get you started on figuring out whether
this is even possible.

One more thing... if you see the ISAKMP negotiate ok, but then no traffic
passes, then ESP isn't passing through the firewall(s) properly.

HTH,

-john


--
John C.C. Duksta, CISSP                      <jduksta at genuity.com>
PGP Fingerprint: 2037 FB34 8D4A 22D7 3EB3 EEF9 3ABA 997E F964 0EAF
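As an added illustration (not part of the original thread), here is what the home-side IPFilter forwarding described in the post could look like, assuming placeholder values: external interface hme0, the Solaris 8 box at 192.168.1.10, and the office firewall's public address 198.51.100.7. The rdr rule that names the protocol "esp" is an assumption about the installed IPFilter version and should be checked against its ipnat(5) man page.

```conf
# /etc/ipf/ipnat.conf  (constructed example, placeholder addresses)

# Redirect inbound ISAKMP (UDP/500) arriving on the external interface to
# the Solaris 8 box on the home LAN. Port 500 is kept on both sides, since
# ISAKMP source and destination ports are always 500.
rdr hme0 0.0.0.0/0 port 500 -> 192.168.1.10 port 500 udp

# Redirect inbound ESP (IP protocol 50). ESP has no ports, so the rule can
# only match on the protocol. ASSUMPTION: this ipnat accepts a protocol
# name from /etc/protocols here; if it is rejected, consult ipnat(5).
rdr hme0 0.0.0.0/0 -> 192.168.1.10 esp

# Let the Solaris box's own ISAKMP and ESP out, rewriting the source to the
# firewall's external address (0/32). No portmap is given, so UDP/500 keeps
# its source port unless a collision forces a change. ESP carries no port,
# so only one inside host can run ESP through this NAT at a time.
map hme0 192.168.1.10/32 -> 0/32

# /etc/ipf/ipf.conf  (only the IPsec-related rules are shown)

# rdr runs before inbound filtering, so these rules see the translated
# destination 192.168.1.10. Only the office firewall's public address is
# allowed to talk IKE/ESP to it; everything else inbound is dropped.
block in log on hme0 all
pass in quick on hme0 proto udp from 198.51.100.7 port = 500 to 192.168.1.10 port = 500 keep state
pass in quick on hme0 proto esp from 198.51.100.7 to 192.168.1.10

# Outbound filtering runs before map, so the untranslated source is seen.
pass out quick on hme0 proto udp from 192.168.1.10 port = 500 to 198.51.100.7 port = 500 keep state
pass out quick on hme0 proto esp from 192.168.1.10 to 198.51.100.7
```

If ISAKMP completes but no traffic flows, the "log" on the block rule (viewed with ipmon) will show whether ESP is reaching hme0 at all, which distinguishes a home-side rule problem from ESP being dropped at the office.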