Gentoo Forums
AIX <-> Linux IPSec w/NAT
sbelgard
n00b
Joined: 20 Nov 2013
Posts: 2

PostPosted: Wed Nov 20, 2013 6:56 pm    Post subject: AIX <-> Linux IPSec w/NAT

I am trying to establish IPSec w/ shared key between AIX 5.3 and RH Linux 2.6.18. The AIX is reached via NAT only.

AIX actual IP:x.x.x.x
Linux actual IP: y.y.y.y

Linux needs to use z.z.z.z to reach AIX

An AIX ping to Linux shows source as z.z.z.z on Linux side
A Linux ping to AIX shows source as y.y.y.y on AIX side

I have no problem with direct (no NAT) IPSec between AIX & Linux where no GW is involved.

I kick off racoon on Linux first and then do the AIX side. AIX gets "Active" on phase 1 and 2, but any TCP or ping traffic is one-sided. On Linux I do see SPI values for x.x.x.x -> y.y.y.y and y.y.y.y -> x.x.x.x.

Any sample config files would be appreciated.

Best,
Scott
blu3bird
Retired Dev
Joined: 04 Oct 2003
Posts: 612
Location: Munich, Germany

PostPosted: Wed Nov 20, 2013 9:42 pm

Did you enable NAT traversal on both systems? If yes, try to set it to force in racoon.conf.
Code:
# z.z.z.z is the address Linux actually talks to (the NAT in front of AIX)
remote z.z.z.z {
  # on = encapsulate only if a NAT is detected in phase 1;
  # force = always UDP-encapsulate ESP, even if detection says there is no NAT
  nat_traversal force;
}

If NAT traversal is disabled, ISAKMP traffic will still work, because it uses UDP.
But "real" VPN data packets (ESP) won't go through the NAT gateway.
_________________
Black Holes are created when God divides by zero!
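The mechanism behind blu3bird's answer, as an added example that is not part of the original thread: a small Python model of a port-translating NAT, the RFC 3947 NAT-D hash that IKE phase 1 uses to detect such a NAT, and the RFC 3948 UDP/4500 framing that carries ESP once NAT traversal is on. The addresses are constructed stand-ins for x.x.x.x (AIX), z.z.z.z (the NAT's public side) and y.y.y.y (Linux), SHA-1 is assumed as the negotiated phase-1 hash, and the NAT is assumed to drop bare ESP because it has no ports to map (some gateways offer an "ESP passthrough" instead; that is not modelled).

```python
# Added example, not code from the forum thread. Constructed stand-ins:
#   AIX_IP   = x.x.x.x  (private, behind the NAT)
#   NAT_IP   = z.z.z.z  (what Linux sees as the AIX source)
#   LINUX_IP = y.y.y.y
import hashlib
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_UDP, PROTO_ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500

AIX_IP = "192.168.1.10"
NAT_IP = "203.0.113.5"
LINUX_IP = "198.51.100.7"


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int]   # None for ESP: IP protocol 50 carries no ports
    dport: Optional[int]
    payload: bytes


class PortNat:
    """Toy port-translating NAT. Assumption: it only keeps state for protocols
    that carry ports, so bare ESP (no ports) is dropped, as blu3bird describes."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.out_map = {}   # (inside_ip, inside_port, proto) -> public port
        self.in_map = {}    # (public port, proto) -> (inside_ip, inside_port)
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None                      # ESP: nothing to translate, dropped
        key = (pkt.src, pkt.sport, pkt.proto)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, pkt.proto)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst,
                      self.out_map[key], pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.in_map.get((pkt.dport, pkt.proto))
        if inside is None:
            return None                      # no mapping for this reply, dropped
        return Packet(pkt.proto, pkt.src, inside[0], pkt.sport, inside[1], pkt.payload)


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port); SHA-1 assumed."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def detect_nat(cky_i, cky_r, claimed_ip, claimed_port, seen_ip, seen_port) -> bool:
    """True when the address a peer hashed into its NAT-D differs from the
    address the other side observed on the wire, i.e. a NAT sits in between."""
    return nat_d(cky_i, cky_r, claimed_ip, claimed_port) != nat_d(cky_i, cky_r, seen_ip, seen_port)


def demux_4500(udp_payload: bytes) -> str:
    """RFC 3948 framing on UDP/4500: one 0xFF byte is a NAT keepalive, four zero
    bytes (the Non-ESP marker) prefix IKE, anything else starts with an ESP SPI,
    which is never zero on the wire."""
    if udp_payload == b"\xff":
        return "keepalive"
    if udp_payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    if len(udp_payload) >= 8 and struct.unpack("!I", udp_payload[:4])[0] != 0:
        return "esp"
    raise ValueError("not a valid UDP/4500 payload")


def run_scenario() -> dict:
    nat = PortNat(NAT_IP)
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")

    # Phase 1 over UDP/500 crosses the NAT; Linux sees src z.z.z.z:40000.
    ike = nat.outbound(Packet(PROTO_UDP, AIX_IP, LINUX_IP, IKE_PORT, IKE_PORT, b"\x00" * 4 + b"ike"))
    # AIX hashed its own view of itself (x.x.x.x:500); Linux hashes what it saw.
    aix_behind_nat = detect_nat(cky_i, cky_r, AIX_IP, IKE_PORT, ike.src, ike.sport)
    # Linux hashed y.y.y.y:500; AIX compares against the destination it used.
    linux_behind_nat = detect_nat(cky_i, cky_r, LINUX_IP, IKE_PORT, LINUX_IP, IKE_PORT)

    esp = b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + b"ciphertext"   # SPI 0x1234, seq 1
    bare_esp = nat.outbound(Packet(PROTO_ESP, AIX_IP, LINUX_IP, None, None, esp))
    encap = nat.outbound(Packet(PROTO_UDP, AIX_IP, LINUX_IP, NATT_PORT, NATT_PORT, esp))
    # Linux answers to the translated address/port; the NAT maps it back to AIX.
    reply = nat.inbound(Packet(PROTO_UDP, LINUX_IP, encap.src, NATT_PORT, encap.sport, esp))

    return {
        "ike_traverses_nat": ike is not None and ike.src == NAT_IP,
        "aix_behind_nat": aix_behind_nat,
        "linux_behind_nat": linux_behind_nat,
        "bare_esp_dropped": bare_esp is None,
        "encap_esp_kind": demux_4500(encap.payload),
        "reply_reaches_aix": reply is not None and reply.dst == AIX_IP,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The NAT-D comparison only fails for the AIX side, which is what racoon's `nat_traversal on` keys off to start encapsulating; `force` skips that detection and encapsulates regardless, so it is the setting to try when detection does not fire. Bare ESP is dropped by this NAT while the same ESP packet inside UDP/4500 is mapped in both directions.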
sbelgard
n00b
Joined: 20 Nov 2013
Posts: 2

PostPosted: Wed Dec 04, 2013 7:16 pm    Post subject: AIX->Linux IPSec w/NAT

:D Success! The Linux side needed a few spdadd statements:
Code:
# Linux side, loaded with: setkey -f <file>
# Tunnel endpoints are y.y.y.y (Linux) and z.z.z.z (the NAT address that
# fronts the AIX host), not the AIX host's real address x.x.x.x.
spdadd y.y.y.0/24 x.x.x.0/24 any -P out ipsec esp/tunnel/y.y.y.y-z.z.z.z/require;
spdadd x.x.x.0/24 y.y.y.0/24 any -P in ipsec esp/tunnel/z.z.z.z-y.y.y.y/require;
spdadd x.x.x.0/24 y.y.y.0/24 any -P fwd ipsec esp/tunnel/z.z.z.z-y.y.y.y/require;