Setting up L2TP forwarding through NAT
The L2TP server listens on UDP port 1701 and UDP port 500.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule
and set its value to 2. Reboot the computer. For convenience, I have attached a .reg file with this parameter.
On the gateway in front of the server, create a few iptables rules so that packets can pass from the Windows XP client to the Windows 2003 server and back (eth1 is the WAN interface):
iptables -A FORWARD -d 192.168.0.1/32 -i eth1 -p udp -m udp --dport 500 -j ACCEPT
iptables -A FORWARD -s 192.168.0.1/32 -o eth1 -p udp -m udp --sport 500 -j ACCEPT
iptables -A FORWARD -d 192.168.0.1/32 -i eth1 -p udp -m udp --dport 4500 -j ACCEPT
iptables -A FORWARD -s 192.168.0.1/32 -o eth1 -p udp -m udp --sport 4500 -j ACCEPT
iptables -t nat -A PREROUTING -d 88.88.88.88/32 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.0.1
iptables -t nat -A PREROUTING -d 88.88.88.88/32 -p udp -m udp --dport 4500 -j DNAT --to-destination 192.168.0.1
iptables -t nat -A POSTROUTING -d 192.168.0.1/32 -p udp -m udp --dport 500 -j SNAT --to-source 88.88.88.88
iptables -t nat -A POSTROUTING -d 192.168.0.1/32 -p udp -m udp --dport 4500 -j SNAT --to-source 88.88.88.88
Checked it with tcpdump:
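The tcpdump output itself is not on the page. As an added example (my own code, not part of the original note), here is a small Python script that labels tcpdump lines captured on the gateway by the stage of the L2TP/IPsec NAT-T exchange they belong to and reports whether IKE moved from UDP 500 to 4500 and ESP is UDP-encapsulated, or whether the client never left port 500 (the symptom the registry key above addresses). The capture lines are constructed samples; the "NONESP-encap:" and "UDP-encap: ESP" prefixes are tcpdump's own markers for port-4500 traffic.

```python
import re
from collections import Counter

# tcpdump's default text line for a UDP datagram, e.g.
# "10:00:01.000000 IP 10.0.0.5.500 > 88.88.88.88.500: isakmp: phase 1 I ident"
LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
def classify(line):
    """Label one tcpdump line by the stage of the L2TP/IPsec exchange it belongs to."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ports = {int(m["sport"]), int(m["dport"])}
    rest = m["rest"]
    if 500 in ports and rest.startswith("isakmp"):
        return "ike"          # plain IKE on UDP 500 (phase 1 starts here)
    if 4500 in ports and rest.startswith("NONESP-encap: isakmp"):
        return "ike-natt"     # NAT detected: IKE moved to UDP 4500
    if 4500 in ports and rest.startswith("UDP-encap: ESP"):
        return "esp-natt"     # ESP wrapped in UDP 4500, i.e. NAT-T is working
    if 1701 in ports:
        return "l2tp-clear"   # L2TP visible on the wire: IPsec is not protecting it
    return "other"

def assess(lines):
    """Count packet kinds and return (counts, one-line verdict)."""
    counts = Counter(c for c in map(classify, lines) if c)
    if counts["l2tp-clear"]:
        verdict = "L2TP in the clear on UDP 1701: tunnel is not IPsec-protected"
    elif counts["esp-natt"]:
        verdict = "NAT-T negotiated: ESP is UDP-encapsulated on port 4500"
    elif counts["ike-natt"]:
        verdict = "IKE moved to 4500 but no ESP followed: check phase 2 and the 4500 NAT rules"
    elif counts["ike"]:
        verdict = ("only IKE on UDP 500: NAT-T not enabled "
                   "(AssumeUDPEncapsulationContextOnSendRule) or UDP 4500 blocked")
    else:
        verdict = "no IPsec traffic seen"
    return counts, verdict

# Constructed sample captures (not from the original note).
SAMPLE_OK = [
    "10:00:01.000000 IP 10.0.0.5.500 > 88.88.88.88.500: isakmp: phase 1 I ident",
    "10:00:01.100000 IP 10.0.0.5.4500 > 88.88.88.88.4500: NONESP-encap: isakmp: phase 1 I ident[E]",
    "10:00:01.200000 IP 10.0.0.5.4500 > 88.88.88.88.4500: UDP-encap: ESP(spi=0x0a0b0c0d,seq=0x1), length 132",
    "10:00:01.250000 IP 88.88.88.88.4500 > 10.0.0.5.4500: UDP-encap: ESP(spi=0x01020304,seq=0x1), length 132",
]
SAMPLE_NO_NATT = [
    "10:00:05.000000 IP 10.0.0.5.500 > 88.88.88.88.500: isakmp: phase 1 I ident",
]
```

Feed it real lines with `tcpdump -ni eth1 udp port 500 or udp port 4500 or udp port 1701` and `assess(sys.stdin.read().splitlines())`.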
NAT traversal and IPsec
http://en.wikipedia.org/wiki/NAT_traversal
In order for IPsec to work through a NAT, the following protocols need to be allowed on the firewall:
- Internet Key Exchange (IKE) - User Datagram Protocol (UDP) port 500
- Encapsulating Security Payload (ESP) - IP protocol number 50
or, in case of NAT-T:
- IPsec NAT-T - UDP port 4500
Often this is accomplished on home routers by enabling "IPsec Passthrough".
The default behavior of Windows XP SP2 was changed to no longer have NAT-T enabled by default, because of a rare and controversial security issue. This prevents most home users from using IPsec without making adjustments to their computer configuration. To enable NAT-T for systems behind NATs to communicate with other systems behind NATs, the following registry key needs to be added and set to a value of 2: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule
IPsec NAT-T patches are also available for Windows 2000, Windows NT and Windows 98.
One usage of NAT-T and IPsec is to enable opportunistic encryption between systems. NAT-T allows systems behind NATs to request and establish secure connections on demand.