| 1 |
On Monday, 11 June 2018 17:47:16 BST Grant Taylor wrote: |
| 2 |
> On 06/11/2018 04:55 AM, Mick wrote: |
| 3 |
> > You'll need a trusted gateway to do the unwrapping and then forwarding |
| 4 |
> > to the next hop (SSH forwarding). If you attempt TCP-tunneling |
| 5 |
> > (TCP-over-TCP) you'll soon experience 'TCP meltdown' with upper and |
| 6 |
> > lower TCP layers' retransmission timeouts. |
| 7 |
> |
| 8 |
> I disagree. |
| 9 |
> |
| 10 |
> If I can establish an HTTPS (or other TCP connection to carry TLS |
| 11 |
> traffic) out through multiple layers of NAT (SOHO router + CGN + ???) to |
| 12 |
> a server with a globally routed IP address, I should be golden. |
| 13 |
> |
| 14 |
> NAT will do what it needs to with the internal IPs to establish the |
| 15 |
> connection from the deeply buried client out to the TLS VPN server. |
| 16 |
|
| 17 |
As I understand it, the CGN router will rewrite the IP headers and ports from/ |
| 18 |
to the SOHO router using PCP. This is not a TCP-over-TCP tunnel. |
| 19 |
|
| 20 |
|
| 21 |
> The connection will (extremely likely) be kept alive with various |
| 22 |
> different methods (TCP keep alive or VPN keep alive or pings through the |
| 23 |
> VPN) such that the upstream gateway can send data back to the client |
| 24 |
> through the established VPN. |
| 25 |
|
| 26 |
Outgoing connections will be OK, but to run a local server I believe you'll |
| 27 |
need to set up an external 'rendezvous server' to facilitate incoming |
| 28 |
connections, since the double NAT'ed local server will not have a public |
| 29 |
facing IP address. |
| 30 |
|
| 31 |
|
| 32 |
> Arguably this is no different than a long lived HTTP(S) connection from |
| 33 |
> the same client deep behind multiple NATs. |
| 34 |
> |
| 35 |
> There is no need for something in the middle to unwrap things. |
| 36 |
|
| 37 |
I'm trying to recall what I was thinking when I wrote this ... SSH reverse |
| 38 |
tunneling? Not sure. Outgoing VPN connections *should* work fine, incoming |
| 39 |
won't. |
| 40 |
|
| 41 |
|
| 42 |
> It almost sounds like you're talking about trying to do something from |
| 43 |
> one computer behind one or more NATs to another computer behind one or |
| 44 |
> more NATs on the far end. — That is a far more complex and |
| 45 |
> significantly different problem. |
| 46 |
|
| 47 |
I've tried that and couldn't get it to work - for reasons I explained below. |
| 48 |
|
| 49 |
|
| 50 |
> Most corporate VPN users are road warriors and connect from random IPs |
| 51 |
> to a static globally routed IP that is open to the world. |
| 52 |
> |
| 53 |
> > How will you be able to account for such a multi-NAT routing arrangement |
| 54 |
> > if (in tunnel rather than transport mode) the original entire IP datagram |
| 55 |
> > is encrypted and encapsulated? You'll need to decrypt it, take the |
| 56 |
> > payload and read its IP header before you know where to forward it to. |
| 57 |
> |
| 58 |
> Let me know if my comments above don't answer your question. |
| 59 |
> |
| 60 |
> > On single NAT you encapsulate the IPSec into UDP (NAT-Traversal), but |
| 61 |
> > on a double NAT what will you do? |
| 62 |
> |
| 63 |
> On the second NAT, you pass the UDP traffic from the first NAT. |
| 64 |
> |
| 65 |
> > I've never heard of double/triple NAT-T without port forwarding ... |
| 66 |
> |
| 67 |
> There is no specific need for port forwarding in any of the NATs when |
| 68 |
> the traffic is originated outbound from the innermost client going out |
| 69 |
> to a static globally routed IP. — Just like there's no need for it |
| 70 |
> when making an HTTPS request from the same client system. |
| 71 |
> |
| 72 |
> > Do you mean VPN within UDP within VPN? You'll need intermediate VPN |
| 73 |
> > gateways for this. |
| 74 |
> |
| 75 |
> No. L2TP and / or PPTP are notoriously flaky with NATs. But it's |
| 76 |
> usually possible to get a single L2TP / PPTP VPN to function behind a |
| 77 |
> NAT. This is because the NAT sees the L2TP or PPTP traffic and |
| 78 |
> associates it with a single VPN client behind the NAT. If (when) there |
| 79 |
> is a second VPN client of the same type, it breaks the association of |
| 80 |
> which internal client the traffic goes to. Thus it usually breaks / |
| 81 |
> prevents all such clients from working at the same time. |
| 82 |
|
| 83 |
Yes, in these cases you have to use different ports and set port forwarding |
| 84 |
per client. |
| 85 |
|
| 86 |
-- |
| 87 |
Regards, |
| 88 |
Mick |
Archives