1 |
On Monday, 11 June 2018 17:47:16 BST Grant Taylor wrote: |
2 |
> On 06/11/2018 04:55 AM, Mick wrote: |
3 |
> > You'll need a trusted gateway to do the unwrapping and then forwarding |
4 |
> > to the next hop (SSH forwarding). If you attempt TCP-tunneling |
5 |
> > (TCP-over-TCP) you'll soon experience 'TCP meltdown' with upper and |
6 |
> > lower TCP layers' retransmission timeouts. |
7 |
> |
8 |
> I disagree. |
9 |
> |
10 |
> If I can establish an HTTPS (or other TCP connection to carry TLS |
11 |
> traffic) out through multiple layers of NAT (SOHO router + CGN + ???) to |
12 |
> a server with a globally routed IP address, I should be golden. |
13 |
> |
14 |
> NAT will do what it needs to with the internal IPs to establish the |
15 |
> connection from the deeply buried client out to the TLS VPN server. |
16 |
|
17 |
As I understand it, the CGN router will rewrite the IP headers and ports from/ |
18 |
to the SOHO router using PCP. This is not a TCP-over-TCP tunnel. |
19 |
|
20 |
|
21 |
> The connection will (extremely likely) be kept alive with various |
22 |
> different methods (TCP keep alive or VPN keep alive or pings through the |
23 |
> VPN) such that the upstream gateway can send data back to the client |
24 |
> through the established VPN. |
25 |
|
26 |
Outgoing connections will be OK, but to run a local server I believe you'll |
27 |
need to set up an external 'rendezvous server' to facilitate incoming |
28 |
connections, since the double NAT'ed local server will not have a public |
29 |
facing IP address. |
30 |
|
31 |
|
32 |
> Arguably this is no different than a long lived HTTP(S) connection from |
33 |
> the same client deep behind multiple NATs. |
34 |
> |
35 |
> There is no need for something in the middle to unwrap things. |
36 |
|
37 |
I'm trying to recall what I was thinking when I wrote this ... SSH reverse |
38 |
tunneling? Not sure. Outgoing VPN connections *should* work fine, incoming |
39 |
won't. |
40 |
|
41 |
|
42 |
> It almost sounds like you're talking about trying to do something from |
43 |
> one computer behind one or more NATs to another computer behind one or |
44 |
> more NATs on the far end. — That is a far more complex and |
45 |
> significantly different problem. |
46 |
|
47 |
I've tried that and couldn't get it to work - for reasons I explained below. |
48 |
|
49 |
|
50 |
> Most corporate VPN users are road warriors and connect from random IPs |
51 |
> to a static globally routed IP that is open to the world. |
52 |
> |
53 |
> > How will you be able to account for such a multi-NAT routing arrangement |
54 |
> > if (in tunnel rather than transport mode) the original entire IP datagram |
55 |
> > is encrypted and encapsulated? You'll need to decrypt it, take the |
56 |
> > payload and read its IP header before you know where to forward it to. |
57 |
> |
58 |
> Let me know if my comments above don't answer your question. |
59 |
> |
60 |
> > On single NAT you encapsulate the IPSec into UDP (NAT-Traversal), but |
61 |
> > on a double NAT what will you do? |
62 |
> |
63 |
> On the second NAT, you pass the UDP traffic from the first NAT. |
64 |
> |
65 |
> > I've never heard of double/triple NAT-T without port forwarding ... |
66 |
> |
67 |
> There is no specific need for port forwarding in any of the NATs when |
68 |
> the traffic is originated outbound from the innermost client going out |
69 |
> to a static globally routed IP. — Just like there's no need for it |
70 |
> when making an HTTPS request from the same client system. |
71 |
> |
72 |
> > Do you mean VPN within UDP within VPN? You'll need intermediate VPN |
73 |
> > gateways for this. |
74 |
> |
75 |
> No. L2TP and / or PPTP are notoriously flaky with NATs. But it's |
76 |
> usually possible to get a single L2TP / PPTP VPN to function behind a |
77 |
> NAT. This is because the NAT sees the L2TP or PPTP traffic and |
78 |
> associates it with a single VPN client behind the NAT. If (when) there |
79 |
> is a second VPN client of the same type, it breaks the association of |
80 |
> which internal client the traffic goes to. Thus it usually breaks / |
81 |
> prevents all such clients from working at the same time. |
82 |
|
83 |
Yes, in these cases you have to use different ports and set port forwarding |
84 |
per client. |
85 |
|
86 |
-- |
87 |
Regards, |
88 |
Mick |