Mike's questions

I'm trying to work with another party to set up a site-to-site IPsec VPN between us and them. We are behind NAT, so need their Cisco (ASA 5510 on IOS 9.1.7) to match on our IKE id (key-id in Cisco parlance). The problem is the other party has said that they can only enable key-id on a global level, not on a tunnel-level, so they aren't able to do so due to impacting other VPNs.

Is this correct, key-id matching is an all or nothing thing? If enabled it's used for all tunnels, not just the ones that require it? The only literature I've found on it is from Cisco itself and does seem to imply a global scope, but I'm not an expert in Cisco config hence this question.

To change the peer identification method, enter the following command:

crypto isakmp identity {address | hostname | key-id id-string | auto}

Are there any other alternatives to get an IPsec tunnel correctly matching when we are NAT'd? We are restricted to IPsec and IKEv1 using PSK. Certificates aren't an option unfortunately.

I have a 2 devices, a Cisco ASA and sitting behind it another device. Both the Cisco and the other device have IPsec tunnels but to different locations. I need to ensure that the source port of the other device is not UDP-500 when it is NAT'd, as that is the same port as the Cisco IPsec service and so we see a problem where reply packets destined for the other device instead hit the ASA.

According to Cisco's FAQ on NAT (http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html) it preserves the port where possible by default based on "Q. When configuring for PAT (overloading), what is the maximum number of translations that can be created per inside global IP address?"

Question: How can I force all PAT mappings to use source ports > 1024?

Alternatively, How can I force the ASA to ignore IPsec packets from a specific IP address and just treat them like normal NAT'd packets and forward them back to the internal device?

On linux iptables I would use something like: iptables -t nat -A POSTROUTING -o eth0 -p udp -j SNAT --to-source x.x.x.x:1024-30000

I'm looking at a multi-site deployment where each of the remote locations has an IPSec VPN back into the data centre. I'm trying to find an easy way for support staff to provide access to the remote locations, yet do so securely.

Broadly speaking: staff from group A should only have access to group A's equipment, and staff from group B should only have access to group B's equipment. It's possible for both groups to have their equipment in a single location (think group A manages servers, group B manages IP CCTV systems). Each group has their own dedicated subnet that they will be connecting from, e.g. Group A might have 10.0.0.0/24 and Group B 10.0.1.0/24.

Creating explicit rules for hundreds of machines feels overly tedious. There's got to be a better way than listing each individual machine a user can connect into. My thought was this: Within each location, dedicate a portion of it to a given group. So 10.x.x.1-15 could be Group A's equipment, and 10.x.x.x.16-31 could be Group B's, etc...

Now the iptables question part: Is it possible to have just 2 rules on the data centre side to match this, irrespective of the number of remote locations? One that matches e.g. 10.x.x.1-15 and one that matches 16-31?

If not, is there another approach that I should be looking into?

Edit: I suppose I could use ipsets, which will reduce the number of rules even though I still have the overhead of managing the sets.

Let me preface this by saying that I have a bit of a strange network.

LAN 1 router: 10.0.0.254/24, Internet via DSL on 10.0.0.254. LAN 2 router: 172.16.2.254/24, default gateway: 10.0.0.254 (LAN 2 is a private link to another location, which uses our feed for Internet)

The router at LAN 2 unfortunately NAT's all traffic from 172.16.2.0/24. I can't change this router - NAT cannot be disabled.

Assuming the only router I have control over is LAN 1 (it's a linux box): How can I log usage (destination IP+Port) against a user? I used to associate users by MAC address, but with this other router now the original MAC will be obscured - likewise the original IP is lost.

I haven't seen any evidence that 802.1X authentication works on anything but the network layer, so that also appears to be out.

The only option that appears left to me is to use a SOCKS proxy and require all clients configure themselves to use that, however that too has its pitfalls (limited client support, only handles TCP and UDP, increases CPU utilization on the router).

Is there anything I have missed? How can I approach this problem?

Is it possible to assign VLANs on Linux based on the MAC address of the client? If so, how? The vconfig man pages seem to indicate it only operates on a port-basis.

I'm trying to achieve a wireless setup where new clients are assigned to a 'unapproved' vlan which they will stay in until an administrator has approved them (or perhaps until they've registered on a local captive portal) at which point I wish to re-assign them to the 'approved' vlan.

How can I configure a MAC:VLAN ID mapping under linux, if it exists?

I've got a livebox at a site that needs to have an IPSec site-to-site vpn back into the head office. I can't figure out how to forward / bridge all ipsec (ESP, UDP 500) traffic to the vpn router that I have sitting behind the livebox LAN.

What is the correct way to pass through ipsec traffic (or all traffic if need be) from the livebox to the vpn router. The livebox can't be replaced with another device as unfortunately the site uses its voip functionality.