8.5. Possible Issues

Below are some possible issues that you may face when building IPSec connections.

8.5.1. What if your SmallWall is not the main Internet Firewall?

In some cases another firewall or router that filters traffic by IP protocol (protocol ACLs) sits in front of your SmallWall. If so, you need to allow and forward ESP (IP protocol 50) or AH (IP protocol 51), whichever you chose, to the SmallWall. (NOTE: if that device performs NAT, AH is not an option. AH's integrity check covers the IP source and destination addresses, so a NAT rewrite of the source address makes every packet fail verification at the other end.)

NAT Traversal (NAT-T) is supported. It encapsulates ESP packets in UDP datagrams on port 4500. Allowing and redirecting UDP 500 (IKE, used for the phase 1 negotiation) and UDP 4500 (NAT-T: IKE once a NAT has been detected, plus the UDP-encapsulated ESP data packets of phase 2) to the SmallWall lets it operate behind another firewall.
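As an added example (not part of the SmallWall documentation or code), the Python below demonstrates the two facts behind the paragraphs above: AH's integrity check covers the IP source address, so a NAT rewrite by the upstream router breaks it while a plain router's TTL decrement does not, and how a receiver tells the three kinds of traffic that arrive on UDP/4500 apart (NAT keepalive, IKE behind the non-ESP marker, UDP-encapsulated ESP, per RFC 3948). The key, addresses and payloads are constructed for the example; the AH construction follows RFC 4302 for an IPv4 header without options and uses HMAC-SHA1-96.

```python
import hmac
import hashlib
import struct
import ipaddress

AH_PROTO = 51          # IP protocol number of AH (ESP is 50)
ICV_LEN = 12           # HMAC-SHA1-96: the ICV is the first 96 bits of the HMAC
AH_KEY = b"constructed-demo-key-not-a-real-sa"  # constructed for the example, not a real SA key

def ipv4_header(src, dst, proto, total_len, ttl=64, ident=0x1234):
    """20-byte IPv4 header without options. The checksum is left zero: AH treats it as mutable anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ah_integrity_input(ip_hdr):
    """RFC 4302: zero the mutable IPv4 fields (TOS, flags/fragment offset, TTL, checksum) before hashing.
    Source and destination addresses are NOT mutable, so they are covered by the ICV."""
    ver_ihl, _tos, tlen, ident, _flags, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_hdr)
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, tlen, ident, 0, 0, proto, 0, src, dst)

def ah_icv(key, ip_hdr, ah_fixed, payload):
    """ICV over the immutable IP header, the 12-byte AH header, a zeroed ICV field and the payload."""
    data = ah_integrity_input(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key, src, dst, payload, next_header=17, spi=0x1000, seq=1):
    """Transport-mode AH packet: IPv4 header | AH header | ICV | payload (next_header 17 = UDP)."""
    ah_len = 12 + ICV_LEN
    payload_len = ah_len // 4 - 2                  # AH "Payload Len" is in 32-bit words minus 2
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload))
    ah_fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload

def verify_ah_packet(key, pkt):
    """What the receiving peer does: recompute the ICV and compare it in constant time."""
    ip_hdr, ah_fixed = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(ah_icv(key, ip_hdr, ah_fixed, payload), icv)

def router_forward(pkt):
    """A plain router only decrements TTL (byte 8), a mutable field: AH still verifies."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]

def nat_forward(pkt, public_src):
    """A NAT device also rewrites the source address (bytes 12-15): the ICV no longer matches."""
    return router_forward(pkt[:12] + ipaddress.IPv4Address(public_src).packed + pkt[16:])

def classify_udp4500(payload):
    """RFC 3948 demultiplexing of a UDP/4500 payload: a single 0xFF byte is a NAT keepalive, a
    4-byte zero 'non-ESP marker' precedes an IKE header, anything else starts with a non-zero ESP SPI."""
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    return "esp"

if __name__ == "__main__":
    # Constructed scenario: SmallWall at 192.168.1.1 behind a NAT router with public address
    # 198.51.100.7, talking to a peer at 203.0.113.5.
    pkt = build_ah_packet(AH_KEY, "192.168.1.1", "203.0.113.5", b"constructed payload")
    print("direct:     ", verify_ah_packet(AH_KEY, pkt))                                # True
    print("via router: ", verify_ah_packet(AH_KEY, router_forward(pkt)))                # True
    print("via NAT:    ", verify_ah_packet(AH_KEY, nat_forward(pkt, "198.51.100.7")))   # False
    for sample in (b"\xff", b"\x00\x00\x00\x00" + b"\x00" * 28, b"\x00\x00\x10\x00\x00\x00\x00\x01" + b"x" * 16):
        print("UDP/4500 payload ->", classify_udp4500(sample))
```

The contrast between `router_forward` and `nat_forward` is the whole point of the NOTE above: a filtering router in front of the SmallWall is fine for AH, a NAT router is not. ESP does not include the outer IP header in its integrity check, which is why ESP (and, through NAT-T, UDP-encapsulated ESP) survives address rewriting.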

Figure 8.1. Example: SmallWall behind a router

8.5.2. Additional Questions

Below are some more issues that you may face when building IPSec connections.

8.5.2.1. What if I have a Dynamic DNS name?
8.5.2.2. What happens when I change my IPSec configuration?
8.5.2.3. Can a single IPsec tunnel support non-contiguous subnets?
8.5.2.4. Can I use NAT on a subnet that is on the other side of an IPsec connection?
8.5.2.5. Can fragmented packets pass through an IPsec connection?
8.5.2.6. What happens when an IPsec connection is restarted with a new IP address?
8.5.2.7. When are IPsec connections opened?
8.5.2.8. Can I use the Cisco IPsec client to connect to SmallWall?
8.5.2.9. Can I route any traffic over my IPsec connection?
8.5.2.10. Can I forward IP broadcasts over an IPsec VPN?

8.5.2.1. What if I have a Dynamic DNS name?

Some users have an IP address that changes regularly. The changing address can be on either the SmallWall device or the remote IPsec VPN peer: a dialup account, a DSL modem, or simply moving a laptop from one wireless hotspot to another can all change the IP address. While a changing address does not affect normal Internet use, it breaks IPsec tunnels that are configured with a fixed IP address (or a DNS name that is not kept up to date) for that end.

A dynamic DNS name lets you keep the same host name while the address changes, and it can be used with SmallWall, which accepts domain names on both sides of a tunnel. The tunnel still drops when the address actually changes; it comes back once the new address is in DNS and the connection is re-established (see 8.5.2.6 and 8.5.2.7).

8.5.2.2. What happens when I change my IPsec configuration?

Any change to your IPsec configuration closes all IPsec tunnels when the change is applied, not only the tunnel you edited. Tunnels are then rebuilt on demand as described in 8.5.2.7, so expect a brief interruption for every tunnel whenever you apply a change.

8.5.2.3. Can a single IPsec tunnel support non-contiguous subnets?

Not at this time. Each tunnel is defined by one local network and one remote network, so the only way to achieve this is to configure a separate IPsec connection for each pair of subnets.

8.5.2.4. Can I use NAT on a subnet that is on the other side of an IPsec connection?

Not at this time. This would be useful when two or more networks use the same subnet and need to communicate with each other over an IPsec connection, since the overlapping addresses would have to be translated before entering the tunnel.

8.5.2.5. Can fragmented packets pass through an IPsec connection?

By default, fragmented packets are not encrypted. This default can be changed under System > Advanced > Miscellaneous by checking the "Allow fragmented IPsec packets" box. When activated, SmallWall allows fragmented IP packets that are encapsulated in IPsec ESP packets.

8.5.2.6. What happens when an IPsec connection is restarted with a new IP address?

By default, if several Security Associations (SAs) match, the newest one is preferred, provided it is at least 30 seconds old. This default can be changed under System > Advanced > Miscellaneous by checking the "Prefer old IPsec SAs" box. When activated, this option always prefers the old SA over a new one.

8.5.2.7. When are IPsec connections opened?

Connections are built on demand: when traffic tries to reach a network or IP address that is configured as the remote side of an IPsec connection, SmallWall attempts to build that connection.

8.5.2.8. Can I use the Cisco IPsec client to connect to SmallWall?

It won't work. The Cisco client is not the kind of IPsec client SmallWall requires. However, some users have reported success when using the NAT-T feature (i.e. encapsulating the encrypted traffic in UDP packets).

8.5.2.9. Can I route any traffic over my IPsec connection?

Part of the IPsec configuration identifies the local and remote networks. IP addresses outside those networks are not authorized to travel through the IPsec connection. This means that if you have additional routed networks connected to your LAN, their traffic cannot traverse the IPsec connection, because it does not originate from the LAN network itself.

If you have an additional network or subnet whose traffic you want to carry over IPsec, you can either create additional tunnels for it or put a NAT device between the LAN network and the other subnets, so that traffic from the additional network appears to come from the authorized network.
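As an added example (not SmallWall's own code), the Python below models the selector check described above and in 8.5.2.3: a tunnel is defined by one local and one remote network, and a flow enters the tunnel only if its source lies in the local network and its destination in the remote one. The tunnel list, addresses and the NAT address 192.168.1.254 are constructed for the example; `check_flows` is a small pre-deployment check for the flows you expect to carry, which the page itself does not include.

```python
import ipaddress

# Constructed example: two tunnels to the same peer, one per remote subnet
# (8.5.2.3: non-contiguous remote subnets need one connection each).
TUNNELS = [
    ("192.168.1.0/24", "10.0.0.0/24"),
    ("192.168.1.0/24", "10.0.2.0/24"),
]

def load_tunnels(pairs):
    """Turn (local, remote) network strings into network objects; a bad entry raises at load time."""
    return [(ipaddress.ip_network(local), ipaddress.ip_network(remote)) for local, remote in pairs]

def match_tunnel(tunnels, src, dst):
    """Return the index of the first tunnel whose local/remote selectors cover src -> dst, or None.
    A flow that matches nothing never enters IPsec and follows ordinary routing instead."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for i, (local, remote) in enumerate(tunnels):
        if s in local and d in remote:
            return i
    return None

def source_nat(tunnels, src, nat_addr):
    """The workaround from 8.5.2.9: if src is outside every local selector, a NAT device in front of
    the LAN rewrites it to an address inside the authorized network. Returns the source the tunnel sees."""
    s = ipaddress.ip_address(src)
    if any(s in local for local, _ in tunnels):
        return str(s)
    return nat_addr

def check_flows(tunnels, flows):
    """Pre-deployment check: return the (src, dst) flows that no tunnel would carry."""
    return [(src, dst) for src, dst in flows if match_tunnel(tunnels, src, dst) is None]

if __name__ == "__main__":
    t = load_tunnels(TUNNELS)
    flows = [
        ("192.168.1.10", "10.0.0.5"),   # LAN -> first remote subnet: tunnel 0
        ("192.168.1.10", "10.0.2.5"),   # LAN -> second remote subnet: tunnel 1
        ("192.168.1.10", "10.0.1.5"),   # gap between the two remote subnets: no tunnel
        ("172.16.5.4", "10.0.0.5"),     # routed subnet behind the LAN: not in any local selector
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: tunnel {match_tunnel(t, src, dst)}")
    print("flows no tunnel carries:", check_flows(t, flows))
    # After source NAT to a LAN address, the routed-subnet flow is accepted by tunnel 0.
    natted = source_nat(t, "172.16.5.4", "192.168.1.254")
    print(f"172.16.5.4 NATed to {natted} -> tunnel {match_tunnel(t, natted, '10.0.0.5')}")
```

Traffic that `check_flows` reports falls back to ordinary routing on the SmallWall, so also review the firewall rules that apply to it rather than assuming it is simply dropped.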

8.5.2.10. Can I forward IP broadcasts over an IPsec VPN?

Not with IPsec. Broadcasts do not cross broadcast domains, and with a VPN link each network is its own broadcast domain. Normally you do not want to join broadcast domains anyway, because most networks generate more broadcast traffic than you want to push over a VPN connection.