L2TP/IPSec NAT issue - nat

I am a little confused.
A(L2TP/IPSec VPN server ) ---- B(router) ------ (internet) ------- C(router) ------ D(client)
Can an L2TP/IPSec VPN server (A) behind NAT serve clients (D) behind other, different NATs?
Can the IKE messages be correctly routed to the L2TP/IPSec VPN server behind NAT?
PS: I don't have any authority to change the B router's NAT configuration.
A & D can communicate with the same server, which has a public IP address.

I got the answer myself
IKEv2 mediation has a solution for this kind of problem
http://www.strongswan.org/docs/LinuxTag2008-strongSwan.pdf

Basically you have the problem of hole punching, e.g. here.
In this way, "strongSwan" p.13 above uses a Mediator Server, which prepares the routing from both endpoints (through their NAT) to the common public network and shares the public addresses/ports of the opposite endpoints. So the endpoints can send messages immediately to each other. With asymmetric NAT this won't work in general. In any case there is no need to touch NAT.

Related

Is it possible to redirect TCP connections

Given the following scenario:
Computer A connects to a public server from behind a firewall.
Computer B connects to the same public server from behind a firewall.
Now, is there any way for Computer A to talk directly to Computer B using those outbound connections without sending all data through the server?
Can the server link those connections somehow?
Two peers, talking to each other, using outbound connections instead of dealing with inbound firewall issues.
Possible, yes. Easy, no.
At least one of the firewalls needs to be updated to forward a port on the external IP to a port on the machine behind it. The other machine can then connect to that port to open a bidirectional TCP/IP connection.
To accomplish this, you can make use of UPnP on the firewall to accomplish "hole punching" or "NAT traversal".
Once the firewall port is open, you send that port number, along with the public IP address already known to the server, over the public server to the other machine. It can now create the connection.
I don't think that it can be achieved mate. Unless you have access to the public server network and create a route to direct incoming A directly to the B and vice versa.

Network Systems Help: How to route an external request, by hostname to an internal ip?

Welcome to my first question on stack overflow.
I've looked around, and I haven't found this question asked yet. However, that may be because I don't know how to ask the question that I need answered.
THE INFORMATION:
I'm a programmer who left the public sector that had a, surprisingly, well-managed IT department that had all this crap working for me. I now work for a private company that needs a bit of network systems help.
We have:
- A SQL Server
- An Application Server
- A File Server
- A Web Server
- multiple web services
- team foundation server
- share point services
- 5 desktops
all on our internal network.
We also have:
- No domain controller
- No Internal DNS / NAT / DHCP Server.
We're currently using a router for DHCP and Port Forwarding. We are getting a static IP assigned today.
THE QUESTION:
What do I need to setup in order to point our external domains / subdomains to our new static IP and have those requests routed (by the hostname used) to hit a specific server?
Current Configuration (Port Forwarding)
ourdomain.com:1234 -> router/port-forwarding -> SQL Server:1433
ourdomain.com:1235 -> router/port-forwarding -> Web Service 1:8081
ourdomain.com:1236 -> router/port-forwarding -> Web Service 2:8082
ourdomain.com:1237 -> router/port-forwarding -> Application Server:5410
What I think I want:
sql.ourdomain.com:80 -> ??? -> SQL Server:1433
svc1.ourdomain.com:80 -> ??? -> Web Service 1:80 (host: svc1.ourdomain.com)
svc2.ourdomain.com:80 -> ??? -> Web Service 2:80 (host: svc2.ourdomain.com)
app.ourdomain.com:80 -> ??? -> Application Server:5410
The (host: xxx) is where I would specify the host in the IIS website configuration.
There will be some instances where port-forwarding is necessary, but it's not ideal for every instance. I want to remember meaningful names, not arbitrary port numbers.
If what I'm asking here is completely ridiculous, well, thanks for reading. I'm just looking for some direction.
Thanks!
<edit>
12:01 am PDT 4/19/2012
Sorry, let me clarify a few things.
We only have a single static public IP address.
Assume that we can acquire / setup the necessary hardware / software to achieve this.
If what it comes down to is that we need to buy some enterprise level routing hardware, that's just what it takes. I know this has to be possible because at my last job, we had 40 or 50 domains all pointed to the same IP that routed to different servers once inside the internal network. :/ Or at least that's what happened to the best of my knowledge.
I actually called them up today and asked them, but the main dude who set it all up quit.
I'm really pushing for us to just get our crap out into the cloud, since no one wants to hire a network engineer or systems analyst, much less build a data center.
</edit>
An easy way this could work is if each subdomain resolves to a different public IP address (e.g. if your DNS was configured such that sql.ourdomain.com resolves to 1.1.1.1 and svc1.ourdomain.com resolves to 1.1.1.2).
sql.ourdomain.com IN A 1.1.1.1
svc1.ourdomain.com IN A 1.1.1.2
Your router can only make decisions based on limited information contained inside the IP packets. Commonly, routers can look at the IP or port information. In the case where your router is configured with port forwarding, the router looks at the port number and makes address translation decisions using that port.
rule: incoming port 1000, forward to 192.168.1.100:1433
rule: incoming port 1001, forward to 192.168.1.101:80
However, if the port is the same, the router needs other information to decide how to perform the translation. Most low-end routers (e.g. Cisco ASA series, Juniper SRX series) can use the IP to make this address translation decision. The downside is that you'll need to purchase multiple IP addresses from your ISP.
rule: incoming ip 1.1.1.1, forward to 192.168.1.100:1443
rule: incoming ip 1.1.1.2, forward to 192.168.1.101:80
IIS, which operates on a much higher layer on the network stack, can make this differentiation by looking at the HTTP headers. This works for multiplexing a single ip and single port to multiple websites. In this case, since SQL and your web server speak different protocols, you won't be able to leverage this.
Another technology that you may want to consider is IPsec tunneling (VPN) if your device supports IPsec passthrough. The downside is that your coworkers (who I assume are using this) need to perform additional configuration.
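The host-header multiplexing the answer above describes is what an HTTP reverse proxy (IIS host bindings, nginx, HAProxy) does on the single public IP and port. The snippet below is an added example, not code from the question or either answer: it shows the dispatch decision itself, so you can see why it works for the web services and not for SQL Server. The backend addresses and hostnames are constructed stand-ins for the asker's network.

```python
# Added example: Host-header based dispatch, the core decision of an HTTP
# reverse proxy.  Constructed routing table: public hostname -> internal
# backend (ip, port).  Only HTTP-speaking backends belong here; a TDS
# (SQL Server) stream carries no Host header, so it still needs its own
# forwarded port or a VPN, exactly as the answer says.
BACKENDS = {
    "svc1.ourdomain.com": ("192.168.1.101", 8081),
    "svc2.ourdomain.com": ("192.168.1.102", 8082),
    "app.ourdomain.com":  ("192.168.1.103", 5410),
}


def parse_request_head(raw):
    """Parse the request line and headers of one HTTP/1.x request head.
    Returns (method, target, headers) with lower-cased header names, or
    None when the bytes are not a well-formed HTTP request."""
    head = raw.partition(b"\r\n\r\n")[0]
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None                      # binary protocol or garbage: not HTTP
    if not version.startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return None                  # malformed header line
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def choose_backend(raw):
    """Pick the internal backend for an incoming request by its Host header.
    Unknown or missing hosts return None: the proxy should answer 421/404
    and never fall through to a default backend, because backends (IIS
    host bindings included) routinely trust the Host value they receive."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return None
    host = parsed[2].get("host", "").rsplit(":", 1)[0].strip().lower()  # drop :port
    return BACKENDS.get(host)


if __name__ == "__main__":
    # Constructed sample requests as they would arrive on the public IP.
    for req in (b"GET / HTTP/1.1\r\nHost: svc1.ourdomain.com\r\n\r\n",
                b"GET / HTTP/1.1\r\nHost: unknown.example\r\n\r\n",
                b"\x12\x01\x00\x2f\x00\x00\x01\x00"):   # looks like a TDS prelogin, not HTTP
        print(req[:24], "->", choose_backend(req))
```

The two things worth keeping from this when you configure a real proxy: route on an explicit allow-list of hostnames rather than a catch-all default, and accept that only the HTTP backends (svc1, svc2, and the application server if it speaks HTTP) can share port 80 this way.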

NAT translation not working from inside the network (hairpin condition)

I'm writing a P2P application. Peers regularly ping a main server to update their current IP/port, so when a peer wants to reach another one it can ask the server for that information. For now peers use UPnP to configure the NAT (for classic home setups) to be accessible from outside.
So everything works, except when a peer's client tries to reach another (or the same) peer's server and both are behind the same NAT. Since in that case the client is trying to reach its own "external" (public) IP address from behind the NAT, the NAT doesn't do the port forwarding and is unable to route the IP packet.
For now I'm thinking of two solutions:
- query the NAT with UPnP to see to which local IP the port is forwarded
- store on the main server the internal IPs of the peers
Can you think of other solutions? What strategies do mainstream P2P applications implement to solve this problem?
Since in that case the client is trying to reach its own "external" (public) IP address from behind the NAT, the NAT doesn't do the port forwarding and is unable to route the IP packet.
This is known as the hairpin condition. Not all routers/NATs solve this properly. The solutions are:
a) Check whether your router/NAT can be configured to enable 'hairpinning'. This solution works iff you control all router/NATs in your deployment.
b) Buy another router/node allowing this. Just like a), it works iff you control all router/NATs in your deployment.
c) If you can obtain the port information from UPnP, this is a solution too, but not all routers/NATs know or support UPnP. It does not cover all cases in a large deployment.
d) Using multicasting to 'discover' other nodes on the LAN and even communicate with them is a common solution to this problem. You need to agree on an IP address and have peers listen to it.
e) Storing the private IP address on the server is a solution too, but it requires more storage capacity on the server than solution d. There is a timeout (i.e., expiration of data validity) to handle too.
f) Use a TURN-like communication between peers (i.e., communication between nodes passes through a central server). This solution is rock solid, but not the most efficient in terms of bandwidth consumption.
Hope this helps.
Interactive Connectivity Establishment (ICE) was specifically developed for solving that type of NAT problem. It uses STUN and TURN to achieve the result and is used in modern p2p applications (e.g. voice chat).
The PJNATH library has a document explaining:
unlike standalone STUN solution, it (ICE) solves the hairpinning issue, since it also offers host candidates.
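To make the PJNATH remark concrete, here is an added example (not from the question or the answers above) of the candidate logic that lets ICE survive the hairpin case. Each peer advertises a host candidate (its private address) and a server-reflexive candidate (the public address a STUN-style server observed); the candidates are tried in ICE's usual type-preference order. The connectivity check is replaced by a constructed reachability model: host candidates only work between peers on the same physical LAN, and a NAT that does not hairpin drops packets from inside to its own public address. Peer names, the `lan` labels and all addresses are constructed for the example.

```python
# Added example: ICE-style candidate selection showing why host candidates
# fix the hairpin problem that STUN-only traversal cannot.
from dataclasses import dataclass

# ICE type preferences (RFC 8445 recommended values): host above srflx.
TYPE_PREFERENCE = {"host": 126, "srflx": 100}


@dataclass(frozen=True)
class Candidate:
    kind: str   # "host" (private address) or "srflx" (address a STUN-style server saw)
    ip: str
    port: int


@dataclass
class PeerNet:
    """Where a peer sits.  'lan' is a constructed label for the physical LAN,
    deliberately not the address prefix: two homes can both use 192.168.1.0/24,
    which is exactly why real ICE verifies every candidate pair with check
    packets instead of comparing addresses."""
    name: str
    lan: str
    private_ip: str
    nat_public_ip: str
    nat_hairpin: bool


def gather(peer, port):
    """Candidates a peer advertises.  The srflx port equals the private one,
    as when the mapping was created with UPnP (an assumption of this model)."""
    return [Candidate("host", peer.private_ip, port),
            Candidate("srflx", peer.nat_public_ip, port)]


def reachable(src, remote, cand):
    """Constructed stand-in for an ICE connectivity check from src to cand."""
    if cand.kind == "host":
        return src.lan == remote.lan        # private addresses only route inside one LAN
    if cand.ip == src.nat_public_ip:        # sending to our own NAT's public address...
        return src.nat_hairpin              # ...only comes back if the NAT hairpins
    return True                             # ordinary public destination


def select(local, remote, kinds=("host", "srflx"), port=6881):
    """Try the remote's candidates of the given kinds in priority order and
    return the first that passes the check, or None if none does."""
    cands = [c for c in gather(remote, port) if c.kind in kinds]
    for cand in sorted(cands, key=lambda c: TYPE_PREFERENCE[c.kind], reverse=True):
        if reachable(local, remote, cand):
            return cand
    return None


def demo():
    """The three situations from the thread: same NAT without hairpinning,
    once with STUN-only candidates and once with ICE, and two separate NATs."""
    a = PeerNet("A", "office", "192.168.1.10", "203.0.113.5", nat_hairpin=False)
    b = PeerNet("B", "office", "192.168.1.20", "203.0.113.5", nat_hairpin=False)
    c = PeerNet("C", "home", "192.168.1.20", "198.51.100.7", nat_hairpin=True)
    return {
        "same NAT, STUN only": select(a, b, kinds=("srflx",)),   # None: hairpin fails
        "same NAT, ICE": select(a, b),                            # host candidate wins
        "different NATs, ICE": select(a, c),                      # falls back to srflx
    }


if __name__ == "__main__":
    for case, cand in demo().items():
        print(f"{case}: {cand}")
```

Note the "different NATs" case: peer C has the same private address as B, so a scheme that matched on private IPs alone would misroute; the model only accepts the host candidate because the LAN label matches, which is the job a real connectivity check does on the wire.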

public address communicates to a private address over the internet problem

Now I am running a network available bandwidth project. Suppose I am testing the available bandwidth between my machine and planet1.scs.stanford.edu.
Now the problem I am faced with is that my machine is using a private address, say, 172.18.186.200, and the other end is using a public address, say 171.66.3.181. Once I ran the test, the receiver end (the remote machine) could not receive an ACK from the sender end (my local machine).
I know my publicly routed address; I guess it is about the NAT. So how do I correctly specify my local address to successfully carry out the testing project?
Thanks in advance !
The usual form of NAT (masquerading) doesn't allow inbound connections. To allow them, you would need to add another form of NAT, port redirection, which in common ADSL routers tends to be called "Port Forwarding", "Virtual Servers", or something similar. This way, you tell your ADSL router to forward connections to its port X to some internal IP on port Y.
(Some protocols use several connections, e.g. FTP, H.323, and send the information about secondary connections on the primary connection. These protocols need special support in the NAT device.)

How do I make a TCP server work behind a router (NAT) without any redirection configuration needed

The scenario is the following. I have two machines A and B:
A: Client (behind NAT)
B: Server (behind NAT)
I want B to be able to listen on any given port, so that A can send packets to B through that specific TCP port and receive any response. If both machines are not behind a NAT it is a pretty straightforward process. However, how do I make it work even when B is behind a router, without him having to change the router configuration, enable some port forwarding, etc.?
For example, how do peer-to-peer programs like torrent clients work without the user having anything to configure?
To answer the example of Peer to Peer programs, and in general: There is a technology called Universal Plug and Play which NAT routers can use to allow clients behind them to expose ports to the outside. That's what bittorrent clients can use so the other clients can directly connect to them.
An alternative to a proxy server is a match-making server. Instead of proxying all of the traffic, the match maker just negotiates until the peers can talk to each other. This involves finding the external public IPs of the peers and talking to each one so that the firewall/router knows that the peers wish to communicate.
This is called hole punching and it often has to be done by the match maker rather than the peers themselves. Once the holes are punched though, the match maker can tell the peers about each other and they can communicate directly.
You will have to either:
- Set up port forwarding from the NAT gateway in front of the server into the machine your server software is running on, and have the client connect to the IP address of that gateway.
- Create a proxy server sitting in between the 2 NAT gateways so both your server and client can connect to that. Both your server and client have to set up a connection to that proxy, which will mediate the data between those 2 connections.
Hole punching is moderately well-understood for UDP communication, but it can be reliably used to set up peer-to-peer TCP streams as well. Here is a well-detailed article on both TCP and UDP:
http://www.brynosaurus.com/pub/net/p2pnat/
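The match-maker / mediator idea runs through this whole page: the strongSwan mediation answer to the L2TP/IPSec question at the top, the "possible, yes; easy, no" answer, and the match-making answer just above. The following is an added example, not code from any of the posts or from strongSwan, PJNATH or the linked article, that simulates the exchange in-process so you can watch the observed endpoints flow through the mediator and see why it works behind cone NATs and fails once one side is symmetric (the caveat the first answerer raised). No sockets are opened. The NAT model is constructed: mappings are per inside flow, inbound packets are admitted only from remote endpoints the inside host already sent to through that public port (address-and-port-restricted filtering), and a "symmetric" NAT allocates a fresh public port per destination. The UPnP variant, where the router is told to open a port, is not modelled. All addresses, ports and peer names are made up for the example.

```python
# Added example: rendezvous (mediation) and hole punching through a toy NAT.
from dataclasses import dataclass, field

Endpoint = tuple  # (ip, port), e.g. ("203.0.113.5", 40000)


@dataclass
class Nat:
    """Constructed NAT model.  'allowed' records, per public port, the remote
    endpoints the inside host has sent to; only those may send back in."""
    public_ip: str
    symmetric: bool                              # True: fresh public port per destination
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # (private_ep, dest key) -> public port
    allowed: dict = field(default_factory=dict)   # public port -> {remote endpoints}

    def outbound(self, private_ep, dest_ep):
        """Inside host private_ep sends to dest_ep; return the public source endpoint."""
        key = (private_ep, dest_ep if self.symmetric else None)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        self.allowed.setdefault(port, set()).add(dest_ep)
        return (self.public_ip, port)

    def inbound(self, public_port, src_ep):
        """Packet from src_ep arrives at public_port; return the inside endpoint
        it is delivered to, or None if the NAT drops it."""
        if src_ep not in self.allowed.get(public_port, set()):
            return None
        for (private_ep, _), port in self.mappings.items():
            if port == public_port:
                return private_ep
        return None


class Mediator:
    """Public rendezvous server: remembers the public endpoint each peer's NAT
    presented to it and hands that to the other peer.  No payload transits it,
    which is the bandwidth advantage over a TURN-style relay."""
    def __init__(self, ep):
        self.ep = ep
        self.seen = {}

    def register(self, name, public_ep):
        self.seen[name] = public_ep

    def lookup(self, name):
        return self.seen.get(name)


@dataclass
class Peer:
    name: str
    private_ep: Endpoint
    nat: Nat

    def register(self, mediator):
        # The registration packet crosses our NAT; the mediator records the
        # source endpoint it observes, i.e. the mapped public endpoint.
        mediator.register(self.name, self.nat.outbound(self.private_ep, mediator.ep))


def hole_punch(a, b, mediator):
    """Both peers register, learn each other's observed endpoint and each sends
    one 'punch' packet to it.  Returns True only if, once both punches have
    been sent, a packet in each direction is delivered to the inside host."""
    a.register(mediator)
    b.register(mediator)
    a_target, b_target = mediator.lookup(b.name), mediator.lookup(a.name)
    a_src = a.nat.outbound(a.private_ep, a_target)   # a's punch opens a's NAT for b
    b_src = b.nat.outbound(b.private_ep, b_target)   # b's punch opens b's NAT for a
    a_to_b = b.nat.inbound(a_target[1], a_src) == b.private_ep
    b_to_a = a.nat.inbound(b_target[1], b_src) == a.private_ep
    return a_to_b and b_to_a


def demo():
    """The two cases discussed on this page: both peers behind cone NATs, and
    one peer behind a symmetric NAT (its punch leaves from a port the other
    side never learned about, so the reply is dropped)."""
    med = Mediator(("198.51.100.10", 3478))
    cone_cone = hole_punch(
        Peer("A", ("10.0.0.2", 1701), Nat("203.0.113.5", symmetric=False)),
        Peer("D", ("192.168.1.2", 1701), Nat("203.0.113.9", symmetric=False)), med)
    sym_cone = hole_punch(
        Peer("A", ("10.0.0.2", 1701), Nat("203.0.113.5", symmetric=True)),
        Peer("D", ("192.168.1.2", 1701), Nat("203.0.113.9", symmetric=False)), med)
    return {"cone-cone": cone_cone, "symmetric-cone": sym_cone}


if __name__ == "__main__":
    print(demo())
```

The model makes two practical points visible. First, nothing on either router is reconfigured: the only inbound packets admitted are replies to flows the inside hosts themselves started, so the B router in the original question is left alone. Second, the symmetric case fails deterministically, which is why real deployments keep a relay (TURN) as the fallback rather than hoping the punch lands.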
