[Users] Re: IPSec (FreeSWAN)  gateway behind a NAT box.

From: Ewan_at_searchspace.com
Date: Wed Oct 09 2002 - 12:26:56 CEST


Hi.

Ihsan Turkmen writes:
> As far as I know, because of the nature of ESP packets, it is difficult,
> maybe impossible as well, to place an IPSec gateway behind a NAT device.

Technically this isn't quite true. As long as the NAT router will
forward the ESP packets, an IPSec connection will run quite happily
through NAT. What's more of a problem is the UDP packets used by IKE -
they are expected to have 500 as both the source and destination ports.
Most NAT gateways are really NAPT gateways which will often change the
source port on IKE packets, causing some IPSec implementations -
including Freeswan - to reject them. I hit that problem when I tried to
run a connection like this:

PGPNet --- NAPT --- Internet --- Freeswan
           Router                Gateway

Putting the IPSec gateway behind a NAPT device turned out to be the
solution to the problem, rather than the cause of it!

PGPNet --- NAPT --- Internet --- Linux NAPT --- Freeswan
           Router                Router         Gateway

As well as translating the IP addresses, the linux NAPT box also
translates the source port on incoming IKE packets back to 500 to keep
Freeswan happy.

There are a few limitations though: this setup doesn't support AH, can't
support more than one PGPnet system behind the same NAPT gateway and all
connections must be initiated from the PGPnet end, though for my
circumstances none of these limitations was a problem.

On the whole, I'd advise using NAT Traversal or tunneling if possible.
But if it's not possible, something like the above may be a possible
workaround.

Rgds
Ewan Bhamrah Harley

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
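An illustration of the "Linux NAPT" box in the second diagram, added here as an example and not the poster's own configuration: iptables rules that DNAT inbound IKE and ESP to the FreeS/WAN gateway and pin the IKE source port back to 500 on the LAN side, which is what makes the gateway accept IKE from a NAPT'd peer. Interface names and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's configuration. Interfaces and
# addresses are constructed placeholders; override them via environment.
WAN_IF="${WAN_IF:-eth0}"                 # faces the Internet
LAN_IF="${LAN_IF:-eth1}"                 # faces the FreeS/WAN gateway
LAN_IP="${LAN_IP:-192.0.2.1}"            # this box's LAN-side address
GATEWAY_IP="${GATEWAY_IP:-192.0.2.2}"    # the FreeS/WAN gateway

# Print the rule set instead of applying it, so it can be reviewed first.
ike_napt_rules() {
  cat <<EOF
# Inbound IKE (UDP/500) arrives with whatever source port the peer's NAPT
# router chose; hand it to the gateway ...
iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport 500 -j DNAT --to-destination $GATEWAY_IP:500
# ... and rewrite the source to this box's LAN address with port 500, so
# the gateway sees 500<->500 as it expects. Conntrack reverses both
# translations on the replies.
iptables -t nat -A POSTROUTING -o $LAN_IF -d $GATEWAY_IP -p udp --dport 500 -j SNAT --to-source $LAN_IP:500
# ESP (IP protocol 50) has no ports; an address translation is enough.
iptables -t nat -A PREROUTING -i $WAN_IF -p esp -j DNAT --to-destination $GATEWAY_IP
# Forward only IKE and ESP inbound, plus reply traffic outbound. AH is not
# forwarded: it authenticates the IP header that this box rewrites.
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $GATEWAY_IP -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $GATEWAY_IP -p esp -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Count the rules that pin the translated source port to 500. There is
# exactly one, and that fixed port is why only one remote PGPnet peer can
# be served at a time and why the peer must always be the initiator.
pinned_port_rules() {
  ike_napt_rules | grep -c -- '--to-source [0-9.]*:500'
}

# Apply only when explicitly asked and iptables is available.
if [ "${1:-}" = "--apply" ] && command -v iptables >/dev/null 2>&1; then
  ike_napt_rules | sh
fi
```

Run without arguments to print the rules for review; pass --apply on the NAPT box itself to load them.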



This archive was generated by hypermail 2.1.5 : Thu Oct 10 2002 - 05:20:24 CEST