Re: [Users] FreeSWAN behind Cisco NAT router?

From: Ken Bantoft (ken_at_freeswan.ca)
Date: Sat Jan 11 2003 - 13:43:15 CET

• Next message: Alessandro: "[Users] Re:Vpn Server (no connection has been authorized)! (with BARF output)"
• Previous message: Ken Bantoft: "Re: [Users] Multipath routing with Freeswan, possible?"
• In reply to: David C. Churchill: "[Users] FreeSWAN behind Cisco NAT router?"
• Next in thread: David C. Churchill: "RE: [Users] FreeSWAN behind Cisco NAT router?"
• Reply: David C. Churchill: "RE: [Users] FreeSWAN behind Cisco NAT router?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 10 Jan 2003, David C. Churchill wrote:

> I was wondering if I can install a FreeSWAN gateway behind a Cisco 1604
> router with NAT enabled. If so, will I need the NAT-T patch? If I want
> Windows 2K road warrior to connect will I need the X509 patch? What about a
> gateway to gateway VPN when both Gateways are behind NAT devices? Obviously
> I'm a complete newbie to VPN, thanks for your help.
> David

You could, thought NAT is evil. You'd have to port forward udp/500 and
protocol 50 to the FreeS/WAN box. If the Cisco supports some form of
IPSec Passthru, that might make your life simpler.

Win2K road warriors using Markus's ipsec.exe can't do NAT-T. You'd need
SSH Sentinel to do that.

FreeS/WAN with both gateways behind NAT devices is tricky, but not
impossible. If both devices are the same, it's much simpler since you can
enable IP Passthru on both, or setup some port forwarding rules that match
on both sides. It'll be ugly, but there have been several reports of
success doing this with various devices. You still have to do the port
forwarding, and depending on how smart/dumb the NAT boxes are, you may or
may not need the NAT-T patches.

- --
Ken Bantoft The Unoffical FreeS/WAN Site:
ken_at_freeswan.ca http://www.freeswan.ca
                           PGP Key: finger ken_at_bantoft.org
"The obvious mathematical breakthrough would be development
of an easy way to factor large prime numbers."
                    -- Bill Gates from The Road Ahead, p265

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPiARZliWUusaxGxpAQHmdgP+OniMaIj13SSAWQVb44xsOPcCq38/Nnmw
s+0NvflenCdrjdT8KIlLbvrSLIKE72/LwEYNRIAi40pX2BkZf4DGZSspoiiqJD/+
pGyP4hBJfnl0FP8+90a9o55jwQUwsakZbzwZVqMBs6QcUOkyimlouakYi4S49OVQ
CMG449c42tM=
=o8jd
-----END PGP SIGNATURE-----

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

• Next message: Alessandro: "[Users] Re:Vpn Server (no connection has been authorized)! (with BARF output)"
• Previous message: Ken Bantoft: "Re: [Users] Multipath routing with Freeswan, possible?"
• In reply to: David C. Churchill: "[Users] FreeSWAN behind Cisco NAT router?"
• Next in thread: David C. Churchill: "RE: [Users] FreeSWAN behind Cisco NAT router?"
• Reply: David C. Churchill: "RE: [Users] FreeSWAN behind Cisco NAT router?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.5 : Sun Jan 12 2003 - 05:21:07 CET