Re: Is NAT traversal with OpenBSD IPsec possible?
Hi Stephen,
Thanks a lot for your input!
I'm not particularly tied to OpenBSD. In fact I have tried to find a
solution based on Linux+FreeS/WAN, but have had some trouble making it work.
So I wanted to see if OpenBSD had something to offer.
I guess the NAT traversal patch to FreeS/WAN is the most promising avenue
right now (with commercial IPsec software for the clients), though I'm not
too happy to read that NAT-T won't support FTP and LDAP
(http://rr.sans.org/encryption/NAT2.php), and the NAT-T patch for FreeS/WAN
seems a little immature.
Regards,
Henning
-----Original Message-----
From: Stephen J Bevan [mailto:stephen@etunnels.com]
Sent: 21 June 2002 18:25
To: Henning Riis Rasmussen
Subject: Is NAT traversal with OpenBSD IPsec possible?
Henning Riis Rasmussen writes:
> I'm currently researching the use of OpenBSD as an IPsec gateway.
>
> Is it possible to make the following work:
>
> Client with IPsec software --->
> (static IP) NAT (dynamic IP) --->
> (static IP) OpenBSD (LAN) ??
>
> The client needs to access the LAN on the other side of the OpenBSD
> through an IPsec tunnel using the built-in support for IPsec in OpenBSD:
>
> The client could be anything from Win98 to WinXP.
>
> The NAT will typically be some sort of source Port and source IP
> translation done by DSL routers (Cisco or some other).
>
> Can the OpenBSD IPsec implementation handle this kind of NAT'ing?
Not that I'm aware of, however ...
* If there is only one client behind the NAT then some NAT boxes will
route the IPsec packets back correctly.
* If the NAT box supports some sort of IPsec tracking (Linux+iptables
  and OpenBSD+pf do, for example) then that will work too, and if the
  SPI values are unique you can even have multiple IPsec clients behind
  the same NAT box.
* If you are not tied to using OpenBSD to protect the LAN and your
  client IPsec machines support NAT traversal then you could use a
  Linux box running FreeS/WAN with the NAT traversal patch to protect
  your LAN.
* If you prefer to stick with OpenBSD but don't mind buying a
commercial solution then there are vendors who can provide an
OpenBSD based firewall/router/IPsec-gateway that you can load onto a
PC of your choice along with Windows clients, all of which can cope
with machines behind NAT/PAT.
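The two points in Stephen's list that decide whether several clients behind one NAT can work (plain ESP can only be returned to the right inside host by its SPI, so the SPIs must be unique; NAT-T wraps ESP in UDP so the translated port does that job instead) are easier to see with packets in hand. The following is an added example written for this page, not code from either poster or from OpenBSD, FreeS/WAN or any NAT vendor. It models a toy NAT/PAT box: the `NatBox` class, its `learn_esp` registration step, the host addresses, the SPI values and the port numbers are all assumptions chosen for illustration, and every packet is a constructed byte string, not a capture. The UDP framing follows RFC 3948 (ESP after the UDP header on port 4500; four zero bytes where the SPI would be marks an IKE packet).

```python
"""Added example (not from the thread): why a NAT box needs per-client SPIs for
plain ESP, and why UDP encapsulation (NAT-T, RFC 3948) removes that constraint.
All packets are constructed byte strings; hosts, SPIs and ports are assumptions."""
import struct

NATT_PORT = 4500                        # UDP port used by NAT-T for IKE and ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # SPI 0 is reserved, so 4 zero bytes mean "IKE"


def build_esp(spi, seq, payload=b"\x00" * 8):
    """Minimal ESP header (RFC 4303): SPI(4) | sequence(4) | opaque payload."""
    return struct.pack("!II", spi, seq) + payload


def parse_esp(pkt):
    """Return (spi, seq); ESP carries no port numbers, only these fields are visible."""
    if len(pkt) < 8:
        raise ValueError("short ESP packet")
    return struct.unpack("!II", pkt[:8])


def build_udp(sport, dport, body):
    """UDP header (checksum left zero, i.e. unused) followed by the body."""
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def parse_udp(pkt):
    sport, dport, length, _ = struct.unpack("!HHHH", pkt[:8])
    return sport, dport, pkt[8:length]


def classify_natt(body):
    """What follows the UDP header on port 4500: IKE (non-ESP marker) or ESP."""
    if body[:4] == NON_ESP_MARKER:
        return "ike", None
    spi, _ = parse_esp(body)
    return "esp", spi


class NatBox:
    """Toy PAT box (assumption). Plain ESP (IP proto 50) has no ports, so replies
    can only be keyed on the inbound SPI; UDP flows get a per-client port mapping."""

    def __init__(self, first_port=40000):
        self.spi_table = {}     # inbound SPI -> inside host
        self.port_table = {}    # public port -> (inside host, inside port)
        self.next_port = first_port

    def learn_esp(self, inside_host, inbound_spi):
        """Register the SPI the remote gateway will send toward inside_host.
        Assumption: a real box infers this by pairing the first inbound ESP with
        the preceding outbound one; here it is explicit. False on collision."""
        owner = self.spi_table.get(inbound_spi)
        if owner is not None and owner != inside_host:
            return False
        self.spi_table[inbound_spi] = inside_host
        return True

    def inbound_esp(self, pkt):
        """Inside host a plain ESP packet is delivered to, or None (dropped)."""
        spi, _ = parse_esp(pkt)
        return self.spi_table.get(spi)

    def outbound_udp(self, inside_host, pkt):
        """Rewrite the source port on the way out and return the public packet."""
        sport, dport, body = parse_udp(pkt)
        public = self.next_port
        self.next_port += 1
        self.port_table[public] = (inside_host, sport)
        return build_udp(public, dport, body)

    def inbound_udp(self, pkt):
        """Map a reply back by its public destination port: (host, packet) or None."""
        sport, dport, body = parse_udp(pkt)
        if dport not in self.port_table:
            return None
        inside_host, inside_port = self.port_table[dport]
        return inside_host, build_udp(sport, inside_port, body)


def demo():
    nat = NatBox()
    # Plain ESP: two clients whose gateway happened to hand both the same SPI.
    first_ok = nat.learn_esp("10.0.0.2", 0x1000)
    second_ok = nat.learn_esp("10.0.0.3", 0x1000)        # False: indistinguishable
    esp_target = nat.inbound_esp(build_esp(0x1000, 7))     # only 10.0.0.2 is reachable
    unknown = nat.inbound_esp(build_esp(0x2000, 1))        # unmapped SPI is dropped

    # NAT-T: the same SPI on both clients is harmless, public ports disambiguate.
    out_a = nat.outbound_udp("10.0.0.2", build_udp(NATT_PORT, NATT_PORT, build_esp(0x1000, 1)))
    out_b = nat.outbound_udp("10.0.0.3", build_udp(NATT_PORT, NATT_PORT, build_esp(0x1000, 1)))
    pub_a, pub_b = parse_udp(out_a)[0], parse_udp(out_b)[0]
    # The gateway answers each public port from its own port 4500.
    reply_a = nat.inbound_udp(build_udp(NATT_PORT, pub_a, build_esp(0x1000, 2)))
    reply_b = nat.inbound_udp(build_udp(NATT_PORT, pub_b, build_esp(0x1000, 2)))
    ike_kind, _ = classify_natt(NON_ESP_MARKER + b"\x01" * 28)   # constructed IKE body
    return {
        "esp_collision": (first_ok, second_ok),
        "esp_target": esp_target,
        "esp_unknown": unknown,
        "natt_ports": (pub_a, pub_b),
        "natt_hosts": (reply_a[0], reply_b[0]),
        "natt_kinds": (classify_natt(parse_udp(reply_a[1])[2])[0], ike_kind),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The ESP half shows the constraint behind "if the SPI values are unique": once two inside hosts share an inbound SPI the box can deliver to only one of them, and an SPI it has never learned goes nowhere. The NAT-T half shows why the FTP/LDAP caveat Henning mentions is a separate matter from reachability: with UDP encapsulation the PAT logic is the ordinary port one, and the SPI no longer has to be unique per client.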