[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Is NAT traversal with OpenBSD IPsec possible?
Thanks a lot for your input!
I'm not particularly tied to OpenBSD. In fact I have tried to find a
solution based on linux+FreeS/WAN, but have had some trouble making it work.
So I wanted to see if OpenBSD had something to offer.
I guess the NAT traversal patch to FreeS/WAN is the most promising avenue
right now (with commercial IPsec software for the clients), though I'm not
too happy to read that NAT-T won't support FTP and LDAP
(http://rr.sans.org/encryption/NAT2.php), and the NAT-T patch for FreeS/WAN
seems a little immature.
From: Stephen J Bevan [mailto:email@example.com]
Sent: 21. juni 2002 18:25
To: Henning Riis Rasmussen
Subject: Is NAT traversal with OpenBSD IPsec possible?
Henning Riis Rasmussen writes:
> I'm currently researching the use of OpenBSD as an IPsec gateway.
> Is it possible to make the following work:
> Client with IPsec software --->
> (static IP) NAT (dynamic IP) --->
> (static IP) OpenBSD (LAN) ??
> The client needs to access the LAN on the other side of the OpenBSD
> through an IPsec tunnel using the built-in support for IPsec in OpenBSD:
> The client could be anything from Win98 to WinXP.
> The NAT will typically be some sort of source Port and source IP
> translation done by DSL routers (Cisco or some other).
> Can the OpenBSD IPsec implementation handle this kind of NAT'ing?
Not that I'm aware of, however ...
* If there is only one client behind the NAT then some NAT boxes will
route the IPsec packets back correctly.
* If the NAT box and it supports some sort of IPsec tracking
(e.g. Linux+iptables and OpenBSD+pf do for example) then that will
work too and if the SPI values are unique you can even have multiple
IPsec clients behind the same NAT box.
* If you are not tied to using OpenBSD to protect the LAN and your
your client IPsec machines support NAT traversal then you could
use a Linux running FreeS/WAN with the NAT traversal patch to
protect your LAN.
* If you prefer to stick with OpenBSD but don't mind buying a
commercial solution then there are vendors who can provide an
OpenBSD based firewall/router/IPsec-gateway that you can load onto a
PC of your choice along with Windows clients, all of which can cope
with machines behind NAT/PAT.