Date: Fri, 11 Oct 2002 17:44:11 -0400 (EDT)
From: Jason Hunt <leth@primus.ca>
To: MrWebby <mrwebby@bigfoot.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPsec Tunneling (VPN) from WIN2K (client) to FreeBSD (Server)
Message-ID: <20021011172140.T59992-100000@lethargic.dyndns.org>
In-Reply-To: <3DA73754.8080103@bigfoot.com>
I have CC'd this message to the questions mailing list, for "archival" purposes, and because someone else might have more insight. My apologies if your message was intended to be private. Anyhow ...

On Fri, 11 Oct 2002, MrWebby wrote:

> This is really good stuff. Both of your assumptions were correct. I
> failed to include details. But I will include them here just in case you
> want to reply (again). For testing purposes, I have my laptop (client)
> behind the same NAT/Gateway/Firewall as the server is in. That can
> really create a problem. I was ignoring that all this time. Now, your
> comments suggest that my laptop will be behind a NAT which makes sense.
> I failed to realize that it will alter the packets. BUT since I'm trying
> to set up IPsec in tunnel mode, wouldn't it matter if the client is
> behind a firewall since tunnel mode will encrypt the whole packet and
> not the IP header?
>

I am honestly not 100% sure, but my understanding of this is as follows:

IPSec consists of two parts, Authentication Header (AH) and Encapsulating Security Payload (ESP). AH is for authenticating the identity of who the packet came from. ESP is for encrypting the packets that you are tunnelling.

The AH function is what causes IPSec servers/clients to not work properly behind NAT, since the packets will fail to authenticate. If you only use ESP (as opposed to both ESP+AH), then IPSec should work behind NAT. I think I might be wrong however. Has anyone else ever tried this?

I'll have a look at this a bit more later, since I am on my way out. You might want to look around google for "IPSec NAT", and/or around www.kame.net

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
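As an added illustration of the AH-versus-NAT point in the reply above (this is not code from the thread), here is a toy model of which bytes each integrity check covers: AH's check spans the IP header with only the mutable fields (TTL, checksum) zeroed, so a router decrementing TTL passes but a NAT rewriting the source address fails, while an ESP-style check over SPI, sequence number and payload never sees the outer header. The key, addresses and payload are constructed values, and the HMAC stands in for whatever integrity algorithm the SA would negotiate.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real SA would negotiate this via IKE.
KEY = b"constructed-demo-key"


def _addr(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left at zero for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       _addr(src), _addr(dst))


def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """AH-style ICV: IP header with mutable fields zeroed, plus the payload.
    Source and destination addresses are immutable fields, so they are covered."""
    h = bytearray(ip_hdr)
    h[8] = 0             # TTL is mutable in transit
    h[10:12] = b"\0\0"   # header checksum is recomputed by every hop
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()


def esp_icv(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP-style ICV: covers SPI, sequence number and the (encrypted) payload only."""
    return hmac.new(KEY, struct.pack("!II", spi, seq) + payload, hashlib.sha256).digest()


def router_hop(ip_hdr: bytes) -> bytes:
    """A plain router on the path: only decrements TTL."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    return bytes(h)


def nat_rewrite(ip_hdr: bytes, new_src: str) -> bytes:
    """A NAT gateway: decrements TTL and replaces the source address."""
    h = bytearray(router_hop(ip_hdr))
    h[12:16] = _addr(new_src)
    return bytes(h)


def demo() -> dict:
    payload = b"constructed inner packet"
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", proto=51)   # 51 = AH
    ah, esp = ah_icv(hdr, payload), esp_icv(0x1234, 1, payload)
    return {
        "ah_after_router": hmac.compare_digest(ah, ah_icv(router_hop(hdr), payload)),
        "ah_after_nat": hmac.compare_digest(ah, ah_icv(nat_rewrite(hdr, "198.51.100.7"), payload)),
        "esp_after_nat": hmac.compare_digest(esp, esp_icv(0x1234, 1, payload)),  # outer header never covered
    }
```

The model only covers the integrity check itself; for the NAT to forward an ESP flow at all, IPsec deployments later standardised UDP encapsulation of ESP (NAT traversal), which is a separate concern from what AH authenticates.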