Date: Wed, 16 Apr 2003 16:23:22 -0400 From: Brian Skrab <brian@quynh-and-brian.org> To: Gavin Grabias <gaving@enter.net> Cc: freebsd-questions@freebsd.org Subject: Re: IPSEC Message-ID: <200304161623.22773.brian@quynh-and-brian.org> In-Reply-To: <20030416095442.R55724@grabes2.enter.net> References: <20030416095442.R55724@grabes2.enter.net>
next in thread | previous in thread | raw e-mail | index | archive | help
It is my understanding that "standard" IPSec (tunnel mode or otherwise) will
not survive a NAT traversal due to the packet header being re-written during
the translation. If your router supports IPSec, you may be able to create an
IPSec tunnel between the external address of your router and Server A,
assuming that the IPSec implementations on Router and Server A play nicely
with one another.
If you're concerned about traffic between Computer A and your Router, you can
configure an IPSec tunnel between them as well.
[IPSec Tunnel] [ IPSec Tunnel ]
Computer A ============ (Router) ======= (INTERNET) ======= Server A
This setup assumes that your router is trustworthy, as traffic to/from
Computer A will not be protected during NAT'ing. This setup can be
especially useful if Computer A lives on a wireless LAN.
If your IPSec tunnel _must_ traverse a NAT, you may want to look into an IEEE
draft that proposes the encapsulation of IPSec ESP traffic within a standard
UDP packet, which is transmitted to, and routed through an intelligent IKE
daemon. There is a patch to the Linux FreeS/WAN VPN
(http://www.freeswan.org/) implementation that is reported to support the
scenario that you describe. I have not done any reasearch into such a patch
for FreeBSD as the scenario above has always suited my needs. In addition to
the FreeS/WAN documentation, this article gives a good overview of a proposed
IPSec->NAT traversal solution, though it does not mention any specific
implementations:
http://www.isp-planet.com/technology/2001/ipsec_nat.html
Hope this helps.
~brian
On Wednesday 16 April 2003 10:00 am, Gavin Grabias wrote:
> Hi,
> I have a question regarding an IPSEC configuration. I am not really sure
> how this would work, it almost seems in between tunnel, and transport
> mode.
>
> Network:
>
> Computer A -------------- (Router) -----------( INTERNET ) ------ Server A
> (192.168.0.2) (192.168.0.1) (216.193.1.1) (6.6.6.6)
>
> What I want to do is use IPSEC between Computer A and Server A. I am just
> confused about how it would work given that I don't have 2 distinct LANs
> that I am trying to interconnect. I doubt transport mode would work given
> the NAT taking place. Can anyone give me any pointers? Every example I
> see doesn't seem to attempt this.
>
>
> Thanks
> Gavin
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200304161623.22773.brian>