Date: Wed, 16 Apr 2003 16:23:22 -0400
From: Brian Skrab <brian@quynh-and-brian.org>
To: Gavin Grabias <gaving@enter.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPSEC
Message-ID: <200304161623.22773.brian@quynh-and-brian.org>
In-Reply-To: <20030416095442.R55724@grabes2.enter.net>
References: <20030416095442.R55724@grabes2.enter.net>
It is my understanding that "standard" IPSec (tunnel mode or otherwise) will not survive a NAT traversal due to the packet header being re-written during the translation.

If your router supports IPSec, you may be able to create an IPSec tunnel between the external address of your router and Server A, assuming that the IPSec implementations on Router and Server A play nicely with one another. If you're concerned about traffic between Computer A and your Router, you can configure an IPSec tunnel between them as well.

             [IPSec Tunnel]           [        IPSec Tunnel         ]
    Computer A ============ (Router) ======= (INTERNET) ======= Server A

This setup assumes that your router is trustworthy, as traffic to/from Computer A will not be protected during NAT'ing. This setup can be especially useful if Computer A lives on a wireless LAN.

If your IPSec tunnel _must_ traverse a NAT, you may want to look into an IEEE draft that proposes the encapsulation of IPSec ESP traffic within a standard UDP packet, which is transmitted to, and routed through, an intelligent IKE daemon. There is a patch to the Linux FreeS/WAN VPN (http://www.freeswan.org/) implementation that is reported to support the scenario that you describe. I have not done any research into such a patch for FreeBSD, as the scenario above has always suited my needs.

In addition to the FreeS/WAN documentation, this article gives a good overview of a proposed IPSec->NAT traversal solution, though it does not mention any specific implementations:

http://www.isp-planet.com/technology/2001/ipsec_nat.html

Hope this helps.

~brian

On Wednesday 16 April 2003 10:00 am, Gavin Grabias wrote:
> Hi,
> I have a question regarding an IPSEC configuration. I am not really sure
> how this would work, it almost seems in between tunnel and transport
> mode.
>
> Network:
>
> Computer A -------------- (Router) -----------( INTERNET ) ------ Server A
> (192.168.0.2)           (192.168.0.1)         (216.193.1.1)       (6.6.6.6)
>
> What I want to do is use IPSEC between Computer A and Server A. I am just
> confused about how it would work given that I don't have 2 distinct LANs
> that I am trying to interconnect. I doubt transport mode would work given
> the NAT taking place. Can anyone give me any pointers? Every example I
> see doesn't seem to attempt this.
>
>
> Thanks
> Gavin
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
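The following Python script is an added illustration of the two points made in the reply above; it is not code from the thread, from FreeBSD or from FreeS/WAN. It models, with deliberately simplified packet formats, why an integrity check that covers the IP header (as AH's does) fails once a NAT rewrites the source address, and why wrapping ESP in a UDP datagram (the scheme the reply describes, later published as RFC 3948 on UDP port 4500) survives the same rewrite: the NAT touches only the outer IP and UDP headers, which the ESP integrity check does not cover. The addresses are the ones from Gavin's diagram; the key, the inner packet bytes, the SPI and the NAT's chosen source port are constructed values, and `ah_icv` is a simplification of real AH that covers only the addresses rather than the full set of immutable header fields.

```python
import hmac
import hashlib
import struct

NAT_T_PORT = 4500   # UDP port used for UDP-encapsulated ESP and IKE (RFC 3948)
ICV_LEN = 16        # HMAC-SHA-256-128 truncation length (RFC 4868)


def ip4(dotted):
    """Dotted-quad string -> 4 network-order bytes."""
    return bytes(int(octet) for octet in dotted.split("."))


# ---- 1. Why "standard" IPsec does not survive a NAT ------------------------

def ah_icv(src, dst, key, payload):
    """Simplified AH-style ICV: MAC over the (immutable) addresses plus the
    payload. Real AH covers more header fields and zeroes mutable ones; this
    is a constructed simplification for illustration."""
    covered = struct.pack("!4s4s", ip4(src), ip4(dst)) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_verify(src, dst, key, payload, icv):
    return hmac.compare_digest(ah_icv(src, dst, key, payload), icv)


# ---- 2. UDP-encapsulated ESP ------------------------------------------------

def build_udp_esp(spi, seq, ciphertext, key):
    """UDP header (4500 -> 4500, checksum transmitted as zero as RFC 3948
    recommends) followed by ESP: SPI, sequence number, encrypted payload, ICV.
    The ICV covers only the ESP bytes, never the outer UDP/IP headers."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    esp += hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0)
    return udp + esp


def classify_nat_t(udp_payload):
    """Receiver-side demultiplexing of a datagram arriving on UDP/4500
    (RFC 3948 section 2): a one-byte 0xFF keepalive, IKE behind a four
    zero-byte non-ESP marker, or ESP (whose SPI is never zero on the wire)."""
    if udp_payload == b"\xff":
        return "nat-keepalive"
    if len(udp_payload) < 4:
        return "invalid"
    if udp_payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    return "esp"


def verify_udp_esp(datagram, key):
    """True if the datagram carries ESP whose ICV checks out."""
    udp_payload = datagram[8:]
    if classify_nat_t(udp_payload) != "esp" or len(udp_payload) < 8 + ICV_LEN:
        return False
    body, icv = udp_payload[:-ICV_LEN], udp_payload[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


# ---- The router's NAPT, as the packet sees it ------------------------------

def napt_outbound(pkt, public_ip, new_sport):
    """Model the router: rewrite the source address and the UDP source port,
    leave everything after the UDP header untouched. pkt = (src, dst, bytes)."""
    src, dst, datagram = pkt
    udp = bytearray(datagram[:8])
    struct.pack_into("!H", udp, 0, new_sport)
    return (public_ip, dst, bytes(udp) + datagram[8:])


def demo():
    """Constructed scenario: Computer A (192.168.0.2) sends to Server A
    (6.6.6.6) through a router whose public address is 216.193.1.1."""
    key = b"constructed-demo-key"
    inner = b"\x45\x00" + b"\x00" * 18      # stand-in for an encrypted inner packet

    # AH-style ICV computed by Computer A; the router then rewrites the source.
    icv = ah_icv("192.168.0.2", "6.6.6.6", key, inner)
    ah_after_nat = ah_verify("216.193.1.1", "6.6.6.6", key, inner, icv)

    # UDP-encapsulated ESP goes through the same rewrite (address and port).
    pkt = ("192.168.0.2", "6.6.6.6", build_udp_esp(0x1234, 1, inner, key))
    _, _, translated = napt_outbound(pkt, "216.193.1.1", 61001)
    esp_after_nat = verify_udp_esp(translated, key)

    return ah_after_nat, esp_after_nat     # (False, True)


if __name__ == "__main__":
    print(demo())
```

Running the script prints `(False, True)`: the header-covering check is broken by the translation, while the UDP-encapsulated ESP still verifies at Server A even though both the source address and the UDP source port were rewritten. The `classify_nat_t` rule is the part a receiving IKE daemon relies on to tell keepalives, IKE and ESP apart on the shared port, which is why the reply describes the traffic as routed through the IKE daemon rather than straight to the kernel.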