From: Brian Skrab
To: Gavin Grabias
Cc: freebsd-questions@freebsd.org
Date: Wed, 16 Apr 2003 16:23:22 -0400
Subject: Re: IPSEC

It is my understanding that "standard" IPSec (tunnel mode or otherwise) will not survive a NAT traversal due to the packet header being re-written during the translation.

If your router supports IPSec, you may be able to create an IPSec tunnel between the external address of your router and Server A, assuming that the IPSec implementations on Router and Server A play nicely with one another. If you're concerned about traffic between Computer A and your Router, you can configure an IPSec tunnel between them as well.
           [IPSec Tunnel]                    [ IPSec Tunnel ]
Computer A ============ (Router) ======= (INTERNET) ======= Server A

This setup assumes that your router is trustworthy, as traffic to/from Computer A will not be protected during NAT'ing. This setup can be especially useful if Computer A lives on a wireless LAN.

If your IPSec tunnel _must_ traverse a NAT, you may want to look into an IEEE draft that proposes the encapsulation of IPSec ESP traffic within a standard UDP packet, which is transmitted to, and routed through, an intelligent IKE daemon. There is a patch to the Linux FreeS/WAN VPN (http://www.freeswan.org/) implementation that is reported to support the scenario that you describe. I have not done any research into such a patch for FreeBSD as the scenario above has always suited my needs.

In addition to the FreeS/WAN documentation, this article gives a good overview of a proposed IPSec->NAT traversal solution, though it does not mention any specific implementations:

http://www.isp-planet.com/technology/2001/ipsec_nat.html

Hope this helps.

~brian

On Wednesday 16 April 2003 10:00 am, Gavin Grabias wrote:
> Hi,
> I have a question regarding an IPSEC configuration. I am not really sure
> how this would work, it almost seems in between tunnel, and transport
> mode.
>
> Network:
>
> Computer A -------------- (Router) -----------( INTERNET ) ------ Server A
> (192.168.0.2)        (192.168.0.1) (216.193.1.1)                 (6.6.6.6)
>
> What I want to do is use IPSEC between Computer A and Server A. I am just
> confused about how it would work given that I don't have 2 distinct LANs
> that I am trying to interconnect. I doubt transport mode would work given
> the NAT taking place. Can anyone give me any pointers? Every example I
> see doesn't seem to attempt this.
>
> Thanks
> Gavin
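As an added illustration that is not part of either mail and not FreeBSD or FreeS/WAN code: a constructed toy model of the point Brian makes, using the addresses from Gavin's diagram. An integrity check that covers the IP header (AH style) fails once the router rewrites the source address, while ESP carried inside UDP keeps its check over the ESP body only and still verifies after the rewrite. The key, payloads, the UDP port 4500 and the toy `nat()` function are assumptions of the example.

```python
"""Toy model (constructed, not FreeBSD/FreeS/WAN code) of the NAT problem the
mail describes: the NAT rewrites the IP header, so an IPsec integrity check
that covers that header fails, while UDP-encapsulated ESP checks only the ESP
body and survives the rewrite."""
import hashlib
import hmac

KEY = b"constructed-demo-sa-key"  # hypothetical shared key for the SA


def icv(*covered: bytes) -> bytes:
    """Integrity check value over exactly the fields a mode protects."""
    return hmac.new(KEY, b"".join(covered), hashlib.sha256).digest()[:12]


def build_ah(src: str, dst: str, payload: bytes) -> dict:
    """AH style: the ICV covers the IP addresses, so any rewrite is detected."""
    return {"src": src, "dst": dst, "payload": payload,
            "icv": icv(src.encode(), dst.encode(), payload)}


def verify_ah(pkt: dict) -> bool:
    expect = icv(pkt["src"].encode(), pkt["dst"].encode(), pkt["payload"])
    return hmac.compare_digest(pkt["icv"], expect)


def build_udp_esp(src: str, dst: str, esp_body: bytes) -> dict:
    """ESP carried in UDP: the outer IP/UDP headers are outside the ICV."""
    return {"src": src, "dst": dst, "sport": 4500, "dport": 4500,
            "esp": esp_body, "icv": icv(esp_body)}


def verify_udp_esp(pkt: dict) -> bool:
    return hmac.compare_digest(pkt["icv"], icv(pkt["esp"]))


def nat(pkt: dict, public_ip: str, new_port: int) -> dict:
    """Router NAT: replace the private source; rewrite the UDP port if present."""
    out = dict(pkt, src=public_ip)
    if "sport" in out:
        out["sport"] = new_port
    return out


def demo() -> dict:
    """Computer A (192.168.0.2) -> Router (216.193.1.1) -> Server A (6.6.6.6)."""
    ah = build_ah("192.168.0.2", "6.6.6.6", b"constructed payload")
    esp = build_udp_esp("192.168.0.2", "6.6.6.6", b"constructed ciphertext")
    return {
        "ah_ok_before_nat": verify_ah(ah),
        "ah_ok_after_nat": verify_ah(nat(ah, "216.193.1.1", 40001)),
        "udp_esp_ok_before_nat": verify_udp_esp(esp),
        "udp_esp_ok_after_nat": verify_udp_esp(nat(esp, "216.193.1.1", 40001)),
    }
```

The toy does not model the second reason bare AH/ESP fail behind a port-overloading router: with no transport-layer port to rewrite, such a NAT has nothing to build a mapping from, which is what the UDP wrapper supplies.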