From owner-freebsd-net Sat Jul 20 7:30: 1 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DC87C37B400 for ; Sat, 20 Jul 2002 07:29:56 -0700 (PDT)
Received: from tp.databus.com (p70-227.acedsl.com [66.114.70.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 27F5543E31 for ; Sat, 20 Jul 2002 07:29:56 -0700 (PDT) (envelope-from barney@databus.com)
Received: from databus.com (localhost.databus.com [127.0.0.1]) by tp.databus.com (8.12.5/8.12.5) with ESMTP id g6KETtvG006672; Sat, 20 Jul 2002 10:29:55 -0400 (EDT) (envelope-from barney@databus.com)
Received: (from barney@localhost) by databus.com (8.12.5/8.12.5/Submit) id g6KETtIk006671; Sat, 20 Jul 2002 10:29:55 -0400 (EDT)
Date: Sat, 20 Jul 2002 10:29:55 -0400
From: Barney Wolff
To: Alessandro de Manzano
Cc: net@FreeBSD.ORG
Subject: Re: IPSec NAT Traversal ?
Message-ID: <20020720142955.GA6536@tp.databus.com>
References: <20020720134609.A41761@libero.sunshine.ale>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020720134609.A41761@libero.sunshine.ale>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

The general case, where there are multiple IPsec speakers behind multiple NATs, is what's not possible without special not-yet-standard effort. But a single IPsec speaker behind a client NAT on one side works fine. I routinely talk IPsec using the Nortel Contivity client on W2K to "a major financial institution" through my FBSD router/firewall/NAT, and it works fine. The only snag was that natd's keepalive timeouts are not adjustable, and rather than fiddle with the code I just run a slow ping from my W2K to the other side to keep the NAT state from being flushed.
Tcpdump verifies that it really is ESP that's being sent and received. AH would be another story, but is not used by the Nortel stuff, and probably not by others either.

On Sat, Jul 20, 2002 at 01:46:09PM +0200, Alessandro de Manzano wrote:
>
> I would set up an IPSec VPN between my home network and company's one.
> On both ends I've FreeBSD 4.x servers.
>
> On server side I've a bunch of public static IP addresses and on client
> (home) side I've an ADSL connection with one static IP address.
>
> Such IP is assigned to the router which also is NATting the traffic, as
> usual.
>
> This situation is not IPSec compatible, but I've been told that SSH
> Inc. sell a "NAT Traversal Toolkit" compatible with IPSec VPNs.
>
> Its whitepaper tells this NAT-T solution is an IETF draft
> (draft-stenberg-ipsec-nat-traversal-02 , Feb 2001) so I wonder if there
> already are some free, public alternatives to the SSH Inc. ones...

-- 
Barney Wolff
I never met a computer I didn't like.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
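Why Barney's "ESP works through NAT, AH would be another story" holds, as an added example that is not part of the original thread: the integrity check of AH covers the outer IP header (with only the mutable fields zeroed), while ESP's covers only its own payload, so a NAT rewriting the source address invalidates the first and not the second. The packet, key, SPI and addresses are constructed for the demonstration, and the ICV computation is a simplified stand-in for the real AH/ESP framing.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not real IPsec keys or traffic).
KEY = b"constructed-demo-key"
SPI, SEQ = 0x1000, 1
PAYLOAD = b"inner-packet-stand-in"  # what the tunnel actually carries

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left at zero."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0x4000, 64, proto, 0, to_bytes(src), to_bytes(dst))

def ah_icv(ip_hdr, key=KEY):
    """AH (IP proto 51): the ICV covers the IP header with the mutable fields
    zeroed (TOS/ECN, flags+fragment offset, TTL, checksum) plus SPI, sequence
    and payload. The source address is not mutable, so it is authenticated."""
    covered = bytearray(ip_hdr)
    covered[1] = 0; covered[6:8] = b"\0\0"; covered[8] = 0; covered[10:12] = b"\0\0"
    covered += struct.pack("!II", SPI, SEQ) + PAYLOAD
    return hmac.new(key, bytes(covered), hashlib.sha256).digest()[:16]

def esp_icv(_ip_hdr, key=KEY):
    """ESP (IP proto 50): the ICV covers only SPI, sequence and the ESP payload.
    The outer IP header is deliberately ignored, so a NAT may rewrite it."""
    return hmac.new(key, struct.pack("!II", SPI, SEQ) + PAYLOAD,
                    hashlib.sha256).digest()[:16]

def nat_rewrite_src(ip_hdr, new_src):
    """What a client-side NAT does on egress: swap the private source address
    (bytes 12..15) for its public one."""
    return ip_hdr[:12] + bytes(int(o) for o in new_src.split(".")) + ip_hdr[16:]

def survives_nat(icv_fn, proto):
    """Sender computes the ICV on the private-address packet; the far end
    recomputes it on the NAT-rewritten packet. True if they still match."""
    before = ipv4_header("192.168.1.10", "203.0.113.5", proto, 8 + len(PAYLOAD))
    sent_icv = icv_fn(before)
    after = nat_rewrite_src(before, "198.51.100.7")
    return hmac.compare_digest(sent_icv, icv_fn(after))

if __name__ == "__main__":
    print("AH  survives NAT:", survives_nat(ah_icv, 51))   # False
    print("ESP survives NAT:", survives_nat(esp_icv, 50))  # True
```

This is also the reason a capture showing IP protocol 50 (ESP) rather than 51 (AH), as Barney checked with tcpdump, is the first thing to confirm when an IPsec client behind NAT misbehaves.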