Date:      Sat, 20 Jul 2002 10:29:55 -0400
From:      Barney Wolff <barney@tp.databus.com>
To:        Alessandro de Manzano <adm@unixmania.net>
Cc:        net@FreeBSD.ORG
Subject:   Re: IPSec NAT Traversal ?
Message-ID:  <20020720142955.GA6536@tp.databus.com>
In-Reply-To: <20020720134609.A41761@libero.sunshine.ale>
References:  <20020720134609.A41761@libero.sunshine.ale>

The general case, where there are multiple IPsec speakers behind multiple
NATs, is what's not possible without special not-yet-standard effort.
But a single IPsec speaker behind a client NAT on one side works fine.  I
routinely talk IPsec using the Nortel Contivity client on W2K to
"a major financial institution" through my FBSD router/firewall/NAT,
and it works fine.  The only snag was that natd's keepalive timeouts
are not adjustable, and rather than fiddle with the code I just
run a slow ping from my W2K to the other side to keep the NAT state
from being flushed.  Tcpdump verifies that it really is ESP that's
being sent and received.  AH would be another story, but is not used
by the Nortel stuff, and probably not by others either.

On Sat, Jul 20, 2002 at 01:46:09PM +0200, Alessandro de Manzano wrote:
> 
> I would set up an IPSec VPN between my home network and company's one.
> On both ends I've FreeBSD 4.x servers.
> 
> On server side I've a bunch of public static IP addresses and on client
> (home) side I've an ADSL connection with one static IP address.
> 
> Such IP is assigned to the router which also is NATting the traffic, as
> usual.
> 
> This situation is not IPSec compatible, but I've been told that SSH
> Inc. sell a "NAT Traversal Toolkit" compatible with IPSec VPNs.
> 
> Its whitepaper says this NAT-T solution is an IETF draft
> (draft-stenberg-ipsec-nat-traversal-02 , Feb 2001) so I wonder if there
> already are some free, public alternatives to the SSH Inc. ones... 

-- 
Barney Wolff
I never met a computer I didn't like.
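As an added illustration (not part of Barney's mail or of any FreeBSD code), a simplified Python model of why ESP survives the address rewrite at a client NAT while AH does not: AH's integrity check covers the IP addresses, ESP's covers only the ESP payload. A second helper checks whether a stream of packet timestamps ever goes idle longer than the NAT's state timeout, the condition the slow ping works around; the key, addresses, timestamps and timeout are all constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-sample-key"  # constructed; a real SA key comes from IKE


@dataclass(frozen=True)
class Packet:
    src: str      # outer IP source address
    dst: str      # outer IP destination address
    ttl: int      # mutable in transit, excluded from the AH ICV
    payload: bytes  # ESP header + encrypted data (the part ESP authenticates)


def ah_icv(pkt: Packet) -> bytes:
    # AH authenticates the IP header with mutable fields (TTL, ToS, checksum)
    # zeroed, so src/dst addresses ARE covered by the integrity check.
    covered = pkt.src.encode() + pkt.dst.encode() + b"\x00" + pkt.payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def esp_icv(pkt: Packet) -> bytes:
    # ESP authenticates only the ESP header/payload/trailer, never the outer IP header.
    return hmac.new(KEY, pkt.payload, hashlib.sha256).digest()


def client_nat(pkt: Packet, public_ip: str) -> Packet:
    # A NAT rewrites the private source address to its public one and decrements TTL.
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)


def survives_nat(mode: str) -> bool:
    """True if the receiver's integrity check still passes after NAT rewrote the source."""
    inner = Packet("192.168.1.10", "203.0.113.5", 64, b"esp-spi+seq+ciphertext")
    icv = ah_icv(inner) if mode == "AH" else esp_icv(inner)
    outer = client_nat(inner, "198.51.100.7")  # constructed public address
    expected = ah_icv(outer) if mode == "AH" else esp_icv(outer)
    return hmac.compare_digest(expected, icv)


def nat_state_kept(timestamps: list[float], nat_timeout: float) -> bool:
    """True if no gap between consecutive packets reaches the NAT's idle timeout.

    A slow ping (or any keepalive) just guarantees the gaps stay below it.
    """
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return all(g < nat_timeout for g in gaps)


if __name__ == "__main__":
    print("ESP through NAT:", survives_nat("ESP"))  # True
    print("AH through NAT:", survives_nat("AH"))    # False
```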
