From owner-freebsd-questions Fri Oct 11 14:43:43 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 61C6437B401 for ; Fri, 11 Oct 2002 14:43:42 -0700 (PDT)
Received: from notus.primus.ca (mail.tor.primus.ca [216.254.136.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 095E543E88 for ; Fri, 11 Oct 2002 14:43:42 -0700 (PDT) (envelope-from leth@primus.ca)
Received: from dialin-153-145.tor.primus.ca ([216.254.153.145]) by notus.primus.ca with esmtp (Exim 3.33 #16) id 1807ZM-00053I-0A; Fri, 11 Oct 2002 17:43:41 -0400
Date: Fri, 11 Oct 2002 17:44:11 -0400 (EDT)
From: Jason Hunt
X-X-Sender: leth@lethargic.dyndns.org
To: MrWebby
Cc: freebsd-questions@freebsd.org
Subject: Re: IPsec Tunneling (VPN) from WIN2K (client) to FreeBSD (Server)
In-Reply-To: <3DA73754.8080103@bigfoot.com>
Message-ID: <20021011172140.T59992-100000@lethargic.dyndns.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I have CC'd this message to the questions mailing list, for "archival" purposes, and because someone else might have more insight. My apologies if your message was intended to be private. Anyhow ...

On Fri, 11 Oct 2002, MrWebby wrote:

> This is really good stuff. Both of your assumptions were correct. I
> failed to include details. But I will include them here just in case you
> want to reply (again). For testing purposes, I have my laptop (client)
> behind the same NAT/Gateway/Firewall as the server is in. That can
> really create a problem. I was ignoring that all this time. Now, your
> comments suggest that my laptop will be behind a NAT which makes sense.
> I failed to realize that it will alter the packets. BUT since I'm trying
> to set up IPsec in tunnel mode, wouldn't it matter if the client is
> behind a firewall since tunnel mode will encrypt the whole packet and
> not the IP header?
>

I am honestly not 100% sure, but my understanding of this is as follows:

IPSec consists of two parts, Authentication Header (AH) and Encapsulation Security Payload (ESP). AH is for authenticating the identity of who the packet came from. ESP is for encrypting the packets that you are tunnelling.

The AH function is what causes IPSec servers/clients to not work properly behind NAT, since the packets will fail to authenticate. If you only use ESP (as opposed to both ESP+AH), then IPSec should work behind NAT. I think I might be wrong however. Has anyone else ever tried this?

I'll have a look at this a bit more later, since I am on my way out. You might want to look around google for "IPSec NAT", and/or around www.kame.net.
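The mechanism behind the reply above, as an added illustration that is not part of the original thread: AH (RFC 4302) computes its integrity check value over the IP header with only the mutable fields (DSCP/ECN, flags, fragment offset, TTL, header checksum) zeroed, so the source and destination addresses stay under the check and a NAT rewrite of the source address makes the receiver's recomputation fail. ESP (RFC 4303) computes its check over the ESP header and payload only; in tunnel mode the outer IP header is not covered, so an address rewrite alone does not invalidate it. The model below is constructed and simplified: a single hard-coded HMAC key stands in for the per-SA key, the ESP payload is left unencrypted because encryption does not affect the NAT question, and the header layouts are minimal. The addresses are documentation ranges, not hosts from this thread. One caveat the 2002 message could not know: ESP carries no port numbers, so a NAT that multiplexes by port still needs the later UDP encapsulation of ESP (NAT traversal, RFC 3948).

```python
"""Why AH fails behind NAT while ESP tunnel mode survives an address rewrite.

Constructed teaching model (not a protocol implementation): real AH/ESP use
per-SA keys and full RFC 4302/4303 layouts; only "which bytes does the
integrity check cover?" is reproduced here.
"""
import hashlib
import hmac
import ipaddress
import struct

PROTO_ESP = 50
PROTO_AH = 51
SPI = 0x1000_0001                 # constructed Security Parameter Index
KEY = b"constructed-demo-sa-key"  # stand-in for the SA authentication key


def ip_header(src, dst, proto, ttl=64, total_len=40):
    """Minimal 20-byte IPv4 header; checksum left 0 (AH zeroes it anyway)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_covered_bytes(hdr):
    """Zero the RFC 4302 mutable fields; src/dst addresses remain covered."""
    h = bytearray(hdr)
    h[1] = 0                 # DSCP/ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(hdr, payload):
    """AH ICV: HMAC over the (mutable-zeroed) IP header and the payload."""
    return hmac.new(KEY, ah_covered_bytes(hdr) + payload, hashlib.sha256).digest()[:12]


def esp_icv(esp_body):
    """ESP ICV: HMAC over SPI + sequence number + payload only, never the outer header."""
    return hmac.new(KEY, esp_body, hashlib.sha256).digest()[:12]


def forward(hdr, new_src=None):
    """Model one hop: a router decrements TTL; a NAT also rewrites the source address."""
    h = bytearray(hdr)
    h[8] -= 1
    if new_src is not None:
        h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)


def receive_ah(hdr, payload, icv):
    """Receiver side: recompute the AH ICV over the header as actually received."""
    return hmac.compare_digest(icv, ah_icv(hdr, payload))


def receive_esp(outer_hdr, esp_body, icv):
    """Receiver side: the outer header is only used to find the SA; the ICV ignores it."""
    if outer_hdr[9] != PROTO_ESP:
        return None
    if not hmac.compare_digest(icv, esp_icv(esp_body)):
        return None
    return esp_body[8:]      # decapsulated inner packet (SPI + seq are 8 bytes)


def ah_survives_nat(inner_src, nat_src, dst, payload):
    """AH packet sent from a private address, source-rewritten by a NAT in transit."""
    sent = ip_header(inner_src, dst, PROTO_AH)
    icv = ah_icv(sent, payload)
    return receive_ah(forward(sent, nat_src), payload, icv)


def ah_survives_plain_hop(src, dst, payload):
    """Control case: an ordinary router hop (TTL decrement only) must not break AH."""
    sent = ip_header(src, dst, PROTO_AH)
    icv = ah_icv(sent, payload)
    return receive_ah(forward(sent), payload, icv)


def esp_survives_nat(inner_src, nat_src, dst, inner_packet):
    """ESP tunnel mode: the whole inner packet is the ESP payload under a new outer header."""
    esp_body = struct.pack("!II", SPI, 1) + inner_packet   # SPI, seq, (unencrypted stand-in) payload
    outer = ip_header(inner_src, dst, PROTO_ESP, total_len=20 + len(esp_body) + 12)
    icv = esp_icv(esp_body)
    return receive_esp(forward(outer, nat_src), esp_body, icv) == inner_packet


if __name__ == "__main__":
    client, nat, server = "192.168.1.10", "198.51.100.7", "203.0.113.5"
    print("AH across a plain router hop:", ah_survives_plain_hop(client, server, b"ping"))
    print("AH across a NAT:             ", ah_survives_nat(client, nat, server, b"ping"))
    print("ESP tunnel across a NAT:     ", esp_survives_nat(client, nat, server, b"inner"))
```

Run it and the three lines come out True, False, True: the TTL decrement is harmless to AH because TTL is zeroed before hashing, the address rewrite is fatal to AH because addresses are not, and ESP never hashed the outer header in the first place.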