From owner-freebsd-questions@FreeBSD.ORG Sun Jan 23 16:00:58 2005
Message-ID: <19861fba05012308005d38fe04@mail.gmail.com>
Date: Sun, 23 Jan 2005 17:00:56 +0100
From: J65nko BSD
To: Erik Norgaard
cc: FreeBSD Questions
Subject: Re: IPSec without AH
In-Reply-To: <41F3ACA6.6010002@locolomo.org>
References: <41F39CE7.7040209@locolomo.org> <19861fba050123053644f383f7@mail.gmail.com> <41F3ACA6.6010002@locolomo.org>
List-Id: User questions (freebsd-questions@freebsd.org)

On Sun, 23 Jan 2005 14:54:46 +0100, Erik Norgaard wrote:
> J65nko BSD wrote:
>
>> Due to the problems of IPSec with NAT I was thinking if it is possible to
>> set up IPSec without Authenticated Headers? Does anyone know of a howto?
>
> > The AH (Authenticated Header) protocol cannot be used with NAT, NAT
> > modifies the header of packets, while AH is supposed to protect that
> > header from being modified. Another IPSEC protocol ESP (Encrypted
> > Security Payload), both authenticates and encrypts, and thus has no
> > problem with NAT traversal.
>
> Thanks, AFAIK, ESP and AH are used in conjunction in IPSec, ESP for
> encrypting the packet payload, and AH for authentication. ESP in itself
> does not provide authentication, but only encrypts the payload - hence
> the names :-)
>
> Since ESP only encrypts the payload, as you say, ESP has no problem with
> NAT, whereas AH appends a signed checksum of the header. And since NAT
> alters the header, verifying the AH fails.
>
> Of course, it requires access to the (public?) keys to create valid
> encrypted packets. Hence, if the public key is kept as a shared secret
> among the authorized users, one could assume that ESP packets are
> authenticated/trusted.
>
> This is my idea, discard AH, rely on ESP and assume that anyone capable
> of producing decryptable packets must have access to the pre-shared
> secret "public" key and hence authorized.

You are not the first to have this idea. The authors of "Secure
Architectures with OpenBSD" already published this ;)

> AH would work, if both ends were NAT-aware, such that the right src/dst
> ip could be inserted in the header before checking. It just occurred to
> me that maybe this could be done by adding yet another IP/IP tunnel?
>
> Cheers, Erik

OpenBSD 3.6 supports NAT traversal. From http://openbsd.org/36.html:

"isakmpd(8) now supports NAT-traversal and Dead Peer Detection (RFC 3706)."

Don't know how long it would take before this is supported by FreeBSD ;)

=Adriaan=
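The thread above argues from the definitions of the two protocols: the AH integrity check value (ICV) is computed over the IP header (with the fields a router may legitimately change zeroed out) plus the payload, whereas the ESP ICV, when ESP is used with an integrity algorithm as RFC 2406/4303 allow, covers only the ESP header, payload and trailer and never the outer IP header. The following Python script is an added example, not code from the thread or from any OpenBSD/FreeBSD IPsec implementation. It builds minimal IPv4/AH and IPv4/ESP packets with an HMAC-SHA1-96 ICV (RFC 2404), runs them through a simulated plain router hop (TTL decrement) and a simulated source NAT (address rewrite), and reports which ICVs still verify. The key, addresses, SPIs and payload are constructed sample values, and ESP payload encryption is deliberately omitted since only ICV coverage matters here.

```python
"""Added example (not from the original thread): why AH breaks under NAT and
ESP does not. The point is only which bytes the ICV covers, so ESP payload
encryption is left out. All keys, addresses and SPIs are constructed samples."""
import hashlib
import hmac
import socket
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51
ICV_LEN = 12  # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits (RFC 2404)
KEY = b"constructed-sample-key-not-a-real-secret"


def ip_checksum(hdr: bytes) -> int:
    """Ones'-complement checksum over a 20-byte IPv4 header (0 if already valid)."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """IPv4 header without options (IHL=5), DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """IPv4 header with the mutable fields zeroed before the AH ICV is computed
    (RFC 4302 3.3.3.1): TOS, flags/fragment offset, TTL and header checksum.
    Source and destination addresses are NOT mutable, so NAT breaks the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def build_ah_packet(src: str, dst: str, next_proto: int, payload: bytes) -> bytes:
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, ah_len + len(payload))
    # AH: next header, payload length in 32-bit words minus 2, reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", next_proto, ah_len // 4 - 2, 0, 0x1000, 1)
    covered = ah_immutable_view(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return ip_hdr + ah_fixed + icv(covered) + payload


def ah_verify(packet: bytes) -> bool:
    ip_hdr, rest = packet[:20], packet[20:]
    ah_fixed, tag, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    covered = ah_immutable_view(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.compare_digest(tag, icv(covered))


def build_esp_packet(src: str, dst: str, next_proto: int, payload: bytes) -> bytes:
    # ESP trailer: padding (1,2,3,... pattern) to a 4-byte boundary, pad length,
    # next header. The ICV covers SPI + seq + payload + trailer, not the IP header.
    pad_len = (-(len(payload) + 2)) % 4
    body = payload + bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, next_proto)
    esp = struct.pack("!II", 0x2000, 1) + body
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, len(esp) + ICV_LEN)
    return ip_hdr + esp + icv(esp)


def esp_verify(packet: bytes) -> bool:
    esp, tag = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(tag, icv(esp))


def _fix_checksum(h: bytearray) -> bytes:
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def router_hop(packet: bytes) -> bytes:
    """Plain forwarding: TTL decremented, checksum recomputed, addresses untouched."""
    h = bytearray(packet[:20])
    h[8] -= 1
    return _fix_checksum(h) + packet[20:]


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """Source NAT on an outbound packet: rewrite the source address and fix the
    IP checksum. Nothing after the IP header is touched (no port rewrite here,
    since AH/ESP carry no transport ports for the NAT to find)."""
    h = bytearray(packet[:20])
    h[12:16] = socket.inet_aton(new_src)
    return _fix_checksum(h) + packet[20:]


def demo() -> dict:
    payload = b"constructed upper-layer payload"
    ah = build_ah_packet("192.0.2.10", "198.51.100.5", 6, payload)
    esp = build_esp_packet("192.0.2.10", "198.51.100.5", 6, payload)
    return {
        "ah_direct": ah_verify(ah),
        "ah_after_router": ah_verify(router_hop(ah)),
        "ah_after_nat": ah_verify(nat_rewrite_source(ah, "203.0.113.1")),
        "esp_direct": esp_verify(esp),
        "esp_after_nat": esp_verify(nat_rewrite_source(esp, "203.0.113.1")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV OK' if ok else 'ICV FAILED'}")
```

The router hop case is included to show that AH tolerates the header changes it was designed to tolerate (TTL and checksum are zeroed before the HMAC), so it is specifically the address rewrite, not "any change to the header", that defeats it. Note also that this NAT model changes only addresses; a port-translating NAT has no TCP/UDP ports to rewrite in an AH or ESP packet at all, which is why real deployments use the UDP encapsulation negotiated by the NAT-traversal support Adriaan mentions for isakmpd rather than relying on ESP alone.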