From owner-freebsd-net Fri Oct 18 6:41:26 2002
Date: Fri, 18 Oct 2002 06:39:51 -0700 (PDT)
From: Matthew Zahorik
To: freebsd-net@freebsd.org
Subject: Re: IPSEC/NAT issues
In-Reply-To: <20021018002729.T66900-100000@mail.allcaps.org>

On Fri, 18 Oct 2002, Andrew P. Lentvorski wrote:

> You cannot NAT an IPSEC packet. NAT rewrites the IP headers and the
> packet will get rejected when it reaches the other IPSEC node.

Not exactly true. I use a Windows Nortel Contivity client behind NAT just fine.

If you're using an AH association (header authentication), that will not pass through NAT. I'm sure someone on this list may come up with a fancy trick for FreeBSD, but generally the statement is true. AH detects the NAT changes as header corruption.

But if you're only using ESP (encryption of payload), that will work fine. Most turn on both AH and ESP by default, but that isn't always the case, as in the Nortel boxes.

On another note, I'd *love* to use my FreeBSD NAT box as a VPN tunnel endpoint rather than my Windows boxes.
It's a dynamic IP, so it's a catch-22 right now. I can't create a tunnel or SPD policy entry before I know the IP addresses, and IKE/racoon can't start without those things. So, if someone happens to be ripping the IPsec processing apart, something to eliminate this catch-22 would be nice (: (SPD entries pointing to an unconfigured or dummy tunnel, for example)

Thanks!

- Matt
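The AH-versus-ESP point in the post above, shown as an added example (not code from the post, from FreeBSD, KAME or racoon): a Python model of the two integrity checks. AH (RFC 2402) computes its ICV over the IP header with only the mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed, so the source and destination addresses are covered and a NAT rewrite of the source address shows up as an ICV mismatch; a router decrementing TTL does not. ESP (RFC 2406) computes its ICV from the SPI onward and never looks at the outer IP header, so the same rewrite leaves the ESP check intact. Assumptions: the SA key is a constructed constant rather than something IKE negotiated, the IPv4 header is a minimal 20-byte one whose checksum is not maintained (AH zeroes it anyway), ESP's payload is passed in as placeholder "ciphertext" because encryption plays no part in the argument, and HMAC-SHA1-96 (RFC 2404) is the integrity algorithm for both. One caveat the post does not mention: in practice ESP through NAT is carried in UDP (NAT traversal, RFC 3948), because many NATs cannot track IP protocol 50 for more than one client; that fix cannot be applied to AH, since its ICV deliberately covers the addresses NAT changes.

```python
"""Model of AH and ESP integrity checks under NAT. Constructed example; packets
are built by hand and the SA key is a fixed constant, not negotiated by IKE."""
import hashlib
import hmac
import ipaddress
import struct

SA_KEY = b"constructed-example-key-not-from-ike"  # assumption: static key
IPPROTO_ESP = 50
IPPROTO_AH = 51
ICV_LEN = 12          # HMAC-SHA1-96 (RFC 2404): 160-bit HMAC truncated to 96 bits
AH_HDR_LEN = 12 + ICV_LEN


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header, no options. The checksum is left zero in this
    model; AH zeroes it before hashing and ESP never covers it, so it is irrelevant."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def icv(data):
    return hmac.new(SA_KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_authenticated_bytes(packet):
    """RFC 2402 3.3.3: hash the IP header with mutable fields zeroed, the AH header
    with its ICV zeroed, and everything after it. Src/dst are immutable and stay in."""
    hdr = bytearray(packet[:20])
    hdr[1] = 0                        # TOS
    hdr[6:8] = b"\x00\x00"            # flags + fragment offset
    hdr[8] = 0                        # TTL
    hdr[10:12] = b"\x00\x00"          # header checksum
    ah = bytearray(packet[20:20 + AH_HDR_LEN])
    ah[12:12 + ICV_LEN] = bytes(ICV_LEN)
    return bytes(hdr) + bytes(ah) + packet[20 + AH_HDR_LEN:]


def build_ah_packet(src, dst, spi, seq, inner):
    """IP | AH(next=4 for a tunnelled inner packet) | inner. ICV filled in last."""
    hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + AH_HDR_LEN + len(inner))
    ah = struct.pack("!BBHII", 4, AH_HDR_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    packet = hdr + ah + inner
    mac = icv(ah_authenticated_bytes(packet))
    return packet[:32] + mac + packet[32 + ICV_LEN:]


def verify_ah(packet):
    return hmac.compare_digest(packet[32:32 + ICV_LEN],
                               icv(ah_authenticated_bytes(packet)))


def build_esp_packet(src, dst, spi, seq, ciphertext):
    """IP | ESP(spi, seq) | ciphertext (trailer assumed inside) | ICV.
    The ICV covers SPI through the end of the ciphertext and nothing before it."""
    body = struct.pack("!II", spi, seq) + ciphertext
    hdr = ipv4_header(src, dst, IPPROTO_ESP, 20 + len(body) + ICV_LEN)
    return hdr + body + icv(body)


def verify_esp(packet):
    return hmac.compare_digest(packet[-ICV_LEN:], icv(packet[20:-ICV_LEN]))


def nat_rewrite_src(packet, new_src):
    """What the NAT box does on the way out: replace the source address. (A real
    NAT also recomputes the IP checksum; that field is mutable and not modelled.)"""
    return packet[:12] + ipaddress.IPv4Address(new_src).packed + packet[16:]


def router_decrement_ttl(packet):
    """What every hop does: decrement TTL, a mutable field AH excludes."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]


def demo():
    inner = b"constructed inner packet bytes, contents irrelevant to the ICV logic"
    ah = build_ah_packet("192.168.1.10", "203.0.113.5", 0x1000, 1, inner)
    esp = build_esp_packet("192.168.1.10", "203.0.113.5", 0x2000, 1, inner)
    return {
        "ah_unmodified": verify_ah(ah),
        "ah_after_ttl_decrement": verify_ah(router_decrement_ttl(ah)),
        "ah_after_nat": verify_ah(nat_rewrite_src(ah, "198.51.100.7")),
        "esp_unmodified": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_rewrite_src(esp, "198.51.100.7")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'ICV ok' if ok else 'ICV MISMATCH (dropped)'}")
```

Running it prints an ICV mismatch only for the AH packet that went through NAT; the TTL-decremented AH packet and both ESP packets verify, which is the behaviour the post describes from the receiving node's point of view.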