Re: IPSec client behind an OBSD router

Jolan Luff <jolan@cryptonomicon.org> wrote :
> It moved, sorry:
> http://www.cryptonomicon.org/notes/vpn_nat.html
Does this method work with all ESP modes: transport and tunnel mode?
According to my knowledge, your method works only with ESP in transport mode,
because with ESP tunnel mode the original IP header is authenticated with the ESP
trailer, and the NAT equipment (here the OpenBSD router) modifies the IP header for NAT
==> failure in the verification of the original IP headers on the distant IPsec gateway :-(
In this case (ESP tunnel mode), the NAT-Traversal IETF drafts would be the
correct solution (encapsulation of ESP in UDP packets), see:
- http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-05.txt
- http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-06.txt
But at the present time, isakmpd doesn't support this feature :-( Only Freeswan
with a patch supports it in "the open-source world" (Linux...).
A++ Foxy.
Laurent Cheylus <foxy@free.fr> OpenPGP ID 0x5B766EC2
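The UDP encapsulation the message points to, as an added example that is not code from the post, from isakmpd or from the Freeswan patch. The byte layouts follow draft-ietf-ipsec-udp-encaps in the form it was later published as RFC 3948 (assumed to match the -06 draft cited above): ESP packets travel as the UDP payload on port 4500 starting with the ESP header, IKE on the same port is prefixed with a four-byte zero "non-ESP marker", and a single 0xFF octet is a NAT-keepalive. Because a real SA never has SPI 0, the receiving end can demultiplex on the first four bytes, which is what `demux` does. The sample ESP body and IKE message are constructed placeholders; nothing here is encrypted.

```python
"""UDP encapsulation of ESP for NAT traversal (draft-ietf-ipsec-udp-encaps / RFC 3948).

Added example; not code from the mailing-list post, isakmpd or Freeswan.
Layouts used (assumed to match the cited -06 draft as published in RFC 3948):
  ESP-in-UDP  : UDP payload = ESP header (SPI, seq) + rest of the ESP packet
  IKE-in-UDP  : UDP payload = 4-byte non-ESP marker (all zero) + IKE message
  keepalive   : UDP payload = single 0xFF octet
"""
import struct

NAT_T_PORT = 4500                    # port used for both IKE and ESP once NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # distinguishes IKE from ESP on the shared port
KEEPALIVE = b"\xff"
ESP_HDR = struct.Struct("!II")        # SPI and sequence number, network byte order


def encapsulate_esp(spi: int, seq: int, esp_rest: bytes) -> bytes:
    """Build the UDP payload carrying one ESP packet.

    esp_rest is everything that follows the ESP header on the wire (IV,
    ciphertext, ESP trailer, ICV). Only the outer IP/UDP addressing is
    rewritten by a NAT box; this payload passes through unchanged.
    """
    if not 1 <= spi <= 0xFFFFFFFF:
        # SPI 0 is reserved and would be indistinguishable from the non-ESP marker.
        raise ValueError("SPI must be a non-zero 32-bit value")
    return ESP_HDR.pack(spi, seq & 0xFFFFFFFF) + esp_rest


def encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE on UDP/4500 is prefixed with the zero marker so it cannot look like ESP."""
    return NON_ESP_MARKER + ike_message


def keepalive() -> bytes:
    """One-octet datagram sent periodically to keep the NAT mapping alive."""
    return KEEPALIVE


def demux(udp_payload: bytes):
    """Classify a datagram received on UDP/4500 the way a NAT-T endpoint must.

    Returns ("keepalive",), ("ike", message) or ("esp", spi, seq, rest).
    Raises ValueError on datagrams too short to carry either header.
    """
    if udp_payload == KEEPALIVE:
        return ("keepalive",)
    if len(udp_payload) < 4:
        raise ValueError("too short for a non-ESP marker or an ESP header")
    if udp_payload[:4] == NON_ESP_MARKER:
        return ("ike", udp_payload[4:])
    if len(udp_payload) < ESP_HDR.size:
        raise ValueError("truncated ESP header")
    spi, seq = ESP_HDR.unpack_from(udp_payload)
    return ("esp", spi, seq, udp_payload[ESP_HDR.size:])


def demo():
    """Round-trip constructed sample datagrams through the encapsulation and demux."""
    esp_rest = b"\x11" * 16 + b"\x22" * 32 + b"\x33" * 12   # constructed IV+ciphertext+ICV
    ike_msg = b"\x00" * 8 + b"\x01" * 8 + b"\x20\x08\x10\x02" + b"\x00" * 8  # constructed
    results = [
        demux(encapsulate_esp(0x0A1B2C3D, 42, esp_rest)),
        demux(encapsulate_ike(ike_msg)),
        demux(keepalive()),
    ]
    return results


if __name__ == "__main__":
    for r in demo():
        print(r[0], r[1:] if len(r) > 1 else "")
```

The design point worth noticing is that the demultiplexing relies entirely on the first four bytes of the UDP payload, so an implementation must refuse to negotiate SPI 0 (as `encapsulate_esp` does) and must check the payload length before reading the ESP header, otherwise a one-byte keepalive or a short datagram from a hostile source becomes an out-of-bounds read.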