

Re: IPsec NAT-T to IPsec NAT-T



If neither NAT gateway has a port-forwarding rule sending UDP 500/4500 to the inner host, the initiator's first IKE packet never reaches the responder, I think. At least one side has to be reachable from the outside (or the NAT must forward the IKE ports) for NAT-T to get past the first exchange.

(2013/11/18 22:46), Darren Reed wrote:
Maybe I'm approaching the problem the wrong way, maybe not...

My goal is to get two NetBSD hosts, each sitting behind its own NAT gateway,
to talk to each other over IPsec using NAT-T (UDP-encapsulated ESP).

This should work, shouldn't it?

Darren

From gateway 1, ipsec.conf:

# Gateway 1 SPD (setkey).  This gateway is 10.0.0.254 on its private side and
# is behind a NAT; the peer is reached at its public address 64.33.101.23.
# Every selector below is ICMP-only, so only ping traffic is protected -- fine
# for testing, but widen the protocol (e.g. "any") before relying on it.
#
# Pair 1: this gateway itself <-> the remote LAN, plain ESP tunnel (no UDP
# encapsulation ports on the tunnel endpoints).
spdadd 10.0.0.254/32 10.1.2.0/24 icmp
         -P out ipsec esp/tunnel/10.0.0.254-64.33.101.23/require;
spdadd 10.1.2.0/24 10.0.0.254/32 icmp
         -P in ipsec esp/tunnel/64.33.101.23-10.0.0.254/require;

# Pair 2: the local LAN <-> the peer gateway's public address, plain ESP tunnel.
spdadd 64.33.101.23/32 10.1.1.0/24 icmp
         -P in ipsec esp/tunnel/64.33.101.23-10.0.0.254/require;
spdadd 10.1.1.0/24 64.33.101.23/32 icmp
         -P out ipsec esp/tunnel/10.0.0.254-64.33.101.23/require;

# Pair 3: LAN <-> LAN.  The "[4500]" on both tunnel endpoints marks these
# policies as UDP-encapsulated ESP (NAT-T on UDP 4500).
# NOTE(review): only this pair carries the encapsulation ports; the two pairs
# above presumably describe un-encapsulated ESP, which a NAT in the path will
# not pass -- confirm whether they are meant to be NAT-T as well.
spdadd 10.1.2.0/24 10.1.1.0/24 icmp
         -P in ipsec esp/tunnel/64.33.101.23[4500]-10.0.0.254[4500]/require;
spdadd 10.1.1.0/24 10.1.2.0/24 icmp
         -P out ipsec esp/tunnel/10.0.0.254[4500]-64.33.101.23[4500]/require;

and racoon.conf:

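# Gateway 1 racoon.conf (IKEv1 / racoon, NetBSD).
#
# Pre-shared keys: one "<peer identifier> <key>" line per peer.  This file is
# the only authentication material in this setup -- keep it root-owned and
# mode 0600.
path pre_shared_key "/etc/ipsec-key.txt";

listen {
        # We sit behind a NAT, so racoon listens on the private address the NAT
        # rewrites.  UDP 4500 carries NAT-T (UDP-encapsulated ISAKMP/ESP),
        # UDP 500 plain ISAKMP.
        isakmp_natt 10.0.0.254 [4500];
        isakmp 10.0.0.254 [500];
        # Fail at startup instead of silently running without one of the
        # addresses above.
        strict_address;
}

# "anonymous" matches any peer address: with pre-shared-key authentication,
# anyone holding the key can bring a tunnel up.  Once the setup works, narrow
# this to the peer's public address ("remote 64.33.101.23 { ... }").
remote anonymous
{
        exchange_mode main;
        # NOTE(review): a phase-1 lifetime is also given inside proposal {}
        # below (30 hours); the two values disagree -- keep a single one.
        lifetime time 24 hour;
        my_identifier address 10.0.0.254;
        # NOTE(review): with "address" identities behind NAT the peer presents
        # its own private address (the peer's config also uses 10.0.0.254), not
        # 64.33.101.23, so this value will not match what arrives.  racoon only
        # compares the received ID against peers_identifier when
        # "verify_identifier on;" is set, which it is not here.
        peers_identifier address 64.33.101.23;
        ike_frag on;
        esp_frag 1440;
        initial_contact on;
        support_proxy on;
        # "force" always UDP-encapsulates, even if NAT detection fails.
        nat_traversal force;
        proposal {
                # No key length given -> racoon's default (128-bit AES).
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                # The original listed both "modp2048" and "2" (modp1024); the
                # later line is the one racoon appears to use.  One group only,
                # the stronger of the two -- it must be identical on both
                # gateways.
                dh_group modp2048;
                lifetime time 30 hours;
        }
        # The original set "claim" and then "obey"; only the last setting takes
        # effect, so the shadowed "claim" line is dropped here.
        proposal_check obey;
}

sainfo anonymous
{
        # Group 2 is modp1024 -- weak by current standards; consider group 14
        # (modp2048) once both peers are changed together.
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        # Negotiates IPComp (deflate) inside the tunnel.
        compression_algorithm deflate;
}

# Very verbose: negotiation details, identities and SPIs end up in the logs.
# Drop back to "notify" or "info" once the tunnel works.
log debug;

# ISAKMP mode-config: only used for road-warrior clients requesting addresses.
# Presumably unused in this gateway-to-gateway setup; harmless but confirm.
mode_cfg {
        auth_source system;
        conf_source local;
        accounting none;
}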

From gateway 2, ipsec.conf:
# Gateway 2 SPD (setkey).  This gateway is also 10.0.0.254 on its private side
# and behind a NAT; the peer (gateway 1) is reached at its public address
# 177.3.11.43.  As on gateway 1, all selectors are ICMP-only (test setup).
#
# Pair 1: this gateway itself <-> the remote LAN, plain ESP tunnel (no UDP
# encapsulation ports on the tunnel endpoints).
spdadd 10.0.0.254/32 10.1.2.0/24 icmp
         -P out ipsec esp/tunnel/10.0.0.254-177.3.11.43/require;
spdadd 10.1.2.0/24 10.0.0.254/32 icmp
         -P in ipsec esp/tunnel/177.3.11.43-10.0.0.254/require;

# Pair 2: the local LAN <-> the peer gateway's public address, plain ESP tunnel.
spdadd 177.3.11.43/32 10.1.1.0/24 icmp
         -P in ipsec esp/tunnel/177.3.11.43-10.0.0.254/require;
spdadd 10.1.1.0/24 177.3.11.43/32 icmp
         -P out ipsec esp/tunnel/10.0.0.254-177.3.11.43/require;

# Pair 3: LAN <-> LAN.  The "[4500]" on both tunnel endpoints marks these
# policies as UDP-encapsulated ESP (NAT-T on UDP 4500).
# NOTE(review): only this pair carries the encapsulation ports; the two pairs
# above presumably describe un-encapsulated ESP, which a NAT in the path will
# not pass -- confirm whether they are meant to be NAT-T as well.
spdadd 10.1.2.0/24 10.1.1.0/24 icmp
         -P in ipsec esp/tunnel/177.3.11.43[4500]-10.0.0.254[4500]/require;
spdadd 10.1.1.0/24 10.1.2.0/24 icmp
         -P out ipsec esp/tunnel/10.0.0.254[4500]-177.3.11.43[4500]/require;

and racoon.conf:
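# Gateway 2 racoon.conf (IKEv1 / racoon, NetBSD).
#
# Pre-shared keys: one "<peer identifier> <key>" line per peer.  This file is
# the only authentication material in this setup -- keep it root-owned and
# mode 0600.
path pre_shared_key "/etc/ipsec-key.txt";

listen {
        # We sit behind a NAT, so racoon listens on the private address the NAT
        # rewrites.  UDP 4500 carries NAT-T (UDP-encapsulated ISAKMP/ESP),
        # UDP 500 plain ISAKMP.
        isakmp_natt 10.0.0.254 [4500];
        isakmp 10.0.0.254 [500];
        # Fail at startup instead of silently running without one of the
        # addresses above.
        strict_address;
}

# "anonymous" matches any peer address: with pre-shared-key authentication,
# anyone holding the key can bring a tunnel up.  Once the setup works, narrow
# this to the peer's public address ("remote 177.3.11.43 { ... }").
remote anonymous
{
        exchange_mode main;
        # NOTE(review): a phase-1 lifetime is also given inside proposal {}
        # below (30 hours); the two values disagree -- keep a single one.
        lifetime time 24 hour;
        my_identifier address 10.0.0.254;
        # NOTE(review): with "address" identities behind NAT the peer presents
        # its own private address (gateway 1 also uses 10.0.0.254), not
        # 177.3.11.43, so this value will not match what arrives.  racoon only
        # compares the received ID against peers_identifier when
        # "verify_identifier on;" is set, which it is not here.
        peers_identifier address 177.3.11.43;
        ike_frag on;
        esp_frag 1440;
        initial_contact on;
        support_proxy on;
        # "force" always UDP-encapsulates, even if NAT detection fails.
        nat_traversal force;
        proposal {
                # No key length given -> racoon's default (128-bit AES).
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                # The original listed both "modp2048" and "2" (modp1024); the
                # later line is the one racoon appears to use.  One group only,
                # the stronger of the two -- it must be identical on both
                # gateways.
                dh_group modp2048;
                lifetime time 30 hours;
        }
        # The original set "claim" and then "obey"; only the last setting takes
        # effect, so the shadowed "claim" line is dropped here.
        proposal_check obey;
}

sainfo anonymous
{
        # Group 2 is modp1024 -- weak by current standards; consider group 14
        # (modp2048) once both peers are changed together.
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        # Negotiates IPComp (deflate) inside the tunnel.
        compression_algorithm deflate;
}

# Very verbose: negotiation details, identities and SPIs end up in the logs.
# Drop back to "notify" or "info" once the tunnel works.
log debug;

# ISAKMP mode-config: only used for road-warrior clients requesting addresses.
# Presumably unused in this gateway-to-gateway setup; harmless but confirm.
mode_cfg {
        auth_source system;
        conf_source local;
        accounting none;
}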



