[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: IPsec NAT-T to IPsec NAT-T
On 19/11/2013 1:23 AM, Michael Richardson wrote:
> Darren Reed <darrenr%netbsd.org@localhost> wrote:
> > This should work, shouldn't it?
> At the data layer, yes, but you have a policy problem:
> > path pre_shared_key "/etc/ipsec-key.txt";
> pre-shared indexed by IP addresses are really hard to make sense of through
> NAT. Remember that each end is sending it's ID as it's private IP, but the
> packets come from the public IP. Looks like a MITM attack, because it is.
> Use RSA or use FQDNs to identify your machines, and your life will be much
> easier (on ikev1, you'll have to use aggressive mode)
Ok, so I've found this page that talks about RSA:
... but the problem here is that it is one sided: one end is the server and
the other is the client. I want to do symmetrical configuration where both
ends are peers and either end can bring up the tunnel.
I'll try FQDN...
> And, obviously, your NAT's need to have port 500/4500 plugged through on at
> least one end.
That has been taken care of.
Main Index |
Thread Index |