tech-net archive


Re: IPsec NAT-T to IPsec NAT-T

On 19/11/2013 1:23 AM, Michael Richardson wrote:
> Darren Reed <> wrote:
>     > This should work, shouldn't it?
> At the data layer, yes, but you have a policy problem:
>     > path pre_shared_key "/etc/ipsec-key.txt";
> pre-shared indexed by IP addresses are really hard to make sense of through
> NAT.  Remember that each end is sending its ID as its private IP, but the
> packets come from the public IP.  Looks like a MITM attack, because it is.
> Use RSA or use FQDNs to identify your machines, and your life will be much
> easier (on ikev1, you'll have to use aggressive mode)

Ok, so I've found this page that talks about RSA:

... but the problem here is that it is one sided: one end is the server and
the other is the client. I want to do symmetrical configuration where both
ends are peers and either end can bring up the tunnel.

I'll try FQDN...

> And, obviously, your NATs need to have port 500/4500 plugged through on at
> least one end.

That has been taken care of.
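As an added illustration, not part of the thread or of anyone's posted config: a racoon.conf fragment for one peer that applies the advice above, identifying both ends by FQDN rather than by the NATed address and using aggressive mode for IKEv1 with a pre-shared key. The hostnames, key file path and algorithms are placeholders; the second peer uses the same file with the two identifiers swapped, which keeps the setup symmetrical.

```conf
# Added example, not from the thread: one peer's racoon.conf.
# Hostnames, paths and algorithms are placeholders; the other peer
# mirrors this file with my_identifier / peers_identifier swapped.

path pre_shared_key "/etc/ipsec-key.txt";

# /etc/ipsec-key.txt is now indexed by the FQDN the peer sends as its
# ID, not by the source address the packets arrive from, so the private
# ID / public IP mismatch through NAT no longer matters:
#   peer-b.example.net   <long-random-secret>

remote anonymous {
        # IKEv1 with PSK: main mode must select the key by source IP
        # before the ID is decrypted, which fails through NAT; aggressive
        # mode carries the ID in the first exchange, so the key can be
        # looked up by FQDN instead.
        exchange_mode aggressive;
        my_identifier fqdn "peer-a.example.net";
        peers_identifier fqdn "peer-b.example.net";
        verify_identifier on;       # reject a peer presenting any other ID
        nat_traversal on;           # ISAKMP on UDP/500, ESP-in-UDP on 4500
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Because aggressive mode sends the identity before the exchange is encrypted, the pre-shared key itself carries the whole authentication and should be a long random secret, not a passphrase.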

