tech-net archive


Re: IPsec NAT-T to IPsec NAT-T



On 19/11/2013 1:23 AM, Michael Richardson wrote:
> Darren Reed <darrenr%netbsd.org@localhost> wrote:
>     > This should work, shouldn't it?
> 
> At the data layer, yes, but you have a policy problem:
> 
>     > path pre_shared_key "/etc/ipsec-key.txt";
> 
> pre-shared indexed by IP addresses are really hard to make sense of through
> NAT.  Remember that each end is sending its ID as its private IP, but the
> packets come from the public IP.  Looks like a MITM attack, because it is.
> 
> Use RSA or use FQDNs to identify your machines, and your life will be much
> easier (on ikev1, you'll have to use aggressive mode)

Ok, so I've found this page that talks about RSA:
http://gradew.net/?page_id=212&lang=en

... but the problem here is that it is one-sided: one end is the server and
the other is the client. I want to do a symmetrical configuration where both
ends are peers and either end can bring up the tunnel.

I'll try FQDN...

> And, obviously, your NATs need to have port 500/4500 plugged through on at
> least one end.

That has been taken care of.

Darren
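One way to apply the FQDN advice above in racoon.conf, as an added example that is not part of the thread and not configuration either poster provided; the hostnames, key file path and algorithm choices are placeholders, and the tunnel SPD is assumed to be installed separately with setkey:

```conf
# Added example (not from the thread): one peer's racoon.conf for a symmetric
# IKEv1 tunnel through NAT, identifying peers by FQDN instead of IP address.
# Hostnames and the key file path are placeholders.
path pre_shared_key "/etc/ipsec-key.txt";

remote anonymous {
        # aggressive mode is required for FQDN + PSK on IKEv1 (see reply above)
        exchange_mode aggressive;
        # identify ourselves by name, not by our private, NATed address
        my_identifier fqdn "peer-a.example.net";
        peers_identifier fqdn "peer-b.example.net";
        # reject a peer whose ID payload does not match peers_identifier
        verify_identifier on;
        # UDP/4500 encapsulation; the NATs must forward 500/4500 as noted above
        nat_traversal on;
        # SPD entries are managed with setkey, not generated from the peer's proposal
        generate_policy off;
        proposal_check obey;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

With FQDN identifiers the matching /etc/ipsec-key.txt is keyed by the peer's name (a line of the form `peer-b.example.net <shared secret>`) rather than by an address, so the NAT's public IP never enters the lookup; peer-b uses the same file with the two identifiers swapped, and either side can initiate.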



