Subject: Re: Help with IPsec over NAT
To: Richard M Kreuter <kreuter@progn.net>
From: John R. Shannon <john@johnrshannon.com>
List: netbsd-help
Date: 04/20/2005 11:13:42

Briefly, yes. I use IPSEC to connect home from hotels using NAT regularly on
business trips. Often, I must go through more than one layer of NAT.

On Wednesday 20 April 2005 10:52 am, you wrote:
> Howdy NetBSD people,
>
> My home box serves a number of functions for me (IMAP, SMTP, file
> service, etc.), and I'd like to be able to reach these services from
> my laptop while I'm on the road.  Configuring firewall holes, access
> controls and encryption for each service individually looks to be an
> unscalable mess, and so I think I'd like to try encrypting all traffic
> between my laptop and my home box's public IP address with IPsec while
> I'm away from home.  I think I understand the basics of how IPsec is
> to be set up (at least I think I understand the contents of the NetBSD
> IPsec FAQ).  My problem is that normally my laptop is behind a NAT
> layer that I have no control over while I'm away from home, and so I
> believe I need to use some kind of IP-over-IP tunnelling between the
> laptop and the home box.  So my questions are these:
>
> (1) Can typical NAT devices pass the encapsulating packets through?

Yes.

> (2) If so, how does one set up a tunnel between a box on some private
>     address space (e.g., 192.168.x.x), through the NAT device to some
>     address in the public IP space, without touching the NAT box's
>     routing?  I can't tell the differences, for example, between gif
>     and gre, but I also can't figure out how to set up a tunnel
>     through a NAT device with either of them.

gif works well. If it's still there, FreeBSD has a HOWTO on setting this up.

> (3) If I'm wrong about needing some kind of IP-over-IP tunnelling, is
>     there some way to use IPsec through NAT with ipv4?

I actually use NAT-T (running OpenBSD on a Soekris box/IPSEC gateway).

-- 
John R. Shannon, CISSP
Sr. Software Scientist
Science Applications International Corporation
john.r.shannon@saic.com
john.r.shannon@us.army.mil
john@johnrshannon.com
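Added example, not from the thread or any of its participants: the two routes John names (a gif(4) tunnel through the NAT, and NAT-T with no gif at all), rendered as the NetBSD ifconfig(8)/setkey(8)/racoon.conf(5) pieces. Every address is a constructed placeholder; DRYRUN=1 (the default) prints the ifconfig commands instead of executing them, so the script can be read and checked without root. The point worth seeing is in gif_home: the home box's remote endpoint is the NAT's public address, not the laptop's 192.168.x.x address, which is exactly what plain gif makes you pin down by hand and what NAT-T negotiates for you.

```shell
#!/bin/sh
# Added example (not code from the original thread). Constructed addresses;
# DRYRUN=1 echoes the ifconfig commands rather than running them.
LAPTOP_PRIV=192.168.1.10    # laptop's address behind the hotel NAT
NAT_PUB=203.0.113.5         # hotel NAT's public address, as seen from home
HOME_PUB=198.51.100.7       # home box's public address
TUN_LAPTOP=10.9.0.2         # inner (tunnel) endpoint addresses
TUN_HOME=10.9.0.1
DRYRUN=${DRYRUN:-1}

run() { if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Route A: gif(4) through the NAT. The laptop names its own private address as
# the local outer endpoint; the NAT rewrites that to NAT_PUB on the way out.
gif_laptop() {
  run ifconfig gif0 create
  run ifconfig gif0 tunnel "$LAPTOP_PRIV" "$HOME_PUB"
  run ifconfig gif0 inet "$TUN_LAPTOP" "$TUN_HOME" netmask 255.255.255.255
}

# Home side: the remote outer endpoint is the NAT's public address, because that
# is the source address on the encapsulated packets that actually arrive. The
# NAT box itself is untouched, but NAT_PUB must be known in advance and redone
# whenever the hotel (or the NAT layer) changes: the weak spot of plain gif.
gif_home() {
  run ifconfig gif0 create
  run ifconfig gif0 tunnel "$HOME_PUB" "$NAT_PUB"
  run ifconfig gif0 inet "$TUN_HOME" "$TUN_LAPTOP" netmask 255.255.255.255
}

# Route B: no gif; IPsec tunnel mode with NAT-T (ESP carried in UDP/4500),
# negotiated by racoon. Home-side racoon.conf fragment: passive + anonymous
# because the peer arrives from whatever NAT it sits behind, generate_policy so
# the SPD entry is created from the negotiated SA. Aggressive mode with a PSK
# keyed by the laptop's FQDN identifier is assumed here; certificates would do
# as well.
racoon_home_conf() {
  cat <<'EOF'
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous {
        exchange_mode aggressive;
        passive on;
        nat_traversal on;
        generate_policy on;
        proposal_check obey;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# Laptop-side SPD for route B (load with setkey -f). The tunnel endpoint is the
# laptop's private address; racoon's NAT-T handling copes with the rewrite.
spd_laptop() {
  cat <<EOF
spdadd $LAPTOP_PRIV $HOME_PUB any -P out ipsec esp/tunnel/$LAPTOP_PRIV-$HOME_PUB/require;
spdadd $HOME_PUB $LAPTOP_PRIV any -P in ipsec esp/tunnel/$HOME_PUB-$LAPTOP_PRIV/require;
EOF
}

# Usage: sh thisfile.sh show   (prints all four pieces; nothing is applied)
if [ "${1:-}" = show ]; then
  echo "# laptop gif";        gif_laptop
  echo "# home gif";          gif_home
  echo "# home racoon.conf";  racoon_home_conf
  echo "# laptop setkey SPD"; spd_laptop
fi
```

Run it with `show` to see both layouts side by side; only with DRYRUN=0, as root on the respective box, do the gif functions actually touch interfaces. The racoon and setkey fragments are printed for you to place in /etc/racoon/racoon.conf and feed to setkey yourself.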
