tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: IPsec NAT-T to IPsec NAT-T
Darren Reed <darrenr%netbsd.org@localhost> wrote:
> This should work, shouldn't it?
At the data layer, yes, but you have a policy problem:
> path pre_shared_key "/etc/ipsec-key.txt";
pre-shared indexed by IP addresses are really hard to make sense of through
NAT. Remember that each end is sending it's ID as it's private IP, but the
packets come from the public IP. Looks like a MITM attack, because it is.
Use RSA or use FQDNs to identify your machines, and your life will be much
easier (on ikev1, you'll have to use aggressive mode)
And, obviously, your NAT's need to have port 500/4500 plugged through on at
least one end.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr%sandelman.ca@localhost http://www.sandelman.ca/ | ruby on
rails [
Home |
Main Index |
Thread Index |
Old Index