tech-net archive


Re: IPsec NAT-T to IPsec NAT-T



Darren Reed <darrenr%netbsd.org@localhost> wrote:
    > This should work, shouldn't it?

At the data layer, yes, but you have a policy problem:

    > path pre_shared_key "/etc/ipsec-key.txt";

pre-shared keys indexed by IP addresses are really hard to make sense of through
NAT.  Remember that each end is sending its ID as its private IP, but the
packets come from the public IP.  Looks like a MITM attack, because it is.

Use RSA or use FQDNs to identify your machines, and your life will be much
easier (on ikev1, you'll have to use aggressive mode)

And, obviously, your NATs need to have port 500/4500 plugged through on at
least one end.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr%sandelman.ca@localhost  http://www.sandelman.ca/        |   ruby on rails    [
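The identity problem described above, shown as a racoon(8) configuration pair. This is an added illustration, not a configuration from the thread or from the NetBSD project: the hostnames host-a.example.com / host-b.example.com, the 10.0.0.2 private address, the key file path and the key material are all assumed placeholders. The first fragment is the address-identified PSK setup that breaks behind NAT (the responder looks up the key by the source address of the packet, which is the NAT's public IP, while the peer's ID payload carries its private IP); the second is the FQDN-identified, aggressive-mode form the reply recommends.

```conf
# --- Weak form: pre-shared key indexed by IP address (breaks through NAT) ---
# The key file is keyed on the peer's address. Behind NAT the packet arrives
# from the public IP, but the peer identifies itself as 10.0.0.2 (assumed
# private address), so the lookup and the ID payload disagree.
path pre_shared_key "/etc/ipsec-key.txt";   # assumed path; file line: "10.0.0.2 <secret>"

remote anonymous {
        exchange_mode main;
        my_identifier address;              # default: ID = our own (private) IP
        nat_traversal on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# --- Corrected form: FQDN identifiers, aggressive mode ---
# In IKEv1 main mode the responder must select the PSK before it can read the
# initiator's ID payload, so only the source address is available; aggressive
# mode sends the ID in the clear in the first exchange, which is why FQDN
# identities with PSK require it.
path pre_shared_key "/etc/ipsec-key.txt";   # assumed path; file line: "host-b.example.com <secret>"

remote anonymous {
        exchange_mode aggressive;
        my_identifier fqdn "host-a.example.com";      # assumed hostname
        peers_identifier fqdn "host-b.example.com";   # assumed hostname
        verify_identifier on;               # reject a peer whose ID payload does not match
        nat_traversal on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

The key file entries must use the same identifier string as `peers_identifier` on the other side; `verify_identifier on` is what turns the FQDN from a lookup hint into an actual check, so a peer that presents a different ID is refused rather than silently matched on address. Moving to RSA (certificates, `authentication_method rsasig`) removes the PSK lookup problem altogether and also works in main mode.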


