[VPN] ipsec and nat

Siddhartha Jain losttoy2000 at yahoo.co.uk
Mon Sep 1 12:49:16 EDT 2003


Check for NAT support in FreeSWAN. IPSec usually does not work from behind a NAT because NAT fudges the packet headers while IPSec checks the packet headers for integrity. But IPSec product vendors support IPSec over NAT using TCP/UDP to carry IPSec traffic.

You could also look for an out of the box solution like a low-end PIX, Sonicwall or some other IPSec appliance. I am sure it would work out cheaper than the cost of the Linux server on which you plan to run FreeSWAN unless you are using some old PC (which IMHO is fine for FreeSWAN use) for that.

From the FreeSWAN FAQ:
Does FreeS/WAN support NAT traversal?
Vanilla FreeS/WAN does not, but thanks to Mathieu Lafon and Arkoon Network Security, there's a patch to support this.

  - patch and documentation
  - Super FreeS/WAN incorporates this and other user-contributed patches.
The NAT traversal patch has some issues with PSKs, so you may wish to authenticate with RSA keys, or X.509 (requires a patch which is also included in Super FreeS/WAN). Doing the latter also has advantages when dealing with large numbers of clients who may be behind NAT; instead of having to make an individual Roadwarrior connection for each virtual IP, you can use the "rightsubnetwithin" parameter to specify a range. See these rightsubnetwithin instructions.

HTH,

Siddhartha - Muscat 23.36N 58.38E

  ----- Original Message ----- 
  From: freeswan 
  To: vpn at lists.shmoo.com 
  Sent: Friday, August 29, 2003 11:05 PM
  Subject: [VPN] ipsec and nat


  Hi everyone!

  I have a little problem that I would need some help with.

  I want to be able to set up the following.

  At the office in London we want to install a Super FreeS/WAN VPN gateway.

  Users at the office in Stockholm want access to London via the VPN gateway.

  In Stockholm we don't have a VPN gateway, and we don't want one.

  We have a NATted network with 3 client computers. Those 3 are running Windows XP and are going to have certificates installed issued by the London VPN gateway.

  We want to be able to have all three clients simultaneously connected to London.

  And this is the part I'm not sure how to set up.

  So does anybody know how to connect these computers?

  Help is appreciated.

  Regards,

  Daniel
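As an added worked example (not part of either message above, and not FreeS/WAN code), the following Python models the two points in the reply: why an integrity check that covers the IP header fails the moment a NAT rewrites an address, and how NAT traversal sidesteps that by carrying IKE and ESP inside UDP. The AH construction follows RFC 4302 (mutable header fields zeroed before the ICV is computed; HMAC-SHA1-96 per RFC 2404), and the UDP/4500 framing follows RFC 3948, which standardised the UDP-encapsulation drafts that NAT-T patches of that era targeted. The key, addresses (RFC 5737 documentation ranges), SPI and payload are constructed sample data, not captured traffic.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

# Constructed sample data: documentation-range addresses and a dummy key.
KEY = b"constructed-sample-key-not-for-use"
INNER_SRC, GATEWAY, NAT_PUBLIC = "192.0.2.10", "198.51.100.1", "203.0.113.5"
SPI, SEQ = 0x1000A5A5, 1
PAYLOAD = b"hello from behind the NAT"
ICV_LEN = 12                 # HMAC-SHA1-96: ICV truncated to 96 bits (RFC 2404)
PROTO_AH, PROTO_UDP = 51, 17


def ip_checksum(hdr):
    """One's-complement checksum over a header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _fix_checksum(b):
    """Recompute the IPv4 header checksum in place (what routers and NATs do)."""
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ip_checksum(bytes(b[:20])))
    return bytes(b)


def ipv4_header(src, dst, proto, total_len, ttl=64):
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                                proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed))
    return _fix_checksum(hdr)


def zero_mutable_fields(ip_hdr):
    """RFC 4302 3.3.3.1: TOS, flags/fragment offset, TTL and checksum are mutable
    in transit and zeroed for the ICV; source and destination addresses are covered."""
    b = bytearray(ip_hdr)
    b[1] = 0                  # TOS
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)


def ah_header(next_hdr, spi, seq, icv):
    payload_len = (12 + len(icv)) // 4 - 2      # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def ah_icv(key, ip_hdr, next_hdr, spi, seq, payload):
    ah_zero_icv = ah_header(next_hdr, spi, seq, b"\x00" * ICV_LEN)
    mac = hmac.new(key, zero_mutable_fields(ip_hdr) + ah_zero_icv + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, spi, seq, payload, next_hdr=PROTO_UDP):
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + 12 + ICV_LEN + len(payload))
    icv = ah_icv(key, ip_hdr, next_hdr, spi, seq, payload)
    return ip_hdr + ah_header(next_hdr, spi, seq, icv) + payload


def verify_ah_packet(key, pkt):
    ip_hdr, rest = pkt[:20], pkt[20:]
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (payload_len + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, next_hdr, spi, seq, payload))


def nat_rewrite_source(pkt, new_src):
    """A NAT swaps the source address and fixes the IP checksum; it cannot fix the ICV."""
    b = bytearray(pkt)
    b[12:16] = IPv4Address(new_src).packed
    return _fix_checksum(b)


def router_decrement_ttl(pkt):
    """An ordinary hop only changes mutable fields, which AH tolerates."""
    b = bytearray(pkt)
    b[8] -= 1
    return _fix_checksum(b)


# NAT traversal framing on UDP/4500 (RFC 3948): ESP is sent as-is (its first four
# bytes are a non-zero SPI); IKE on the same port is prefixed with a four-byte zero
# "non-ESP marker"; a lone 0xFF byte is the NAT keepalive.
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def udp_encap(inner, is_ike):
    return (NON_ESP_MARKER if is_ike else b"") + inner


def udp_decap(data):
    if data == NAT_KEEPALIVE:
        return "KEEPALIVE", b""
    if data[:4] == NON_ESP_MARKER:
        return "IKE", data[4:]
    return "ESP", data


def demo():
    pkt = build_ah_packet(KEY, INNER_SRC, GATEWAY, SPI, SEQ, PAYLOAD)
    esp_sample = struct.pack("!II", SPI, SEQ) + b"\xaa" * 16   # constructed ESP-like body
    return {
        "direct": verify_ah_packet(KEY, pkt),                                   # True
        "via_router": verify_ah_packet(KEY, router_decrement_ttl(pkt)),         # True
        "via_nat": verify_ah_packet(KEY, nat_rewrite_source(pkt, NAT_PUBLIC)),  # False
        "demux": [udp_decap(udp_encap(b"\x12" * 28, True))[0],
                  udp_decap(udp_encap(esp_sample, False))[0],
                  udp_decap(NAT_KEEPALIVE)[0]],                 # IKE, ESP, KEEPALIVE
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The TTL case passes and the NAT case fails for the same reason: AH zeroes only the fields a router is expected to change, and the source address is not one of them. Tunnel-mode ESP does not cover the outer header, so address rewriting alone does not break its ICV, but a port-translating NAT still has no UDP/TCP ports to map on raw ESP and cannot distinguish several clients behind it; wrapping IKE and ESP in UDP/4500 gives the NAT ordinary UDP flows to track, which is what lets the three Stockholm clients in the question hold simultaneous tunnels through one NAT.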


