On Wed, 20 Nov 2002, at 6:29am, [EMAIL PROTECTED] wrote:
>> NAT and IPsec don't get along in three major ways:
>
> better make that four ... there is one case involving pre-shared keys and
> nat'd connections that may be relevant here.
Oh, yeah, I forgot all about Pre-Shared Keys. (I avoid PSKs for anything but fixed network-to-network configurations, so I didn't even consider what would happen to them.)

For those who are wondering: In IPsec automatic keying with IKE (Internet Key Exchange), each peer has to have an identity. With X.509 certificates, the ID is almost always the DN (Distinguished Name) of the certificate of that peer. When using Pre-Shared Keys for authentication, though, the most popular choice of ID is the peer's own IP address. Obviously, NAT is going to mess with that. I've never tried it, but I imagine PSKs would still work with NAT if you used aggressive mode and (e.g.) an FQDN ID. Anyone know?

> there could be some other issues involving ike-through-nat as well ...

Oh, there are. This is all in theory. Everything works in theory. In practice, NAT tends to screw up everything. :-) Just today, I was troubleshooting an IPsec-through-NAT configuration that appears to be causing the FreeS/WAN node at the other end to think the NAT'ed node is another network, instead of a single node. I haven't had a chance to figure that one out yet.

> fyi, unless i am mistaken while there may be some implementations that
> claim 'nat-t' support i do not believe this is yet a standard, i think it
> is still in draft status.

Yes, it is still a draft, but it enjoys good industry support, and is fast approaching "de facto standard" status.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization. All information is provided without warranty of any kind.   |

_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
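Editor's note, with an added example that is not part of the thread above or of any FreeS/WAN code. The reason IP-address identities and PSKs fail behind NAT is mechanical: in IKEv1 main mode the responder must already hold the pre-shared key to derive SKEYID before it can decrypt message 5, which is where the initiator's ID payload arrives, so the only "identity" it can key the PSK lookup on is the packet's source address, and behind NAT that is the NAT box, not the peer. In aggressive mode the ID payload travels in the clear in message 1, so an FQDN identity can select the PSK regardless of the source address. The script below models exactly that selection step (plus the RFC 2407 Identification payload encoding, so the IDs are real wire bytes); the addresses, hostnames, key table and the `psk_table` / `select_psk_*` helpers are all constructed for the demonstration, and no cryptography is performed.

```python
"""Constructed model (not from the original thread, not FreeS/WAN code) of
why IKEv1 pre-shared-key authentication keyed on an IP identity breaks
behind NAT, and why aggressive mode with an FQDN identity does not.

Only the ISAKMP Identification payload (RFC 2409 generic header plus the
RFC 2407 sec. 4.6.2 body) and the responder's PSK-selection step are
modelled; no real IKE crypto is involved.
"""
import ipaddress
import struct

# IPsec DOI identification types (RFC 2407 sec. 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3

NEXT_PAYLOAD_NONE = 0


def encode_id_payload(id_type: int, data: bytes, next_payload: int = NEXT_PAYLOAD_NONE) -> bytes:
    """Generic header (next payload, reserved, length) followed by
    ID type, protocol ID, port, and the identification data."""
    body = struct.pack("!BBH", id_type, 0, 0) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def decode_id_payload(buf: bytes):
    """Parse an Identification payload into (id_type, identity string)."""
    if len(buf) < 8:
        raise ValueError("short ID payload")
    _next, _resv, length = struct.unpack("!BBH", buf[:4])
    if length != len(buf):
        raise ValueError("length field %d does not match %d bytes" % (length, len(buf)))
    id_type, _proto, _port = struct.unpack("!BBH", buf[4:8])
    data = buf[8:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 bytes of data")
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type in (ID_FQDN, ID_USER_FQDN):
        return id_type, data.decode("ascii")
    raise ValueError("unsupported ID type %d" % id_type)


def ipv4_id(addr: str) -> bytes:
    return encode_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address(addr).packed)


def fqdn_id(name: str) -> bytes:
    return encode_id_payload(ID_FQDN, name.encode("ascii"))


def select_psk_main_mode(psk_table: dict, packet_src_ip: str):
    """Main mode: SKEYID (and so the PSK) is needed to decrypt message 5,
    where the initiator's ID arrives.  At that point the responder knows
    nothing about the peer except the UDP source address."""
    return psk_table.get(("ip", packet_src_ip))


def select_psk_aggressive_mode(psk_table: dict, id_payload: bytes, packet_src_ip: str):
    """Aggressive mode: message 1 carries the ID in the clear, so the PSK can
    be selected by it.  An IP identity is still required to match the packet
    source, as a strict responder would insist."""
    id_type, ident = decode_id_payload(id_payload)
    if id_type == ID_IPV4_ADDR:
        if ident != packet_src_ip:
            return None  # ID claims the inside address, packet came from the NAT box
        return psk_table.get(("ip", ident))
    return psk_table.get(("fqdn", ident))


def demo():
    """Constructed scenario: a host at 10.0.0.5 behind a NAT box whose public
    address is 203.0.113.1 (RFC 1918 / RFC 5737 example addresses)."""
    inner_ip, nat_ip = "10.0.0.5", "203.0.113.1"
    psk_table = {  # hypothetical responder key table
        ("ip", inner_ip): b"psk-for-10.0.0.5",
        ("fqdn", "laptop.example.net"): b"psk-for-laptop",
    }
    return {
        "main_mode_no_nat": select_psk_main_mode(psk_table, inner_ip),
        "main_mode_nat": select_psk_main_mode(psk_table, nat_ip),
        "aggr_ip_id_nat": select_psk_aggressive_mode(psk_table, ipv4_id(inner_ip), nat_ip),
        "aggr_fqdn_id_nat": select_psk_aggressive_mode(psk_table, fqdn_id("laptop.example.net"), nat_ip),
    }


if __name__ == "__main__":
    for case, psk in demo().items():
        print("%-18s -> %s" % (case, "no PSK found" if psk is None else psk.decode()))
```

Two of the four cases fail: main mode through NAT (the responder looks up 203.0.113.1, which has no key) and aggressive mode with an IP identity (the cleartext ID says 10.0.0.5 but the packet came from 203.0.113.1). Only aggressive mode with an FQDN identity selects the right key. The corollary worth remembering is that the main-mode workaround of keying the PSK on the NAT box's public address forces every host behind that NAT to share one key, which is why certificates are the cleaner answer for road warriors.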