On Wed, 2002-11-20 at 20:58, [EMAIL PROTECTED] wrote:

>   For those who are wondering: In IPsec automatic keying with IKE (Internet
> Key Exchange), each peer has to have an identity.  With X.509 certificates,
> the ID is almost always the DN (Distinguished Name) of the certificate of
> that peer.  When using Pre-Shared Keys for authentication, though, the most
> popular choice of ID is the peer's own IP address.  Obviously, NAT is going
> to mess with that.
> 
>   I've never tried it, but I imagine PSKs would still work with NAT if you
> used aggressive mode and (e.g.) an FQDN ID.  Anyone know?

I believe that (again, in theory), aggressive mode used in conjunction
with opportunistic encryption fixes the PSK through NAT problems.
However, I have to say that I have done IPSec through NAT using PSKs
and it works fine. IKE isn't the real trouble spot, usually. The real
trouble is AH. If you're using ESP, then things should be fine
(depending on the NAT implementation). If you're using AH, you're dead
in the water. In the AH spec, it clearly states that it cannot be NAT'd
due to the nature of header munging.
 
> > there could be some other issues involving ike-through-nat as well ...
> 
>   Oh, there are.  This is all in theory.  Everything works in theory.  In
> practice, NAT tends to screw up everything.  :-)  Just today, I was
> trouble-shooting an IPsec-through-NAT configuration that appears to be
> causing the FreeS/WAN node at the other end to think the NAT'ed node is
> another network, instead of a single node.  I haven't had a chance to figure
> that one out yet.

Someone forgot to comment out the "right/leftsubnet" maybe? 

C-Ya,
Kenny
-- 
----------------------------------------------------------------------------
"Tact is just *not* saying true stuff" -- Cordelia Chase

Kenneth E. Lussier
Sr. Systems Administrator
Zuken, USA
PGP KeyID CB254DD0 
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB254DD0


_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
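The AH-versus-ESP point above comes down to what each protocol's integrity check value (ICV) covers. AH (RFC 4302) computes its ICV over the outer IP header with only the fields the RFC calls mutable (DSCP/ECN, flags, fragment offset, TTL, checksum) zeroed, so the source and destination addresses are protected and a NAT that rewrites them breaks verification; ESP's ICV covers only the ESP header, payload and trailer, so the outer header can change freely. The Python below is an added illustration, not code from the thread or from FreeS/WAN: it models both ICVs with HMAC-SHA-256-128 (RFC 4868) over constructed addresses, a constructed key and a constructed payload, then passes the packet through a plain router hop and through a source-NAT hop and checks which ICVs still verify.

```python
import hashlib
import hmac
import struct

# Constructed shared key for the security association (demo value only)
SA_KEY = b"constructed-demo-sa-key"


def ip4(addr: str) -> bytes:
    """Dotted-quad string -> 4 raw bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def ip_checksum(hdr: bytes) -> int:
    """Ones'-complement IPv4 header checksum; returns 0 for a header whose checksum field is already correct."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a correct checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                         ttl, protocol, 0, ip4(src), ip4(dst))
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def ah_immutable_view(hdr: bytes) -> bytes:
    """Zero the fields RFC 4302 treats as mutable: DSCP/ECN, flags+fragment offset, TTL, checksum.
    Source and destination addresses are left in place, so the ICV covers them."""
    h = bytearray(hdr)
    h[1] = 0
    h[6] = h[7] = 0
    h[8] = 0
    h[10] = h[11] = 0
    return bytes(h)


def icv(data: bytes) -> bytes:
    """HMAC-SHA-256-128: HMAC-SHA256 truncated to 128 bits (RFC 4868)."""
    return hmac.new(SA_KEY, data, hashlib.sha256).digest()[:16]


def ah_build(hdr: bytes, spi: int, seq: int, payload: bytes):
    """AH transport mode: next header 17 (UDP), payload len 5 = (12 + 16 bytes of AH) / 4 - 2.
    The ICV covers the immutable view of the IP header, the AH header with the ICV zeroed, and the payload."""
    ah_fixed = struct.pack("!BBHII", 17, 5, 0, spi, seq)
    return ah_fixed, icv(ah_immutable_view(hdr) + ah_fixed + b"\x00" * 16 + payload)


def ah_verify(hdr: bytes, ah_fixed: bytes, icv_val: bytes, payload: bytes) -> bool:
    expected = icv(ah_immutable_view(hdr) + ah_fixed + b"\x00" * 16 + payload)
    return hmac.compare_digest(expected, icv_val)


def esp_build(spi: int, seq: int, ciphertext: bytes):
    """ESP's ICV covers SPI, sequence number, ciphertext and trailer only; the outer IP header is excluded."""
    esp_body = struct.pack("!II", spi, seq) + ciphertext
    return esp_body, icv(esp_body)


def esp_verify(esp_body: bytes, icv_val: bytes) -> bool:
    return hmac.compare_digest(icv(esp_body), icv_val)


def route_hop(hdr: bytes) -> bytes:
    """A plain router: decrement TTL and fix the checksum."""
    h = bytearray(hdr)
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def nat_hop(hdr: bytes, public_src: str) -> bytes:
    """A source NAT: route_hop plus rewriting the source address and recomputing the checksum."""
    h = bytearray(route_hop(hdr))
    h[12:16] = ip4(public_src)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def simulate() -> dict:
    # Constructed addresses from the RFC 5737 documentation ranges (10.0.0.5 is the private side)
    private_src, public_src, peer = "10.0.0.5", "203.0.113.9", "198.51.100.7"
    payload = b"constructed inner datagram"
    spi, seq = 0x1000, 1

    ah_hdr = ipv4_header(private_src, peer, 51, 28 + len(payload))  # protocol 51 = AH
    ah_fixed, ah_icv = ah_build(ah_hdr, spi, seq, payload)

    ciphertext = b"constructed-ciphertext-and-trailer"  # stands in for the encrypted payload
    esp_body, esp_icv = esp_build(spi, seq, ciphertext)
    esp_hdr = ipv4_header(private_src, peer, 50, len(esp_body) + 16)  # protocol 50 = ESP

    return {
        "ah_through_router": ah_verify(route_hop(ah_hdr), ah_fixed, ah_icv, payload),
        "ah_through_nat": ah_verify(nat_hop(ah_hdr, public_src), ah_fixed, ah_icv, payload),
        "esp_through_nat": esp_verify(esp_body, esp_icv)
        and nat_hop(esp_hdr, public_src)[12:16] == ip4(public_src),
    }


if __name__ == "__main__":
    print(simulate())
```

The router hop leaves the AH ICV valid because TTL and checksum are zeroed before hashing, while the NAT hop breaks it the moment the source address changes; the ESP ICV never looks at the outer header, so it survives both. ESP still depends on the NAT being able to map IP protocol 50 without port numbers, which is the "depending on the NAT implementation" caveat; UDP encapsulation of ESP (NAT-T, RFC 3948) was later standardised to give the NAT ports to work with.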
