Re: [Shorewall-users] DNAT and UDP

2017-12-29 Thread Tuomo Soini
> Am I understanding correctly that Libreswan does -not- do NAT-T
> properly? If so, is there some way to mitigate this?

Libreswan does nat-t just fine.

--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy

Re: [Shorewall-users] DNAT and UDP

2017-12-28 Thread Colony.three via Shorewall-users
> As one of the Libreswan authors I'd note it's "Libreswan" - no capital
> letters in the middle of the name, please.
>
> When suggesting manual keying, please note it is horribly insecure and should
> not be used:
>
> https://tools.ietf.org/html/rfc8221#section-3
>
> Tuomo Soini t...@foobar.fi

Re: [Shorewall-users] DNAT and UDP

2017-12-28 Thread Tuomo Soini
On Wed, 13 Dec 2017 12:44:55 -0500 Bill Shirley wrote:
> I don't see that SSH tunneling or running IPSEC in a VM as a security
> gain.  It would be very complex with multiple points of failure.  If
> you don't trust the traffic from the other endpoint,

Re: [Shorewall-users] DNAT and UDP

2017-12-13 Thread cacook
On 12/13/2017 09:44 AM, Bill Shirley wrote:
> I don't see that SSH tunneling or running IPSEC in a VM as a security
> gain.  It
> would be very complex with multiple points of failure.  If you don't
> trust the traffic
> from the other endpoint, filter it with Shorewall after it's
> decrypted.

Re: [Shorewall-users] DNAT and UDP

2017-12-13 Thread cacook
On 12/13/2017 08:55 AM, Tom Eastep wrote:
> On 12/13/2017 08:47 AM, cac...@quantum-sci.com wrote:
>> On 12/12/2017 03:22 PM, cac...@quantum-sci.com wrote:
>>> I'm setting up IPSec (LibreSwan) to come into my router. (a CentOS VM)
>>>
>>> At 127.0.0.1 in the router are ports 500 and 4500 (which

Re: [Shorewall-users] DNAT and UDP

2017-12-13 Thread Tom Eastep
On 12/13/2017 08:47 AM, cac...@quantum-sci.com wrote:
> On 12/12/2017 03:22 PM, cac...@quantum-sci.com wrote:
>>
>> I'm setting up IPSec (LibreSwan) to come into my router. (a CentOS VM)
>>
>> At 127.0.0.1 in the router are ports 500 and 4500 (which are reverse
>> SSH tunneled from another

Re: [Shorewall-users] DNAT and UDP

2017-12-13 Thread cacook
On 12/12/2017 03:22 PM, cac...@quantum-sci.com wrote:
>
> I'm setting up IPSec (LibreSwan) to come into my router. (a CentOS VM)
>
> At 127.0.0.1 in the router are ports 500 and 4500 (which are reverse
> SSH tunneled from another machine).
>
> Rather than flanging those ports directly to the

[Shorewall-users] DNAT and UDP

2017-12-12 Thread cacook
I'm setting up IPSec (LibreSwan) to come into my router. (a CentOS VM) At 127.0.0.1 in the router are ports 500 and 4500 (which are reverse SSH tunneled from another machine). Rather than flanging those ports directly to the outside interface in the router, I'm hoping for a little added