On Tuesday 05 August 2003 15:01, Ollie Gallardo wrote:
> Hello,
> I was wondering if someone could point me to some documentation that
> clearly describes the setup for the following scenario or a very similar
> scenario.
>
> SoftRemote roadwarrior->NAT->Internet->FreeS/WAN gateway->Private Subnet
>
> The key for me here is that the road warrior is not linux and it's behind a
> NAT router. I would like to have a FreeS/WAN gateway that will allow
> connections from any roadwarrior (with the proper credentials) behind any
> NAT router or firewall that is allowing IPSec Passthrough. I've gone
> through hours of searching and haven't found anything that clearly explains
> it or gives me a 1 2 3... on how to do it. Any help would be appreciated.
Do you know what NAT-Traversal is? If not, here's a brief overview of the technology involved.

http://www.infoworld.com/article/02/02/15/020218nenat_1.html

So long as both IPsec devices are NAT-Traversal capable, they can bypass NAT without too much fuss. (They've also got to support the same drafts of *how* to do NAT-T...)

Mathieu Lafon has provided a NAT-Traversal patch for FreeS/WAN. This is included in SuperFreeS/WAN.

http://open-source.arkoon.net
http://www.freeswan.ca

The only catch is that your roadwarriors have to have NAT-Traversal capable clients. Microsoft recently made a NAT-T patch available for the native Win2k/WinXP IPsec clients.

http://support.microsoft.com/?kbid=818043

Okay, but let's say that you can't rely on NAT-Traversal for your roadwarriors, but you've got IPsec passthrough enabled on the various NATting routers. This is still possible.

http://lists.freeswan.org/pipermail/users/2002-August/013710.html
http://jixen.tripod.com

Simply speaking, the key is that the RW clients don't know their own public IP address; they've got a non-routable address, and will try to negotiate a tunnel using that private address. Basically, you've got to define roadwarrior connections that allow for that IP address being "behind" the roadwarrior, e.g.:

    conn roadwarrior
        ...
        right=%any
        rightsubnet=192.168.0.50/32    # Frank's IP address behind his NAT box

A pain, huh? You'd have to define individual connections for all your roadwarriors' private IP addresses, which can easily change. There's a way around this: you can use the "rightsubnetwithin" parameter provided by X.509-patched FreeS/WAN.

http://www.strongsec.com/freeswan/install.htm#section_4.4

    conn roadwarrior
        ...
        right=%any
        rightsubnetwithin=192.168.0.0/16

would allow your roadwarriors to connect when they have any non-routable IP address in the 192.168 class B.
As an aside, NAT-Traversal allows you to define "virtual_private" in config setup; you can define all the non-routable networks there in a single line:

http://lists.freeswan.org/pipermail/users/2003-March/019234.html
http://open-source.arkoon.net/freeswan/README.NAT-Traversal.0.6

This should allow you to define all the non-routable network ranges allowed conveniently. (I believe this should work with non-NAT-Traversal capable clients as well.)

-- 
Sam Sgro
[EMAIL PROTECTED]

_______________________________________________
FreeS/WAN Users mailing list
[EMAIL PROTECTED]
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
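The following gateway-side ipsec.conf puts the pieces of the reply above together in one place. It is an added illustration, not a file from this thread or from the FreeS/WAN, SuperFreeS/WAN or X.509-patch documentation. It assumes a SuperFreeS/WAN build (NAT-T plus X.509 patches), a gateway whose public interface is on the default route, a protected subnet of 10.1.0.0/24, a certificate file named gatewayCert.pem and a CA DN of "C=US, O=Example, CN=Example CA"; all of those values are made up for the example.

```conf
# /etc/ipsec.conf on the FreeS/WAN gateway (assumed example, not from the thread)
# On a 2.x-based tree add "version 2.0" as the first line.

config setup
    interfaces=%defaultroute
    # Mathieu Lafon's NAT-T patch: negotiate UDP encapsulation with clients that
    # support it (e.g. Win2k/XP with the KB818043 patch).
    nat_traversal=yes
    # Private ranges a roadwarrior may present as its inner address, in one line.
    # The gateway's own protected subnet (10.1.0.0/24, assumed) is excluded with
    # %v4:! so that no client can claim an address overlapping what we protect.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.1.0.0/24

conn %default
    keyingtries=1
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    rightca="C=US, O=Example, CN=Example CA"   # assumed CA: only our own certs are accepted

# Roadwarriors without NAT-T, relying on IPsec passthrough at their NAT box.
# rightsubnetwithin (X.509 patch) replaces one conn per client such as
#     rightsubnet=192.168.0.50/32
conn rw-passthrough
    left=%defaultroute
    leftsubnet=10.1.0.0/24           # assumed private subnet behind the gateway
    leftcert=gatewayCert.pem         # assumed file in /etc/ipsec.d/certs
    right=%any
    rightsubnetwithin=192.168.0.0/16 # any 192.168.x.y the client thinks it has
    auto=add

# NAT-T capable roadwarriors: %priv means "any address allowed by
# virtual_private", %no means "the client is not behind NAT at all".
conn rw-natt
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    leftcert=gatewayCert.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
```

Two points worth keeping in mind when adapting this. First, rightsubnetwithin=192.168.0.0/16 lets any authenticated client route for any address in that /16, so it only makes sense together with certificate authentication restricted to your own CA (the rightca line); with a weaker peer identity check, one roadwarrior could present another one's private address. Second, the %v4:! exclusion in virtual_private is what stops a client from negotiating an inner address inside the gateway's own protected subnet, which would otherwise create an eroute that shadows a real host behind the gateway.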
