
IPsec passthrough



I recently switched from a RH Linux box (kernel 2.4.3-12) using iptables to
NAT and firewall our internal network and connect to the Internet. I switched
to OpenBSD 2.9 using ipf and ipnat, and got it all functioning and happy using
the FAQs, but now I must turn to the lists for something I couldn't find
covered in them.

From a client on my internal net, I previously (through the RH box) could
establish an IPsec tunnel to an external IPsec gateway (a Nortel Contivity),
even though NAT is supposed to break IPsec (or the AH portion of it, anyway).
I could only do this from one machine at a time, and I've heard it referred
to as IPsec passthru, where for one particular NATed host the gateway
machine will pass the packets through with certain UDP headers unmodified
(or some such nonsense), so that the packets aren't dropped at the secure
gateway (which NATed packets usually are, since they've been mangled). Some
small SOHO dual-Ethernet routers also support this
(http://www.netgear.com/categories.asp?xrp=4&yrp=12 and
http://www.linksys.com/products/group.asp?grid=5).

Is there any way to introduce this feature or make it work through the OpenBSD
box? I'd really rather not go back to RH. I realize AH causes NATed packets to
be dropped for a good reason (mangled packets of unverifiable origin), but
supporting passthru shouldn't be a security concern for those boxes through
which the packets are passing.
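The post's core observation, that NAT breaks AH but an ESP tunnel can survive a gateway that forwards it untouched, follows from what each protocol's integrity check covers. The following is an added example, not code from the poster or from OpenBSD/ipf: a toy model of the AH (RFC 2402) and ESP (RFC 2406) integrity checks using HMAC-SHA1-96 over a simplified IPv4 packet. The key, SPI, addresses and payload are all constructed for the demonstration; ESP is modelled with NULL encryption so the payload bytes stay readable. `nat_outbound` does only what a plain address-translating gateway does: rewrite the source address, decrement the TTL and fix the header checksum.

```python
"""Toy model of why NAT invalidates an AH ICV but not an ESP ICV (added example)."""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"   # constructed: stands in for the SA's authentication key
SPI = 0x00001234                # constructed SPI
PROTO_ESP, PROTO_AH = 50, 51
ICV_LEN = 12                    # HMAC-SHA1-96 truncates the tag to 96 bits


def hmac96(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header, no options; checksum field left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ah_mutable_zeroed(hdr: bytes) -> bytes:
    """RFC 2402: TOS, flags/fragment offset, TTL and checksum are mutable in
    transit and are zeroed before the ICV is computed. Addresses are NOT."""
    b = bytearray(hdr)
    b[1] = 0                    # TOS
    b[6:8] = b"\x00\x00"        # flags + fragment offset
    b[8] = 0                    # TTL
    b[10:12] = b"\x00\x00"      # header checksum
    return bytes(b)


def build_ah(src: str, dst: str, payload: bytes, seq: int = 1) -> bytes:
    hdr = ipv4_header(src, dst, PROTO_AH)
    # next header=17 (UDP), payload len=4 (24-byte AH in 32-bit words minus 2), reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", 17, 4, 0, SPI, seq)
    # ICV covers IP header (mutable fields zeroed) + AH header with ICV zeroed + payload
    icv = hmac96(ah_mutable_zeroed(hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return hdr + ah_fixed + icv + payload


def verify_ah(pkt: bytes) -> bool:
    hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = hmac96(ah_mutable_zeroed(hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(icv, expected)


def build_esp(src: str, dst: str, payload: bytes, seq: int = 1) -> bytes:
    hdr = ipv4_header(src, dst, PROTO_ESP)
    esp_hdr = struct.pack("!II", SPI, seq)
    # RFC 2406: ICV covers SPI, seq and the (here NULL-encrypted) payload; never the IP header
    icv = hmac96(esp_hdr + payload)
    return hdr + esp_hdr + payload + icv


def verify_esp(pkt: bytes) -> bool:
    esp_body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac96(esp_body))


def nat_outbound(pkt: bytes, public_src: str) -> bytes:
    """What a NAT gateway does on the way out: rewrite the source address,
    decrement TTL, recompute the IP checksum. AH/ESP carry no ports, so
    nothing after the IP header is touched."""
    b = bytearray(pkt)
    b[12:16] = ipaddress.IPv4Address(public_src).packed
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b[:20])))
    return bytes(b)


def demo() -> dict:
    """Constructed inside host 192.168.1.10, NAT public address 198.51.100.7,
    remote gateway 203.0.113.5; returns the verification outcome of each case."""
    payload = b"constructed application data"
    ah = build_ah("192.168.1.10", "203.0.113.5", payload)
    esp = build_esp("192.168.1.10", "203.0.113.5", payload)
    return {
        "ah_direct": verify_ah(ah),
        "ah_after_nat": verify_ah(nat_outbound(ah, "198.51.100.7")),
        "esp_direct": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_outbound(esp, "198.51.100.7")),
    }


if __name__ == "__main__":
    print(demo())
```

The TTL decrement and checksum rewrite alone would not have broken AH, since those fields are excluded from the ICV; it is the address rewrite that the remote gateway detects, which is exactly the "mangled packet of unverifiable origin" the post mentions. ESP's ICV never covers the outer IP header, so a gateway that simply forwards ESP and tracks the flow is enough for the tunnel to come up. Note also that ESP carries no port numbers, so a NAT has nothing but the SPI to map inbound ESP back to an inside host, which is one reason such passthrough features are typically limited to a single client at a time.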