
Re: NAT-T stability ?

On Friday 27 August 2004 04:56, Dave Harrison wrote:


> I need to be able to pass IPSec packets through my OpenBSD firewall to a
> FreeSWan box in my DMZ.  Since this would require NAT-T, and I
> understand that NAT-T is new to the src tree, I was wondering if anyone
> was using it and if they had had successes/problems with it?

Let me get this straighter than it already is: You use your OpenBSD box to act 
as a firewall and your Linux box as a VPN gateway? And now you'd like to use 
OpenBSD's NAT-T functionality to pass the VPN traffic to the Linux box?

NAT-T is encapsulation of IPsec packets within UDP (or TCP) packets. So your 
VPN gateways have to support this. All your firewall has to do is provide a 
good packet filter to NAT those packets from and to the VPN gateway and that 
is it. If memory serves right, then you just have to enable udp/500 and you're 
good to go.

Regards, Stephan

PGP key: http://www.tesch.cx/stephan.asc
Fingerprint: 9CF9 0D64 2957 B44D A0C8
             35FE 0382 AE49 DFAB 9CAF
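The UDP encapsulation the reply describes has a fixed framing that a firewall operator can inspect to see what is actually crossing the NAT. The following is an added example, not code from the thread: it classifies UDP payloads on the NAT-T port according to RFC 3948 (udp/4500, a 4-byte non-ESP marker in front of IKE, a single 0xFF byte for keepalives, otherwise ESP with its SPI and sequence number), details the message itself does not spell out. The sample payloads are constructed.

```python
import struct

# RFC 3948: IKE carried over udp/4500 is prefixed with four zero bytes so that
# the receiver can tell it apart from ESP, whose SPI is never 0.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER_LEN = 28  # ISPI(8) RSPI(8) next(1) ver(1) exch(1) flags(1) msgid(4) len(4)
ESP_HEADER_LEN = 8   # SPI(4) sequence number(4)

def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify one UDP payload received on udp/4500 (RFC 3948 framing)."""
    # A single 0xFF byte is a NAT keepalive that only refreshes the NAT mapping.
    if payload == b"\xff":
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "short IKE header"}
        ispi, rspi, _next, version, exch, _flags, msg_id, length = struct.unpack(
            "!QQBBBBII", ike[:IKE_HEADER_LEN])
        return {"kind": "ike", "initiator_spi": ispi, "responder_spi": rspi,
                "version": version, "exchange_type": exch,
                "message_id": msg_id, "length": length}
    if len(payload) < ESP_HEADER_LEN:
        return {"kind": "malformed", "reason": "short ESP header"}
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    # Everything after the ESP header is encrypted; the SPI/sequence pair is
    # all a filter or sensor can reason about without the SA keys.
    return {"kind": "esp", "spi": spi, "seq": seq}

def summarize(payloads: list) -> dict:
    """Count payload kinds over a captured stream, e.g. to spot a peer that only
    ever sends keepalives (mapping kept open but no SA established)."""
    counts: dict = {}
    for p in payloads:
        kind = classify_nat_t_payload(p)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed samples (not captured traffic): an IKEv2 IKE_SA_INIT header
# behind the non-ESP marker, an ESP packet with SPI 0xC0FFEE01, a keepalive.
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER_LEN)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16
SAMPLE_KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for sample in (SAMPLE_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP):
        print(classify_nat_t_payload(sample))
    print(summarize([SAMPLE_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP, SAMPLE_ESP]))
```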