 
 From:  Olivier Warin <daffy at xview dot net>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] m0n0wall, racoon and NAT Transversal
 Date:  Sat, 15 Oct 2005 01:03:20 +0200
I just want to underline a few things:
1) This patch will only work with the IPSEC FreeBSD implementation, not
FAST_IPSEC.
2) Thus this patch has some limitations which will be fixed in the near
future, by syncing NetBSD and FreeBSD kernel NAT-T support; this is
not exclusive.
3) You will have to use ipsec-tools with it; the racoon project by
itself is dead anyway.



> Wow.  Good find!   I will check this out and report back my findings.
>
> Scott
>
>
> On 10/13/05, Richard Adams <podilarius at yahoo dot com> wrote:
>
>> I found this in the ipsec-tools cvs. Apparently this will "patch" files so
>> that you can add nat-t kernel support for FreeBSD. I hope this helps.
>>
>> http://cvs.sourceforge.net/viewcvs.py/ipsec-tools/htdocs/freebsd_nat-t.diff?rev=1.4&sortby=date&view=log
>>
>> Scott Ullrich <sullrich at gmail dot com> wrote:
>> On 10/13/05, Richard Adams wrote:
>>
>>>
>>> I don't know if you guys did this by design, but I was searching for
>>> racoon and found that it can do NAT Traversal. This is a compile time
>>> option and can be found in the racoon.conf once it is compiled in.
>>> Here is the excerpt from the racoon.conf man page.
>>>
>>>
>>>     nat_traversal (on | off | force);
>>>         This directive enables use of the NAT-Traversal IPsec
>>>         extension (NAT-T). NAT-T allows one or both peers to
>>>         reside behind a NAT gateway (i.e., doing address- or
>>>         port-translation). Presence of NAT gateways along the
>>>         path is discovered during phase 1 handshake and if found,
>>>         NAT-T is negotiated. When NAT-T is in charge, all ESP
>>>         and AH packets of a given connection are encapsulated
>>>         into UDP datagrams (port 4500, by default). Possible
>>>         values are:
>>>
>>>         on     NAT-T is used when a NAT gateway is detected
>>>                between the peers.
>>>         off    NAT-T is not proposed/accepted. This is the
>>>                default.
>>>         force  NAT-T is used regardless if a NAT is detected
>>>                between the peers or not.
>>>
>>>         Please note that NAT-T support is a compile-time option.
>>>         Although it is enabled in the source distribution by
>>>         default, it may not be available in your particular
>>>         build. In that case you will get a warning when using
>>>         any NAT-T related config options.
>>>
>>> This is all that is missing for me to use m0n0wall. It is a REALLY cool
>>> product.
>>
>> The kernel also needs to support NAT-T. NetBSD currently has this
>> support but FreeBSD 4-6 does not. Until someone ports the NAT-T bits
>> from NetBSD this will not be doable on FreeBSD/m0n0wall.
>>
>> Scott
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> m0n0wall dash dev dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash dev dash help at lists dot m0n0 dot ch
>>
>>
>

--
Olivier Warin
http://xview.net
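As an added illustration that is not part of this thread and not taken from the ipsec-tools project's own documentation: a minimal racoon.conf fragment showing where the nat_traversal directive from the quoted man page excerpt is placed, next to the isakmp_natt listener for UDP 4500 (a racoon.conf directive the thread does not quote). The gateway address, the pre-shared key path and the algorithm choices are assumptions for illustration. As the thread points out, the directive only has an effect when racoon was built with NAT-T support and the kernel implements NAT-T; otherwise racoon logs a warning for the NAT-T related options.

```conf
# Added example, not from the thread or from ipsec-tools.
# 203.0.113.10 and the psk.txt path are assumed values.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen {
    isakmp      203.0.113.10 [500];    # IKE phase 1 on the gateway's public address
    isakmp_natt 203.0.113.10 [4500];   # UDP 4500: NAT-T encapsulated IKE and ESP
}

remote anonymous {
    exchange_mode   main;
    nat_traversal   on;      # "on": NAT-T only when phase 1 detects a NAT in the path;
                             # "off" (default) never proposes it, "force" always uses it
    generate_policy on;
    proposal {
        encryption_algorithm  aes;
        hash_algorithm        sha1;
        authentication_method pre_shared_key;
        dh_group              2;
    }
}

sainfo anonymous {
    encryption_algorithm     aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm    deflate;
}
```

The listen block matters as much as the remote block: a firewall in front of the gateway has to pass UDP 4500 in addition to UDP 500 and ESP, and the quoted man page's note that NAT-T is "negotiated" means both peers must advertise support before the encapsulation is used.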