Hello Nico,

I give it another try.

> Setup a) is what I did not manage to get running. Why is nat-t needed here?
> Is setup a) possible with m0n0 1.21?

NAT Traversal is necessary for IPsec to work with NAT, and the actual m0n0wall with FreeBSD 4.x does not support NAT-T, as mentioned.

> Which client? The roadwarrior, or some client behind a m0n0wall trying
> to connect to some remote vpn-gateway?

The client which wants to access the VPN endpoint of the m0n0wall. No matter if this client is behind a m0n0wall or another router. Both VPN peers negotiate the NAT Traversal with each other. If one doesn't support NAT-T the connection will fail. Both sides must support NAT-T.

> Homenet - m0n0 - internet - nat-router - roadwarrior

Not possible, because both routers MUST support NAT-T, and m0n0 does not.

In other words: the problem is not whether the VPN endpoint is on m0n0 or a host behind it. If there is at least one NAT device, both endpoints must support NAT-T.

If the road warrior wants to initiate the VPN connection, the NAT router will modify the IPsec packet and the integrity check will fail, as a checksum is built (also with IP address information, which was manipulated by NAT). With NAT-T the IPsec packet is encapsulated in a UDP packet and the manipulation of the address information by NAT does not touch the IPsec packet.

Hope this could help ya a little bit.

Bye
Simon

-----Original Message-----
From: Nicolai Scheer [mailto:scope at planetavent dot de]
Sent: Thursday, March 09, 2006 9:56 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] IPSEC and NAT-T

Hi!

I think I did not understand the ipsec nat-t issue correctly... Let us assume the following configurations:

a) Homenet - m0n0 - internet - nat-router - roadwarrior

and

b) Homenet with 3rd party vpngw - m0n0 - internet - nat-router - roadwarrior

To my mind, nat-t is needed in setup b), where the roadwarrior tries to connect to a vpn-gateway behind m0n0wall. Setup a) is what I did not manage to get running. Why is nat-t needed here? Is setup a) possible with m0n0 1.21?

The documentation says "m0n0wall does not support NAT-Traversal (NAT-T) for IPsec, which means if any of your client machines are behind NAT, IPsec VPN will not work."

Which client? The roadwarrior, or some client behind a m0n0wall trying to connect to some remote vpn-gateway?

Hopefully someone can enlighten me :)

Thanks in advance,
Nico
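The mechanism Simon describes (NAT rewriting the outer address breaks the integrity check, UDP encapsulation keeps the protected packet untouched) can be shown with a small model. The following Python is an added illustration written for this archive page; it is not code from the thread or from m0n0wall. It is a deliberately simplified model, not the real AH/ESP wire format: the integrity check value is an HMAC over the address fields plus the payload (the AH-style case, where address information is covered), the addresses and key are constructed demo values, and "NAT" is just a function that rewrites the outer source address and UDP source port. The UDP port 4500 used for the encapsulated packet is the standard NAT-T port.

```python
"""Toy model: why a NAT router breaks an address-covering IPsec integrity check,
and why UDP encapsulation (NAT-T) survives the same NAT.

Constructed example for illustration; not the real AH/ESP packet format."""
import hashlib
import hmac
import ipaddress

# Constructed demo key shared by both IPsec peers (assumption for this example).
SA_KEY = b"demo-security-association-key"

# Constructed addresses: road warrior behind a NAT router, m0n0wall at the far end.
ROADWARRIOR_PRIVATE = "192.168.1.10"
NAT_PUBLIC = "203.0.113.5"
M0N0WALL_PUBLIC = "198.51.100.1"


def compute_icv(src, dst, payload):
    """Integrity check value over the address fields and the payload (AH-style)."""
    data = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload
    return hmac.new(SA_KEY, data, hashlib.sha256).digest()


def build_ipsec_packet(src, dst, payload):
    """Bare IPsec packet: the protected addresses are the outer IP header itself."""
    return {"src": src, "dst": dst, "payload": payload, "icv": compute_icv(src, dst, payload)}


def verify_ipsec_packet(pkt):
    """Receiver recomputes the ICV from the header it actually received."""
    expected = compute_icv(pkt["src"], pkt["dst"], pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


def build_natt_packet(src, dst, payload):
    """NAT-T: the IPsec packet rides as the payload of a UDP datagram on port 4500."""
    return {"src": src, "dst": dst, "udp_sport": 4500, "udp_dport": 4500,
            "udp_payload": build_ipsec_packet(src, dst, payload)}


def verify_natt_packet(pkt):
    """Receiver strips the UDP layer and verifies the inner IPsec packet."""
    return verify_ipsec_packet(pkt["udp_payload"])


def nat_router(pkt, public_ip, new_sport=40500):
    """Source NAT: rewrites the outer source address (and the UDP source port when
    there is one) and never looks inside the transported payload."""
    out = dict(pkt)
    out["src"] = public_ip
    if "udp_sport" in out:
        out["udp_sport"] = new_sport
    return out


def bare_ipsec_without_nat():
    """Direct path, no NAT in between: the check passes."""
    pkt = build_ipsec_packet(ROADWARRIOR_PRIVATE, M0N0WALL_PUBLIC, b"hello")
    return verify_ipsec_packet(pkt)


def bare_ipsec_through_nat():
    """Setup a) without NAT-T: NAT changes the source address the ICV covers."""
    pkt = build_ipsec_packet(ROADWARRIOR_PRIVATE, M0N0WALL_PUBLIC, b"hello")
    return verify_ipsec_packet(nat_router(pkt, NAT_PUBLIC))


def natt_through_nat():
    """Same path with NAT-T: NAT only touches the outer UDP/IP header."""
    pkt = build_natt_packet(ROADWARRIOR_PRIVATE, M0N0WALL_PUBLIC, b"hello")
    return verify_natt_packet(nat_router(pkt, NAT_PUBLIC))


if __name__ == "__main__":
    print("bare IPsec, no NAT, verifies:", bare_ipsec_without_nat())
    print("bare IPsec through NAT verifies:", bare_ipsec_through_nat())
    print("NAT-T encapsulated IPsec through NAT verifies:", natt_through_nat())
```

Running it shows the bare packet verifying only on the direct path and the UDP-encapsulated packet verifying through the NAT router, which is the behaviour behind the documentation line Nico quotes: a peer that cannot negotiate NAT-T has no way to recover once any NAT device sits on the path.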