On Monday 29 April 2002 9:50 pm, Harald Welte wrote:
> On Mon, Apr 29, 2002 at 02:59:53PM -0400, Eric B Kiser wrote:
> > Let me pose this question anew...
> >
> > Are there any required modifications, other than just /not/ restricting
> > the required ports, to be able to pass IPsec traffic when using your
> > Linux system as a router and performing NAT.
From my experience of using IPsec with Netfilter + NAT, you can do tunnel
mode IPsec, but you can't do transport mode IPsec.

Basically, in tunnel mode IPsec, the entire packet from source to destination
is encrypted and encapsulated inside a new packet (which can be NATted if you
want), therefore so long as the original inner packet gets to the other end,
it can be decrypted and dealt with.

However, in transport mode, the checksum covers the source / destination
addresses, and the packet is not encapsulated inside a new one, so any NAT
process which changes the source or destination addresses will break the
checksum (unless you do some *very* clever and tricky fiddling around at both
ends to make the NAT invisible to IPsec).

In my experience, the trick to getting tunnel-mode IPsec to work through NAT
is to tell each machine its own genuine IP address, and to tell it the
routable address of the other end (even if that gets NATted somewhere along
the line), so that each knows who itself is, and knows the address to reach
the other end at.
Hope this helps,
Antony.
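The checksum argument above, worked through as an added example (not part of the original post): the TCP checksum is computed over a pseudo-header that contains the IP addresses, so when NAT rewrites the address on an ESP transport-mode packet it cannot also fix the checksum hidden inside the encrypted segment, whereas in tunnel mode the inner packet (addresses included) arrives untouched. The addresses are constructed, and a byte-wise XOR stands in for ESP encryption purely to model "opaque to the NAT box".

```python
import socket
import struct

PRIVATE, PUBLIC, PEER = "192.168.1.10", "203.0.113.5", "198.51.100.7"  # constructed addresses


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """The TCP pseudo-header binds the segment's checksum to the IP addresses."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)


def build_segment(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal TCP header (sport 40000, dport 22, PSH|ACK) with the checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 22, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    seg = hdr + payload
    csum = inet_checksum(pseudo_header(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def segment_checks(src: str, dst: str, seg: bytes) -> bool:
    """Receiver-side verification: the sum including the stored checksum must be zero."""
    return inet_checksum(pseudo_header(src, dst, len(seg)) + seg) == 0


def esp(data: bytes) -> bytes:
    """Stand-in for ESP encryption/decryption: a NAT box can neither read nor edit this."""
    return bytes(b ^ 0x5A for b in data)


def transport_mode_through_nat() -> bool:
    """ESP transport: only one IP header exists and NAT rewrites it, but the TCP checksum
    inside the encrypted segment still reflects PRIVATE, so the peer's check fails."""
    encrypted = esp(build_segment(PRIVATE, PEER, b"hello"))
    outer_src = PUBLIC                      # NAT: 192.168.1.10 -> 203.0.113.5
    return segment_checks(outer_src, PEER, esp(encrypted))


def tunnel_mode_through_nat() -> bool:
    """ESP tunnel: the whole inner packet (inner addresses + segment) is encrypted and a new
    outer header is added; NAT rewrites only the outer header, so the inner checksum holds."""
    inner = socket.inet_aton(PRIVATE) + socket.inet_aton(PEER) + build_segment(PRIVATE, PEER, b"hello")
    encrypted = esp(inner)
    outer_src = PUBLIC                      # rewritten by NAT; never consulted for the inner check
    inner_at_peer = esp(encrypted)
    src, dst = socket.inet_ntoa(inner_at_peer[:4]), socket.inet_ntoa(inner_at_peer[4:8])
    return segment_checks(src, dst, inner_at_peer[8:])
```

With these inputs `tunnel_mode_through_nat()` returns True and `transport_mode_through_nat()` returns False; the same reasoning applies to UDP, whose checksum also covers the pseudo-header.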