Mailinglist Archive: opensuse-security (409 mails)

RE: [suse-security] FreeS/wan trough NATing Router
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Mon, 12 Aug 2002 11:19:58 +0200
  • Message-id: <96C102324EF9D411A49500306E06C8D1019890CA@xxxxxxxxxxxxxxxxx>

> > You may be able to get manually keyed ESP in tunnel mode to work, but
> > that's suboptimal from a management and security perspective.
>
> Saw websites that recommend this configuration, but it won't work for me
> as well.

If it's worked for someone else, you may want to dig into it.

> Yep, this could be the solution. Already found this NAT-T patch. Any
> experiences ???

Sorry, no. There's an article at SANS about NAT-T, a Google search for 'nat
traversal ipsec peace agreement' should make it top of the list. It's got a
couple of obvious errors (that any QA would have found), but it gets the
message across. Oh, you need to register to be allowed access to their
'reading room'.

Bottom line is that NAT-T works for outbound connections and protocols that
don't need any special treatment, such as FTP, RPC, etc. It seems to me
that you can't place NAT-T devices in a head-to-head configuration, but I
may be wrong here.

> > Are you forced to have NAT take place on that outer router?
>
> ??? It's not my router and they had enabled NAT as a kind of
> "security" :O)

NAT isn't a security feature, IMnsHO.

> PS: I read something about your secunet on tickers. FreeS/WAN IPsec for
> the boxes certified by RegTP? Nice!

Disclaimer: I work for secunet. None of what I say necessarily reflects my
employer's opinions, policy, whatever. I do not mean to abuse this list for
advertising.

Yeah, that'd be our SINA box. It is pretty good security-wise, if I say so
myself (see disclaimer).

Cheers,
Tobias
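Added illustration (not part of the original mail or of FreeS/WAN): what the NAT-T patch discussed above actually does on the wire. Plain ESP (IP protocol 50) has no transport ports a port-overloading NAT can rewrite, so NAT-T (RFC 3948) carries ESP inside UDP on port 4500; IKE shares that port and is prefixed with a four-zero-byte "non-ESP marker", which works because an ESP SPI is never zero. The packet-as-dict NAT rewrite and the ESP payload bytes below are constructed for the demo; encryption and integrity checks are left out.

```python
import struct

NATT_PORT = 4500                 # UDP port shared by IKE and UDP-encapsulated ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix that marks an IKE message on port 4500
KEEPALIVE = b"\xff"              # one-byte NAT keepalive datagram


def build_esp(spi: int, seq: int, encrypted_payload: bytes) -> bytes:
    """ESP packet: 4-byte SPI, 4-byte sequence number, then the ciphertext.
    The payload here is a placeholder blob; real ESP also carries an ICV."""
    if not 0 < spi < 2**32 or not 0 <= seq < 2**32:
        raise ValueError("SPI must be non-zero; SPI and seq are 32-bit values")
    return struct.pack("!II", spi, seq) + encrypted_payload


def encapsulate_esp(esp: bytes) -> bytes:
    """UDP-encapsulated ESP: the ESP packet becomes the UDP payload unchanged."""
    return esp


def encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE moved to port 4500 is prefixed with the non-ESP marker."""
    return NON_ESP_MARKER + ike_message


def demux(udp_payload: bytes) -> dict:
    """Receiver side: classify a UDP/4500 datagram by its first bytes."""
    if udp_payload == KEEPALIVE:
        return {"kind": "keepalive"}
    if len(udp_payload) < 8:
        raise ValueError("too short to be ESP or a marked IKE message")
    if udp_payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "message": udp_payload[4:]}
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "body": udp_payload[8:]}


def nat_rewrite(datagram: dict, public_ip: str, public_port: int) -> dict:
    """Toy port-overloading NAT: rewrites the outer IP/UDP header only.
    The UDP payload (ESP or marked IKE) is untouched, so demux() still works
    on the far side; a raw protocol-50 packet has no port to map and is
    rejected here, which is why the NAT-T patch is needed in the first place."""
    if datagram.get("proto") != "udp":
        raise ValueError("no transport port to translate (raw ESP cannot be port-NATed)")
    return {**datagram, "src_ip": public_ip, "src_port": public_port}
```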
