Mailinglist Archive: opensuse-security (409 mails)

RE: [suse-security] FreeS/wan trough NATing Router
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Mon, 12 Aug 2002 10:48:37 +0200
  • Message-id: <96C102324EF9D411A49500306E06C8D1019890C5@xxxxxxxxxxxxxxxxx>
> 192.168.1.0/24 as Subnet1 -->
> 192.168.1.1 : 10.10.10.1 as FreeS/Wan Router 1-->
> 192.168.10.11 : ext.ip.addr.no1 as external router does nat -->
> INTERNET
>
> INTERNET <-- ext.ip.addr.no2 : 192.168.2.1 : as FreeS/Wan Router 2
> 192.168.2.0/24 as Subnet 2
>
> The error is always the same:
>
> packet from ext.ip.addr.no1:xxx: initial Main Mode message received on
> ext.ip.addr.no2:500 but no connection has been authorized
>
> I think the problem is the router that does NAT because
> FreeS/Wan Router 1
> has a private IP that is not routable.

I agree with your conclusion. NAT and IPSec don't coexist very well. It's OK
if NAT is performed before IPSec (regarding an outbound packet here), but
NAT after IPSec has several problems:

* AH fails, because the address(es) in the IP header is/are modified,
* IKE fails, because the peers' IP addresses are part of their identities.

You may be able to get manually keyed ESP in tunnel mode to work, but that's
suboptimal from a management and security perspective. The other thing that
some people think of as a solution to this problem is called NAT traversal.
There's a patch to FreeS/WAN that enables it. It's pretty much a dirty hack,
if you ask me, much like NAT is a dirty hack, too.

Are you forced to have NAT take place on that outer router?

Another option would be to use a different tunneling protocol, such as CIPE.

Cheers,
Tobias
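Added example (not from this thread and not FreeS/WAN code) illustrating the two points above: an AH integrity check fails once the outer router rewrites the private source address, whereas a manually keyed tunnel-mode ESP packet still verifies because its ICV does not cover the outer IP header. It assumes a simplified header layout (only TTL and checksum treated as mutable), a constructed key, and RFC 5737 documentation addresses for the public side; 10.10.10.1 is the private router address from the thread.

```python
# Added example (not from this thread): why NAT applied after IPsec breaks AH
# but leaves ESP's integrity check intact. A truncated HMAC-SHA256 stands in
# for the ICV; key, payloads and public addresses are constructed values.
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-manual-key"  # stand-in for a manually keyed SA

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; header checksum left at zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def nat_rewrite_src(ip_hdr, new_src):
    """The outer router replaces the private source address (no checksum here)."""
    return ip_hdr[:12] + ipaddress.IPv4Address(new_src).packed + ip_hdr[16:]

def ah_icv(ip_hdr, payload):
    """AH covers the IP header: mutable fields (here TTL and checksum) are
    zeroed before hashing, but the source and destination addresses are not."""
    fixed = bytearray(ip_hdr)
    fixed[8] = 0                  # TTL changes per hop, so AH excludes it
    fixed[10:12] = b"\x00\x00"    # header checksum likewise
    return hmac.new(KEY, bytes(fixed) + payload, hashlib.sha256).digest()[:12]

def esp_icv(esp_body):
    """ESP covers only SPI, sequence number and (encrypted) payload, never the
    outer IP header, which is why tunnel-mode ESP can survive a NAT hop."""
    return hmac.new(KEY, esp_body, hashlib.sha256).digest()[:12]

def ah_survives_nat(priv="10.10.10.1", public="203.0.113.1", peer="198.51.100.2"):
    payload = b"constructed inner packet"
    hdr = ipv4_header(priv, peer, 51, len(payload))     # 51 = AH; built by Router 1
    icv = ah_icv(hdr, payload)
    natted = nat_rewrite_src(hdr, public)               # what the NAT router sends
    return hmac.compare_digest(icv, ah_icv(natted, payload))  # Router 2's check

def esp_survives_nat(priv="10.10.10.1", public="203.0.113.1", peer="198.51.100.2"):
    esp_body = struct.pack("!II", 1, 7) + b"constructed ciphertext"  # SPI, seq, data
    icv = esp_icv(esp_body)
    hdr = ipv4_header(priv, peer, 50, len(esp_body) + len(icv))      # 50 = ESP
    natted = nat_rewrite_src(hdr, public)
    assert natted != hdr                                # outer header did change
    return hmac.compare_digest(icv, esp_icv(esp_body))  # Router 2 checks body only
```

IKE is not modelled here; its failure is a separate matter of the peer's identity (its IP address) no longer matching what arrives, which no integrity check on the packet can repair.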
