On 21 Nov 2002, at 8:30am, [EMAIL PROTECTED] wrote:

> However, I have to say that I have done IPSec through NAT using PSK's and
> it works fine. IKE isn't the real trouble spot, usually.

Except that I have noticed that IKE using an ID type of IP_ADDR, PSKs, and aggressive mode is a lot more popular than an objective analysis of the protocols would warrant. I suspect the reason is that particular combination is probably the easiest to implement (although I'm just guessing). In any event, the ID type of IP_ADDR doesn't get along with NAT, either.

> The real trouble is AH.

Yes, AH and NAT are fundamentally incompatible.

>> Just today, I was trouble-shooting an IPsec-through-NAT configuration
>> that appears to be causing the FreeS/WAN node at the other end to think
>> the NAT'ed node is another network, instead of a single node.
>
> Someone forgot to comment out the "right/leftsubnet" maybe?

The other peer isn't running FreeS/WAN, it's running SafeNet's SoftRemote for Windows. The configuration checks out, and works just fine if I remove the NAT box. This is a dynamic, "road warrior" config -- FreeS/WAN gateway on one end, %any for the other end (no subnet).

The error I'm seeing is that FreeS/WAN is thinking the connection is a gateway, with the public IP address of the router being the gateway address, and the private IP address of the Windows box being behind it -- which is, in a sense, correct, I guess. But since there is no subnet configured in FreeS/WAN, Pluto kicks out the IKE attempt as not matching any configured connection. I suspect I need to tweak FreeS/WAN's config slightly, or maybe add a patch. Like I said, I haven't had a chance to really look into it yet.

-- 
Ben Scott <[EMAIL PROTECTED]>
The opinions expressed in this message are those of the author and do not necessarily represent the views or policy of any other person, entity or organization. All information is provided without warranty of any kind.

_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss