On Mon, Apr 30, 2007 at 03:17:38PM -0700, UNIX admin wrote:
> Hello everyone,

Hi!

> As I'm about to implement a site-to-site VPN pretty soon, I'm researching
> IPsec as a possible solution (I have IPsec working already, but without
> NAT). One of the potential issues I spotted is NAT traversal. The
> documentation on docs.sun.com states that NAT-T is supported, but only for
> ESP.

This isn't just a Solaris issue. NAT-Traversal CAN'T work with AH, given
what parts of the IP header AH protects. NAT's a hostile entity as far as
AH is concerned. (Can you blame AH? ;)

> Since the packets will travel across the Internet, I'd like to be able to
> somehow use AH as well. Is this possible to do if I use ip.tun0 interfaces
> on both IPF firewalls? If not, is there another way?

If you're separating two sites, you need tunnels anyway. And if you're
using tunnels, why do you need AH? What problem do you think AH will solve
that ESP won't in this case?

> Another potential issue is that I have 3 NATs happening between the two
> firewalls: one on the FW1 ext interface, one on the ADSL "modem", and one
> on the second firewall. Again, can this be solved by tunneling packets via
> ip.tun interfaces?

It's REALLY hard to have NATs between *both* sides of communicating peers.
Are you saying that the NAT is ALSO the IPsec gateway? If it is, you may
not have to worry about NAT in that case.

You should draw some ASCII pictures for the audience -- it'll help.

> If I'm "up the creek", what other alternative solutions would Sun engineers
> recommend?

I don't think you're up the creek yet, but I do think you should share
some pictures and explain the precise nature of your two sites you wish to
join together with IPsec in a VPN.

Dan
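The point above about which parts of the IP header AH protects, as an added example that is not part of the original thread: a simplified model of the AH and ESP integrity check values (HMAC-SHA-256 truncated to 128 bits, with a constructed key, SPI and sequence number) showing that a router's TTL decrement leaves an AH ICV valid, a NAT's source-address rewrite breaks it, and ESP's ICV never takes the outer header as input at all.

```python
import hashlib, hmac, struct
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"   # constructed; a real SA key comes from IKE
SPI, SEQ = 0x1000, 1            # constructed SA parameters

@dataclass(frozen=True)
class IPv4Header:
    total_len: int
    ttl: int
    proto: int
    checksum: int
    src: bytes  # 4 bytes
    dst: bytes  # 4 bytes

def ah_header_view(h: IPv4Header) -> bytes:
    """The IP header bytes AH's ICV covers: mutable fields (TOS, flags/fragment
    offset, TTL, header checksum) are zeroed for the computation, but the
    source and destination addresses are included exactly as sent."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, h.total_len, 0x1234, 0,
                       0, h.proto, 0, h.src, h.dst)

def ah_icv(h: IPv4Header, payload: bytes) -> bytes:
    """Truncated HMAC over immutable IP header + AH header (ICV zeroed) + payload."""
    ah = struct.pack("!BBHII", h.proto, 5, 0, SPI, SEQ) + b"\x00" * 16
    return hmac.new(KEY, ah_header_view(h) + ah + payload, hashlib.sha256).digest()[:16]

def esp_icv(payload: bytes) -> bytes:
    """ESP's ICV covers SPI, sequence number and the (encrypted) payload only;
    the outer IP header is not an input, so address rewrites are invisible."""
    return hmac.new(KEY, struct.pack("!II", SPI, SEQ) + payload, hashlib.sha256).digest()[:16]

def verify_after_path(sent: IPv4Header, arrived: IPv4Header, payload: bytes):
    """Return (ah_ok, esp_ok): does the sender's ICV still verify against what
    the receiver sees? The path rewrites headers only, never the IPsec body."""
    ah_ok = hmac.compare_digest(ah_icv(sent, payload), ah_icv(arrived, payload))
    esp_ok = hmac.compare_digest(esp_icv(payload), esp_icv(payload))
    return ah_ok, esp_ok

PAYLOAD = b"constructed inner datagram"
SENT = IPv4Header(20 + 28 + len(PAYLOAD), 64, 51, 0xabcd,
                  bytes([10, 0, 0, 5]), bytes([203, 0, 113, 9]))
# Ordinary routing touches only mutable fields: TTL decremented, checksum redone.
ROUTED = replace(SENT, ttl=60, checksum=0xab00)
# A NAT additionally rewrites the source address, which AH covers and ESP does not.
NATTED = replace(ROUTED, src=bytes([198, 51, 100, 7]), checksum=0x1111)

if __name__ == "__main__":
    print("routed:", verify_after_path(SENT, ROUTED, PAYLOAD))  # (True, True)
    print("natted:", verify_after_path(SENT, NATTED, PAYLOAD))  # (False, True)
```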