Sam,

That was an extremely helpful response. I had compiled the NAT-Traversal patch into my FreeS/WAN but the part I was missing was the roadwarrior side having to support NAT-Traversal. So the first part pretty much cleared up my main sticking point. The rest of the response is a great bonus. Very thorough.

I just want to make sure I have this correct in my head. I only need to notify FreeS/WAN of the RW private address or use the rightsubnetwithin if the RW doesn't support NAT-Traversal and I am using IPSec passthrough. Alternatively, if both sides support NAT-Traversal I shouldn't have too many problems and I don't need to turn on passthrough.
Is this correct?

Thanks again

Sam Sgro said:
> On Tuesday 05 August 2003 15:01, Ollie Gallardo wrote:
>> Hello,
>> I was wondering if someone could point me to some documentation that
>> clearly describes the setup for the following scenario or a very
>> similar scenario.
>>
>> SoftRemote roadwarrior->NAT->Internet->FreeS/WAN gateway->Private Subnet
>>
>> The key for me here is that the road warrior is not Linux and it's
>> behind a NAT router. I would like to have a FreeS/WAN gateway that
>> will allow connections from any roadwarrior (with the proper
>> credentials) behind any NAT router or firewall that is allowing IPSec
>> Passthrough. I've gone through hours of searching and haven't found
>> anything that clearly explains it or gives me a 1 2 3... on how to do
>> it. Any help would be appreciated.
>
> Do you know what NAT-Traversal is? If not, here's a brief overview of
> the technology involved.
>
> http://www.infoworld.com/article/02/02/15/020218nenat_1.html
>
> So long as both IPsec devices are NAT-Traversal capable, they can bypass
> NAT without too much fuss. (They also have to support the same drafts of
> *how* to do NAT-T...)
>
> Mathieu Lafon has provided a NAT-Traversal patch for FreeS/WAN. This is
> included in SuperFreeS/WAN.
>
> http://open-source.arkoon.net
> http://www.freeswan.ca
>
> The only catch is that your roadwarrior clients have to have
> NAT-Traversal capable clients. Microsoft recently made a NAT-T patch
> available for the native win2k/winXP IPsec clients.
>
> http://support.microsoft.com/?kbid=818043
>
> Okay, but let's say that you can't rely on NAT-Traversal for your
> roadwarriors, but you've got IPsec passthrough enabled on the various
> NAT'ting routers. This is still possible.
>
> http://lists.freeswan.org/pipermail/users/2002-August/013710.html
> http://jixen.tripod.com
>
> Simply speaking, the key is that the RW clients don't know their own
> public IP address; they've got a non-routeable address, and will try to
> negotiate a tunnel using that private address. Basically, you've got to
> define Roadwarrior connections that allow for that IP address being
> "behind" the roadwarrior, eg:
>
> conn roadwarrior
>     ...
>     right=%any
>     rightsubnet=192.168.0.50/32 # Frank's IP address behind his NAT box
>
> A pain, huh? You'd have to define individual connections for all your
> roadwarriors' private IP addresses, which can easily change. There's a
> way around this: you can use the "rightsubnetwithin" parameter provided
> by X.509 patched FreeS/WAN.
>
> http://www.strongsec.com/freeswan/install.htm#section_4.4
>
> conn roadwarrior
>     ...
>     right=%any
>     rightsubnetwithin=192.168.0.0/16
>
> would allow your roadwarriors to connect when they have any
> non-routeable IP address in the 192.168 class B.
>
> As an aside, NAT-Traversal allows you to define "virtual_private" in
> config setup; you can define all the non-routeable networks there in a
> single line:
>
> http://lists.freeswan.org/pipermail/users/2003-March/019234.html
> http://open-source.arkoon.net/freeswan/README.NAT-Traversal.0.6
>
> This should allow you to define all the non-routeable network ranges
> allowed conveniently. (I believe this should work with
> non-NAT-Traversal capable clients as well.)
>
> --
> Sam Sgro
> [EMAIL PROTECTED]

---
Ollie Gallardo
Support Services Inc
2 Professional Dr Ste 212
Gaithersburg MD 20879

_______________________________________________
FreeS/WAN Users mailing list
[EMAIL PROTECTED]
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
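The two approaches Sam describes (NAT-T with virtual_private for clients that support it, rightsubnetwithin for clients that only have IPsec passthrough) put together in one gateway ipsec.conf. This is an added example, not configuration from the thread or from the FreeS/WAN project; it assumes a SuperFreeS/WAN build (NAT-Traversal plus X.509 patches), FreeS/WAN 2.x file syntax, X.509 certificate authentication, a gateway LAN of 192.168.1.0/24 and a certificate file named gwCert.pem, all of which are placeholders.

```ini
# /etc/ipsec.conf on the FreeS/WAN gateway (added example, assumes
# SuperFreeS/WAN: NAT-Traversal + X.509 patches, FreeS/WAN 2.x syntax).
# Gateway LAN, certificate name and address ranges are placeholders.
version 2.0

config setup
    interfaces=%defaultroute
    # NAT-T patch: negotiate with clients behind NAT and carry ESP inside
    # UDP/4500 when a NAT is detected between the peers.
    nat_traversal=yes
    # RFC 1918 ranges a NAT'd client may present as its "real" address.
    # The gateway's own LAN is excluded with "!" (syntax per the patch's
    # README.NAT-Traversal) so an authenticated client cannot claim an
    # address that overlaps the protected subnet.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn %default
    keyingtries=0
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=%defaultroute
    leftcert=gwCert.pem
    leftsubnet=192.168.1.0/24
    right=%any
    auto=add

# 1. Roadwarriors whose IKE client does NAT-T (e.g. win2k/winXP with the
#    KB818043 patch). "vhost:%no,%priv" accepts either the address the
#    client actually appears from (no NAT) or any address inside
#    virtual_private (behind NAT).
conn rw-natt
    rightsubnet=vhost:%no,%priv

# 2. Roadwarriors whose client cannot do NAT-T but sit behind a router
#    doing "IPsec passthrough" (UDP/500 and plain ESP forwarded). The
#    client proposes its private address as the tunnel endpoint, so the
#    X.509 patch's rightsubnetwithin= accepts any single host in that
#    block instead of one conn per client (Sam's rightsubnet=/32 case).
conn rw-passthrough
    rightsubnetwithin=192.168.0.0/16
```

Two things to check on the gateway side. The firewall in front of it needs UDP/500 for IKE in both cases, plus ESP (IP protocol 50) for the passthrough conn and UDP/4500 for the NAT-T conn, since NAT-T moves the ESP traffic into UDP once a NAT is detected. And because both conns have right=%any and overlapping right-side subnets, a client with an RFC 1918 address can match either; if you need to force a particular client onto one conn, pin it with rightid= (its certificate DN) rather than relying on match order.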
