OFFTOPIC: Re: VPN over netfilter NAT

    Well ...... this is not completely true, as well it's not a complete lie.

    Reading the doc you sent us the link to, I could notice the author explains
how to set up an IPSec VPN, using FreeSWAN.

    It's true that IPSec is NOT a NAT-friendly protocol, just like HTTP or
SMTP. IPSec requires special care when doing NAT. This 'special care' is
implemented in NAT helpers, just like ip_nat_ftp. And an IPSec NAT helper was
never developed or, at least, was never made publicly available.

    BUT, there's a patch called NAT-T which allows IPSec to work fine on NAT
situations.

    You should also notice that FreeSWAN is not being developed anymore. Two
projects continued developing the FreeSWAN source, which are:

http://www.openswan.org/
http://www.strongswan.org/

    It seems that both projects applied the NAT-T patch into their distribution
codes. So, you WILL be able to run IPSec VPN over NAT **IF** both peers are
NAT-T capable and correctly configured for that.

    And you can always try other VPN daemons. In several situations I
prefer using OpenVPN (http://openvpn.sourceforge.net), which is much
simpler to configure and is NAT friendly with no extra configuration. If
you're trying to establish a VPN between two Linux boxes, OpenVPN may be a great
option. But if you're trying Linux-Cisco or Linux-something else, maybe
IPSec will be your only option.

    Hope it helps .....

    Sincerely,
    Leonardo Rodrigues


----- Original Message ----- 
From: "Alexandros Papadopoulos" <apapadop@xxxxxxxxxxxxxxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Thursday, September 16, 2004 8:36 AM
Subject: VPN over netfilter NAT


> I stumbled across
> http://www.linuxhomenetworking.com/linux-adv/vpn-linux.htm today, which
> states that "NAT breaks VPNs".
>
> Is this just an over-simplifying statement that really means "if you're
> reading this, then don't even try setting up a NAT-traversing VPN"?
>
> This is exactly what I'm planning to do; I've got my mind set on having
> the two VPN endpoints inside two NATed networks, both managed by
> respective dedicated linux boxes running only netfilter.
>
> If that is indeed possible (and doable for a first timer), could anyone
> provide some relevant pointers to documentation?
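The reply above explains that IPSec itself is not NAT-friendly but that UDP-encapsulated ESP (NAT-T) survives address rewriting. The following toy model, added here as an illustration and not part of either message, shows the mechanism: AH's integrity check value covers the outer IP addresses, so a netfilter SNAT rewrite invalidates it, whereas the ESP integrity check covers only the ESP body, and the UDP 4500 wrapper gives the NAT a port to rewrite. Header layouts, the HMAC-SHA256 stand-in for the negotiated integrity algorithm, the key and all addresses are constructed simplifications, not real AH/ESP wire formats.

```python
"""Toy model of why AH breaks under NAT while UDP-encapsulated ESP (NAT-T) survives.

Constructed example: simplified headers and HMAC-SHA256 stand in for the real
AH/ESP formats and the integrity algorithm an IKE negotiation would choose.
"""
import hashlib
import hmac
import socket
import struct
from typing import Optional

PROTO_UDP = 17
PROTO_AH = 51
NAT_T_PORT = 4500          # UDP port used for ESP-in-UDP encapsulation (NAT-T)
ICV_LEN = 32               # HMAC-SHA256 digest length in this toy model
KEY = b"constructed-demo-integrity-key"   # constructed; a real SA key comes from IKE


def ip_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """AH authenticates the IP header as well as the payload. Mutable fields (TTL,
    header checksum) are zeroed before hashing, but the source and destination
    addresses are immutable and therefore covered by the ICV."""
    zeroed = bytearray(ip_hdr)
    zeroed[8] = 0               # TTL
    zeroed[10:12] = b"\0\0"     # header checksum
    return hmac.new(KEY, bytes(zeroed) + payload, hashlib.sha256).digest()


def esp_icv(esp_body: bytes) -> bytes:
    """ESP's ICV covers only the ESP header and payload, never the outer IP header."""
    return hmac.new(KEY, esp_body, hashlib.sha256).digest()


def build_ah_packet(src: str, dst: str, inner: bytes) -> bytes:
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 1 + ICV_LEN + len(inner))
    ah_no_icv = b"\x04" + b"\0" * ICV_LEN     # next header = IP-in-IP, ICV field zeroed
    icv = ah_icv(ip_hdr, ah_no_icv + inner)
    return ip_hdr + b"\x04" + icv + inner


def verify_ah(pkt: bytes) -> bool:
    ip_hdr, rest = pkt[:20], pkt[20:]
    icv = rest[1:1 + ICV_LEN]
    ah_no_icv = rest[:1] + b"\0" * ICV_LEN
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_no_icv + rest[1 + ICV_LEN:]))


def build_nat_t_packet(src: str, dst: str, sport: int, inner: bytes) -> bytes:
    esp_body = struct.pack("!II", 0x1000, 1) + inner   # SPI, sequence number, (toy) payload
    esp = esp_body + esp_icv(esp_body)
    # UDP checksum left at 0 ("none") for brevity; netfilter would otherwise update it.
    udp = struct.pack("!HHHH", sport, NAT_T_PORT, 8 + len(esp), 0) + esp
    return ipv4_header(src, dst, PROTO_UDP, len(udp)) + udp


def verify_nat_t(pkt: bytes) -> bool:
    esp = pkt[20 + 8:]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(body))


def snat(pkt: bytes, new_src: str, new_sport: Optional[int] = None) -> bytes:
    """Model of netfilter SNAT/MASQUERADE: rewrite the source address, refresh the
    IP header checksum, and rewrite the UDP source port when one is given."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = socket.inet_aton(new_src)
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    rest = pkt[20:]
    if hdr[9] == PROTO_UDP and new_sport is not None:
        rest = struct.pack("!H", new_sport) + rest[2:]
    return bytes(hdr) + rest


def demo() -> dict:
    """Send one AH packet and one NAT-T packet from a private host through SNAT
    and report whether the peer's integrity check still passes."""
    inner = b"constructed inner packet bytes"             # constructed payload
    ah = build_ah_packet("192.168.1.10", "203.0.113.20", inner)
    natt = build_nat_t_packet("192.168.1.10", "203.0.113.20", NAT_T_PORT, inner)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_nat": verify_ah(snat(ah, "198.51.100.1")),
        "natt_before_nat": verify_nat_t(natt),
        "natt_after_nat": verify_nat_t(snat(natt, "198.51.100.1", 40001)),
    }


if __name__ == "__main__":
    print(demo())
```

The result is that `ah_after_nat` is the only check that fails: rewriting the source address changes bytes the AH receiver recomputes its ICV over, while the ESP ICV inside the UDP wrapper never included them. The port rewrite in the NAT-T case is also what lets the netfilter box keep a per-connection mapping, which raw ESP (protocol 50, no ports) cannot offer; this is why the reply insists both peers must be NAT-T capable.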