[Openswan dev] NAT-T in the face of changing IPs

David McCullough David_Mccullough at securecomputing.com
Wed Jul 25 22:03:27 EDT 2007


Jivin Paul Wouters lays it down ...
> On Tue, 24 Jul 2007, Michael Richardson wrote:
> 
> > Note that packets to port 500 are coming from 67.97.210.3.500, while
> > packets to port 4500 are coming from 67.97.210.2.5029.

This is stock standard source NAT.  The most common NAT gateway setup.
We see this all the time in NAT-T based ipsec setups.

> > I.e. a different UDP port.  Apparently, this is a problem for openswan.

Most certainly not a problem on our version of freeswan; I can't say I
have tested it specifically under openswan versions, but I can easily do
that if it helps.

> > Was this a case that I just didn't code for, or is this a gap in the
> > specification?
> 
> This has come up in the past. I believe the right thing to do is to junk
> the UDP header completely. Why are we doing any authentication on it? It's
> just a carrier pigeon.
> 
> Decapsulate the packet into an ESP packet, and then do normal processing
> on that.

I thought that was how most people used ipsec.  I am not an RFC-expert,
but I thought you had two basic modes of use: AH encapsulated inside
ESP, and AH (potentially with ESP payload).  Only the second, where
you AH the carrying packet's header, would be affected by the NAT stuff.

Cheers,
Davidm

-- 
David McCullough,  david_mccullough at securecomputing.com,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com
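The point made in the thread, that the UDP header is "just a carrier pigeon" and that a source-port change by a NAT gateway (500 vs 4500 vs 5029 above) cannot break ESP integrity once the packet is decapsulated, can be shown concretely. The following is an added illustration and is not code from this thread, from openswan or from freeswan. It models the RFC 3948 layout (UDP header, then ESP with SPI and sequence number, then an ICV), leaves encryption out so the scope of the integrity check is visible, demultiplexes port 4500 traffic into keepalive, IKE (non-ESP marker) and ESP, and contrasts ESP with an AH-style ICV that also covers the outer source address. The key, the 10.0.0.2 private address and the payload bytes are constructed; 67.97.210.2 and port 5029 are the values quoted in the thread.

```python
import hashlib
import hmac
import struct

# Constructed demo key for illustration only; not real SA keying material.
DEMO_KEY = b"demo-integrity-key-not-from-the-thread"
ICV_LEN = 16                      # truncated HMAC-SHA256 ICV
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on port 4500 starts with 4 zero bytes


def build_udp_esp(src_port, dst_port, spi, seq, payload, key=DEMO_KEY):
    """Build a UDP-encapsulated ESP datagram: UDP header | SPI, seq | payload | ICV.
    The ICV covers only the ESP header and payload, never the UDP header."""
    esp = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]
    udp_len = 8 + len(esp) + len(icv)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)  # checksum 0 = none (IPv4)
    return udp + esp + icv


def classify_port4500(datagram):
    """Demultiplex what arrives on UDP 4500: NAT keepalive, IKE (non-ESP marker) or ESP."""
    body = datagram[8:]
    if body == b"\xff":
        return "keepalive"
    if body[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def decapsulate_and_verify(datagram, key=DEMO_KEY):
    """Strip the UDP header, verify the ESP ICV and return (spi, seq, payload).
    Raises ValueError if the ICV does not match the ESP header and payload."""
    if len(datagram) < 8 + 8 + ICV_LEN:
        raise ValueError("datagram too short")
    _src, _dst, udp_len, _csum = struct.unpack("!HHHH", datagram[:8])
    esp_with_icv = datagram[8:udp_len]
    esp, icv = esp_with_icv[:-ICV_LEN], esp_with_icv[-ICV_LEN:]
    expected = hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", esp[:8])
    return spi, seq, esp[8:]


def nat_rewrite(datagram, new_src_port):
    """Model a source-NAT gateway: rewrite the UDP source port, leave the rest untouched."""
    _src, dst, udp_len, _csum = struct.unpack("!HHHH", datagram[:8])
    return struct.pack("!HHHH", new_src_port, dst, udp_len, 0) + datagram[8:]


def ah_style_icv(outer_src_addr, payload, key=DEMO_KEY):
    """Contrast case: an AH-style ICV that also covers the outer IP source address,
    so a NAT rewrite of that address changes the expected ICV."""
    return hmac.new(key, outer_src_addr + payload, hashlib.sha256).digest()[:ICV_LEN]


def demo():
    """Returns (decapsulated ESP after NAT, whether an AH-style ICV survives NAT)."""
    # Host sends from 4500; the NAT maps the source port to 5029 on the way out.
    sent = build_udp_esp(4500, 4500, spi=0x10000001, seq=1, payload=b"inner packet")
    received = nat_rewrite(sent, 5029)
    esp_result = decapsulate_and_verify(received)   # still verifies: UDP header not covered
    private_src = bytes([10, 0, 0, 2])               # constructed inside address
    public_src = bytes([67, 97, 210, 2])             # address seen in the thread
    ah_survives = ah_style_icv(private_src, b"inner packet") == ah_style_icv(public_src, b"inner packet")
    return esp_result, ah_survives


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the ESP packet verifying cleanly after the port rewrite while the AH-style ICV no longer matches, which is why the thread's "decapsulate, then do normal ESP processing" approach is the one that survives a source NAT.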
