[Openswan Users] NAT Traversal and transport mode security issues
Jacco de Leeuw
jacco2 at dds.nl
Fri Apr 2 12:43:34 CEST 2004
> I have just set up a gateway with Openswan 2.1.1 with NAT-T support and
> have also enabled NAT-T transport mode so that WinXP clients can connect
> using the Microsoft VPN client.
> OK. I have it all working, but I'm quite worried about the security issues related to
> NAT-T and IPsec transport mode.
> I am not sure what these issues are and whether I should use this configuration.
> Could anybody explain what these security issues are?
Mathieu Lafon, the author of the FreeS/WAN NAT-T patch, said this about it:
> For transport mode, it is insecure if you implement it without any sort of
> protection, because once an SA is established, a route is created to the NAT
> device and packets will go through the tunnel even if they are not for the
> VPN client.
> The main protection against this is to NAT the VPN client behind another IP
> (and create the route for that IP). But it's a lot of work to do that (with lots
> of problems to deal with), so it's not done in the NAT-T patch.
> If we want to avoid all problems, we need to allocate a private IP for each
> connection and translate all packets in KLIPS.
> We will end up with 4 IPs for each connection:
> - host IP
> - NATed IP
> - IP allocated by pluto
> - IP allocated by L2TP
> Wow, should work ;-)
> The only remaining problem will be with protocols that don't like translation
> (like FTP). But in the case of L2TP it will be fine.
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
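To make the problem Lafon describes concrete, here is a small Python model added to this archive page. It is not Openswan or KLIPS code and nothing in it comes from the original posts: the addresses (RFC 5737 documentation ranges), the per-connection address "allocated by pluto", the "sa-client" name and the two sample packets are all constructed. The policy table is deliberately address-only, which is the situation Lafon's remark describes (a route to the NAT device, no port or protocol selector): once the transport-mode SA to the NAT's public address is up, a packet for a different service port-forwarded on that same NAT is steered into the SA as well. The second setup models his mitigation: the eroute points at a private per-connection address and the real NAT address is substituted just before encapsulation, so only traffic meant for the client enters the SA.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for this example (RFC 5737 documentation ranges); not from the post.
GATEWAY = ip_address("203.0.113.1")       # the Openswan gateway
NAT_PUBLIC = ip_address("198.51.100.7")   # public side of the NAT device in front of the WinXP client
PLUTO_ALLOC = ip_address("10.250.0.1")    # hypothetical per-connection address "allocated by pluto"


class Eroutes:
    """Address-only policy table in the spirit of KLIPS eroutes: no port or protocol selectors."""

    def __init__(self):
        self.entries = []  # (src_net, dst_net, sa_name); first match wins

    def add(self, src, dst, sa):
        self.entries.append((ip_network(str(src)), ip_network(str(dst)), sa))

    def lookup(self, src, dst):
        for src_net, dst_net, sa in self.entries:
            if ip_address(str(src)) in src_net and ip_address(str(dst)) in dst_net:
                return sa
        return None  # no matching policy: the packet leaves in the clear


def steer(table, packets, nat_map=None):
    """Decide, per packet, which SA (if any) it enters and which destination goes on the wire.

    nat_map models the translation step Lafon describes: a packet that matched the
    eroute has its destination rewritten from the pluto-allocated address to the
    peer's real NAT public address just before ESP-in-UDP encapsulation.
    """
    out = {}
    for name, (src, dst) in packets.items():
        sa = table.lookup(src, dst)
        wire_dst = nat_map.get(dst, dst) if (sa is not None and nat_map) else dst
        out[name] = (sa, wire_dst)
    return out


def without_translation():
    """Transport mode as the NAT-T patch installs it: the eroute points at the NAT device itself."""
    table = Eroutes()
    table.add(GATEWAY, NAT_PUBLIC, "sa-client")
    packets = {
        "l2tp-to-client":   (GATEWAY, NAT_PUBLIC),  # the only traffic meant for the VPN client
        "smtp-to-mailhost": (GATEWAY, NAT_PUBLIC),  # a mail server port-forwarded on the same NAT
    }
    return steer(table, packets)


def with_translation():
    """Lafon's mitigation: eroute to a private per-connection IP, addresses rewritten in KLIPS."""
    table = Eroutes()
    table.add(GATEWAY, PLUTO_ALLOC, "sa-client")
    packets = {
        "l2tp-to-client":   (GATEWAY, PLUTO_ALLOC),  # l2tpd now addresses the client by its allocated IP
        "smtp-to-mailhost": (GATEWAY, NAT_PUBLIC),   # unchanged: the real address of the mail host
    }
    return steer(table, packets, nat_map={PLUTO_ALLOC: NAT_PUBLIC})


if __name__ == "__main__":
    for label, fn in (("no protection", without_translation), ("per-connection NAT", with_translation)):
        print(label)
        for name, (sa, wire_dst) in fn().items():
            print(f"  {name:18s} -> {('clear' if sa is None else sa):10s} dst on wire {wire_dst}")
```

In the first setup both packets come back tagged "sa-client": the SMTP packet for the mail host is encrypted and delivered to the VPN client's IPsec stack, which is not the intended receiver, and the mail host never sees it. In the second, only the L2TP packet enters the SA and the SMTP packet leaves in the clear to the real address. The check a practitioner wants on a real gateway is to look at what selectors the installed policy actually carries: `ipsec eroute` on a KLIPS stack, or `ip xfrm policy` on a NETKEY/xfrm stack, shows whether the transport-mode policy for the NAT-T connection covers every packet to the NAT's public address or is narrowed to the L2TP port (UDP 1701).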