[Openswan Users] NAT Traversal and transport mode security issues

[Jacco de Leeuw]

Antonio wrote:

> I have just setup a gateway with Openswan 2.1.1 with NAT-T support and
 > also have enabled NAT-T Transport Mode so WinXP clients can access
 > using the Microsoft VPN Client.
> 
> Ok. I have all working but I'm quite worried about the security issues related with
 > NAT-T and IPSec transport mode
> I am not sure what these issues are and if I should use this configuration.
 > Anybody could explain what are these security issues?

Mathieu Lafon, the author of the FreeS/WAN NAT-T patch, said this about it:

> For the transport mode, it is insecure if you implement it without any sort of
> protection. Because, once a SA is established, a route is created to the NAT
> device and packets will go through the tunnel even if they are not for the
> VPN client.
> 
> The main protection against this is to NAT the VPN client behind another IP
> (and create the route for that IP). But it's a lot of work to do that (with lots
> of problems to deal with) so it's not done in the NAT-T patch.

> If we want to avoid all problems, we need to allocate a private IP for each
> connection and translate all packets in KLIPS.
> 
> We will end up with 4 ip for each connection :
>   - host ip
>   - nated ip
>   - allocated ip by pluto
>   - allocated ip by l2tp
> 
> Wow, should work ;-)
> 
> The only remaining problem will be with protocols that don't like translation
> (like FTP). But in the case of L2TP it will be fine.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl