[Openswan Users] NAT Traversal and transport mode security issues
Antonio Gascon Dominguez
agascond at able.es
Mon Apr 5 01:53:39 CEST 2004
Thanks a lot for your quick answer and for your tutorial about L2TP/IPsec and
the Windows VPN client. It has helped me a lot!
I'm not sure if I have understood correctly what Mathieu explained. What
packets are sent to the NAT device? Can you explain a little more or give an
example :D
Thanks a lot!
Antonio
-----Original Message-----
From: users-bounces at lists.openswan.org
[mailto:users-bounces at lists.openswan.org] On behalf of Jacco de Leeuw
Sent: Friday, 02 April 2004 11:44
To: users at lists.openswan.org
Subject: Re: [Openswan Users] NAT Traversal and transport mode security issues
Antonio wrote:
> I have just set up a gateway with Openswan 2.1.1 with NAT-T support and
> also have enabled NAT-T transport mode so WinXP clients can access it
> using the Microsoft VPN client.
>
> Ok. I have all working but I'm quite worried about the security issues
> related to NAT-T and IPsec transport mode.
> I am not sure what these issues are and if I should use this configuration.
> Could anybody explain what these security issues are?
Mathieu Lafon, the author of the FreeS/WAN NAT-T patch, said this about it:
> For the transport mode, it is insecure if you implement it without any
> sort of protection. Because, once an SA is established, a route is created
> to the NAT device and packets will go through the tunnel even if they are
> not for the VPN client.
>
> The main protection against this is to NAT the VPN client behind another
> IP (and create the route for that IP). But it's a lot of work to do that
> (with lots of problems to deal with) so it's not done in the NAT-T patch.
> If we want to avoid all problems, we need to allocate a private IP for
> each connection and translate all packets in KLIPS.
>
> We will end up with 4 ip for each connection :
> - host ip
> - nated ip
> - allocated ip by pluto
> - allocated ip by l2tp
>
> Wow, should work ;-)
>
> The only remaining problem will be with protocols that don't like
> translation (like FTP). But in the case of L2TP it will be fine.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
_______________________________________________
Users mailing list
Users at lists.openswan.org
http://lists.openswan.org/mailman/listinfo/users
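To make Mathieu's point concrete, here is a small model of the outbound policy lookup he is describing. This is an added illustration, not Openswan or KLIPS code and not from the thread: the eroute table, the addresses (RFC 5737 documentation ranges) and the packets are constructed. Three tables are compared: the plain NAT-T transport SA whose only selector is the NAT device's public address (the situation quoted above), the same SA narrowed to L2TP traffic by protocol and local port (my assumption about a mitigation; the quote does not mention it, but it is what a protocol/port selector such as Openswan's `leftprotoport=17/1701` expresses), and Mathieu's proposal of keying the eroute on a private IP allocated per connection with the destination translated back to the NAT device before encryption.

```python
"""
Model of the transport-mode NAT-T selector problem discussed above.

Constructed example, not Openswan or KLIPS code: the eroute table,
addresses (RFC 5737 documentation ranges) and packets are made up.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

UDP, TCP = 17, 6
L2TP_PORT = 1701


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class Eroute:
    """Outbound policy: packets matching the selector are sent into SA `sa`.

    `translate_to` models Mathieu's proposal: the eroute is keyed on an IP
    allocated per connection, and the destination is rewritten to the NAT
    device's real address just before encryption (what KLIPS would do).
    """
    name: str
    sa: str
    dst_net: str                       # destination selector
    proto: Optional[int] = None        # None = any protocol
    sport: Optional[int] = None        # None = any local port
    translate_to: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.sport is None or pkt.sport == self.sport))


def outbound(table: List[Eroute], pkt: Packet) -> Tuple[Optional[str], Packet]:
    """Return (SA the packet enters, packet as it is about to be encrypted).

    A None SA means the packet leaves the gateway in cleartext.
    """
    for e in table:
        if e.matches(pkt):
            if e.translate_to:
                pkt = replace(pkt, dst=e.translate_to)
            return e.sa, pkt
    return None, pkt


def diverted(table: List[Eroute], pkt: Packet) -> bool:
    """True if the packet enters an SA, i.e. is sent towards the VPN client."""
    return outbound(table, pkt)[0] is not None


# Constructed topology: a VPN client behind a NAT box whose public address
# is NAT_IP; the same NAT box port-forwards TCP/80 to a web server that has
# nothing to do with the VPN.
NAT_IP = "203.0.113.7"
GW_IP = "198.51.100.1"
ALLOC_IP = "10.255.0.1"   # private IP allocated to this one connection

# 1. Plain NAT-T transport SA as in the quote: the selector is the NAT
#    device's address and nothing else.
naive = [Eroute("sa-to-nat", "SA#1", f"{NAT_IP}/32")]

# 2. Same SA, selector narrowed to L2TP (UDP from local port 1701).
narrowed = [Eroute("sa-to-nat-l2tp", "SA#1", f"{NAT_IP}/32", UDP, L2TP_PORT)]

# 3. Mathieu's proposal: eroute keyed on the allocated IP, dst translated.
allocated = [Eroute("sa-alloc", "SA#1", f"{ALLOC_IP}/32", translate_to=NAT_IP)]

# Constructed packets: L2TP for the client (addressed to the NAT device, or
# to the allocated IP under scheme 3) and an HTTP request from the gateway
# to the port-forwarded web server behind the same NAT.
l2tp_to_nat = Packet(GW_IP, NAT_IP, UDP, L2TP_PORT, 4711)
l2tp_to_alloc = Packet(GW_IP, ALLOC_IP, UDP, L2TP_PORT, 1701)
http_to_nat = Packet(GW_IP, NAT_IP, TCP, 40000, 80)

if __name__ == "__main__":
    for label, table in (("naive", naive), ("narrowed", narrowed),
                         ("allocated", allocated)):
        print(label)
        for pkt in (l2tp_to_nat, l2tp_to_alloc, http_to_nat):
            sa, out = outbound(table, pkt)
            print(f"  {pkt.dst}:{pkt.dport}/{pkt.proto} -> "
                  f"{sa or 'cleartext'} (dst on wire {out.dst})")
```

With the naive table the HTTP request to the NAT device's port-forwarded web server is swallowed by the client's SA, which is exactly the "packets will go through the tunnel even if they are not for the VPN client" behaviour in the quote. Narrowing the selector keeps unrelated traffic out of the SA but still keys everything on the shared NAT address; the allocated-IP scheme removes the NAT address from the policy altogether, at the cost of the translation step Mathieu mentions.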