[Openswan Users] NAT Traversal and transport mode security issues

Antonio Gascon Dominguez agascond at able.es
Mon Apr 5 01:53:39 CEST 2004

Thanks a lot for your quick answer and for your tutorial about L2TP/IPsec and
the Windows VPN client. It has helped me a lot!

I'm not sure if I have understood correctly what Mathieu explained.  What
packets are sent to the NAT device?  Can you explain a little more or give an
example :D

Thanks a lot!


-----Original Message-----
From: users-bounces at lists.openswan.org
[mailto:users-bounces at lists.openswan.org] On behalf of Jacco de Leeuw
Sent: Friday, 02 April 2004 11:44
To: users at lists.openswan.org
Subject: Re: [Openswan Users] NAT Traversal and transport mode security

Antonio wrote:

> I have just set up a gateway with Openswan 2.1.1 with NAT-T support and
> also have enabled NAT-T Transport Mode so WinXP clients can access
> using the Microsoft VPN Client.
> Ok. I have all working but I'm quite worried about the security issues
> related to NAT-T and IPsec transport mode.
> I am not sure what these issues are and if I should use this.
> Could anybody explain what these security issues are?

Mathieu Lafon, the author of the FreeS/WAN NAT-T patch, said this about it:

> For the transport mode, it is insecure if you implement it without any
> sort of protection. Because, once an SA is established, a route is created
> to the device and packets will go through the tunnel even if they are not
> for the VPN client.
> The main protection against this is to NAT the VPN client behind another
> (and create the route for that IP). But it's a lot of work to do that
> (with lots of problems to deal with) so it's not done in the NAT-T patch.

> If we want to avoid all problems, we need to allocate a private IP for
> connection and translate all packets in KLIPS.
> We will end up with 4 IPs for each connection:
>   - host IP
>   - NATed IP
>   - IP allocated by pluto
>   - IP allocated by L2TP
> Wow, should work ;-)
> The only remaining problem will be with protocols that don't like
> (like FTP). But in the case of L2TP it will be fine.

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
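An added illustration of the route problem Mathieu describes, written for this archive page and not taken from the thread or from Openswan/KLIPS. It models the gateway's routing decision only; the addresses, the interface names and the in-kernel translation step are assumptions.

```python
import ipaddress

# Constructed addresses (assumptions, not from the thread). The gateway sees the
# roaming WinXP client only as the NAT device's public address.
NAT_PUBLIC = ipaddress.ip_address("203.0.113.5")
CLIENT_ALLOC = ipaddress.ip_address("10.99.0.1")  # private IP a gateway could allocate per client
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def host_route(ip):
    return ipaddress.ip_network(f"{ip}/32")


def lookup(routes, dst):
    """Longest-prefix match over (prefix, interface) pairs, as a kernel would do."""
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return "unreachable"
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def naive_routes():
    """Transport-mode NAT-T as described: once the SA is up, a host route to the
    NAT device itself points into the IPsec interface."""
    return [(DEFAULT, "eth0"), (host_route(NAT_PUBLIC), "ipsec0")]


def natted_routes():
    """Mitigation Mathieu outlines: only a private IP allocated to the client is
    routed into the SA; the IPsec stack translates it to the NAT device's address."""
    return [(DEFAULT, "eth0"), (host_route(CLIENT_ALLOC), "ipsec0")]


def forward(routes, dst, nat_map=None):
    """Return (interface, outer destination) for a packet leaving the gateway.
    nat_map emulates the in-kernel translation allocated IP -> NAT public IP."""
    dst = ipaddress.ip_address(dst)
    iface = lookup(routes, dst)
    if iface == "ipsec0" and nat_map:
        dst = nat_map.get(dst, dst)
    return iface, str(dst)


if __name__ == "__main__":
    # A packet for the NAT device's own services, not for the VPN client:
    print("naive :", forward(naive_routes(), str(NAT_PUBLIC)))    # ends up inside the SA
    print("natted:", forward(natted_routes(), str(NAT_PUBLIC)))   # stays on the plain path
    # A packet really meant for the client, in the mitigated model:
    print("client:", forward(natted_routes(), str(CLIENT_ALLOC), {CLIENT_ALLOC: NAT_PUBLIC}))
```

In the naive model every packet the gateway addresses to the NAT device is pulled into the tunnel, which is the behaviour Mathieu warns about; with the allocated private IP only traffic for that IP is encapsulated.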
