[Openswan Users] Aggressive mode, NAT-T, destination behind NAT
Paul Wouters
paul at xelerance.com
Wed Apr 12 23:32:22 CEST 2006
On Wed, 12 Apr 2006, Brian Candler wrote:
> On Wed, Apr 12, 2006 at 05:11:17PM +0200, Paul Wouters wrote:
> > aggressive mode is supported, though strongly discouraged for security
> > reasons.
>
> You mean for reasons of identity protection, or something else?
For MITM attacks pretending to be the gateway, and DoS attacks.
> When using a group pre-shared key, the fact that someone could learn that
> the group is called "foo" is not always a major concern.
It is, because when used with PSK, anyone who knows the groupPSK can pretend
to be your VPN gateway, and then you happily present your XAUTH user/password
to them.
> source NAT, rather that static dest NAT. This gives:
>
> openswan B
> | 172.17.0.151
> |
> | 172.17.0.145
> firewall ^
> (BSD) | source NAT
> | 10.71.0.14
> |
> | 10.71.0.1
> openswan A
>
> That is, packets from A to B appear to come from 172.17.0.145 after going
> through NAT.
>
> Configs as follows:
>
> [/etc/ipsec.conf on A]
> version 2.0 # conforms to second version of ipsec.conf specification
>
> config setup
> plutodebug="control natt"
> nat_traversal=yes
>
> conn test
> aggrmode=yes
> ike=3des-sha1-modp1024
> authby=secret
> pfs=no
> left=%defaultroute
> leftid=@testgroup
> leftsubnet=192.168.0.0/24
> right=172.17.0.151
> rightsubnet=192.168.1.0/24
> auto=add
Ok. Such a test setup can be added as a testcase.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
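As an added illustration of the point Paul makes (not part of the original thread, and not a config from either poster), here is Brian's "conn test" with the weak settings beside a hardened variant: aggressive mode off and RSA signature authentication instead of a shared group secret, so that knowing a group PSK is no longer enough to impersonate the gateway. The identities, subnets and keys are placeholders; the real host keys come from "ipsec showhostkey --left" / "--right" on each gateway.

```ini
# --- WEAK: aggressive mode + group PSK (as in the quoted test config) ---
# Anyone holding the group PSK can act as the gateway, and with XAUTH the
# client would then hand its user/password to the impostor.
conn test-weak
    aggrmode=yes
    ike=3des-sha1-modp1024
    authby=secret
    left=%defaultroute
    leftid=@testgroup
    leftsubnet=192.168.0.0/24
    right=172.17.0.151
    rightsubnet=192.168.1.0/24
    auto=add

# --- HARDENED: main mode + RSA signature auth (placeholder values) ---
# Main mode protects the identities in the exchange, and each side must
# prove possession of its own private key, not a shared secret.
conn test-hardened
    aggrmode=no
    ike=3des-sha1-modp1024
    authby=rsasig
    left=%defaultroute
    leftid=@gateway-a.example        # placeholder identity
    leftrsasigkey=0sAQ...PLACEHOLDER # from: ipsec showhostkey --left
    leftsubnet=192.168.0.0/24
    right=172.17.0.151
    rightid=@gateway-b.example       # placeholder identity
    rightrsasigkey=0sAQ...PLACEHOLDER # from: ipsec showhostkey --right
    rightsubnet=192.168.1.0/24
    auto=add
```

Both conns still sit under a "config setup" section with nat_traversal=yes for the NAT'd topology in the thread; only the authentication and exchange mode change.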