From: Daniel Lopes <lopsch@lopsch.com>
To: netfilter@lists.netfilter.org
Subject: Re: Iptables, nat, and IPSec
Date: Wed, 06 Apr 2005 19:03:12 +0200	[thread overview]
Message-ID: <42541650.1080206@lopsch.com> (raw)
In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAqrTb2LYes02Oflamihm4wwL6DwAQAAAA+1cYJf7sR0Sh2A7HkLkwFgEAAAAA@rogers.com>

dave beach wrote:
>  > It's an IPSec problem. I don't want to go into detail but you probably
> should try NAT-Traversal.
>  > For the theory http://www.ipsec-howto.org/x180.html
> 
> Okay, I've read the reference. If I understand correctly, I need to use a
> NAT methodology that implements "NAT Traversal" (the reference is a little
> vague on this; in fairness, it does say "There are no RFCs at the moment").
> It might be therefore fair to say that the Linksys implementation includes
> NAT Traversal, enabling it to handle multiple IPSec passthrough connections.
> 
> Which leads me to what I suppose was the original question, now slightly
> modified: does iptables support NAT Traversal?
> 
> 
from the webpage:
"What does NAT traversal do to help? NAT-traversal again encapsulates 
the ESP packets in UDP packets. These can easily be handled by a NAT 
device since they provide ports."

So you have to activate the NAT-T "feature" on your clients and make sure 
the other side supports it too.

And to answer your question: yes, every NAT device should be able to 
handle multiple IPSec NAT-Ted connections, because they are wrapped 
within UDP packets and so every connection can be tracked. What is 
essential is that both sides which use IPSec are aware of NAT-T and 
that it is correctly configured.
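The following is an added example, not part of the thread and not Linux conntrack code: a toy model of a NAT box's translation table that shows why the "they provide ports" remark matters. Raw ESP (IP protocol 50) carries no ports, so after the source address is rewritten two inside hosts talking ESP to the same peer end up with the same outside tuple and their replies cannot be told apart; with NAT-T the ESP packets ride inside UDP (port 4500), so the NAT can hand each client its own public source port and demultiplex on it. All addresses are constructed values from the RFC 5737 documentation ranges, and the collision handling is a deliberate simplification of what a real NAT does.

```python
"""Toy model of a NAT box's connection-tracking table (added example).

Raw ESP has no ports, so once the NAT has rewritten the source address it
has nothing left to distinguish two clients' ESP flows to the same peer.
With NAT-T the ESP packets are carried in UDP/4500, and the NAT can give
each client a distinct public source port and route replies on it.
Addresses are constructed (RFC 5737 ranges); this is a simplified model,
not the Linux conntrack implementation.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

ESP = 50           # IP protocol number for ESP
UDP = 17           # IP protocol number for UDP
NAT_T_PORT = 4500  # UDP port used for ESP-in-UDP encapsulation (NAT-T)


class CollisionError(Exception):
    """Raised when two inside hosts would share one outside flow tuple."""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for port-less protocols such as ESP
    dport: Optional[int] = None
    spi: Optional[int] = None    # ESP SPI; shown only to stress the NAT ignores it


class Nat:
    """Source-NAT with a table keyed on the 5-tuple visible on the wire."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (outside reply 5-tuple) -> (inside client ip, inside client port)
        self.table: dict = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the LAN and record how to undo it."""
        if pkt.proto == UDP:
            # UDP has ports, so each client can get its own public port.
            translated = replace(pkt, src=self.public_ip, sport=self.next_port)
            self.next_port += 1
        else:
            # No ports to rewrite: only the source address changes.
            translated = replace(pkt, src=self.public_ip)
        reply_key = (translated.dst, translated.src, translated.proto,
                     translated.dport, translated.sport)
        owner = (pkt.src, pkt.sport)
        if self.table.get(reply_key, owner) != owner:
            raise CollisionError(f"{pkt.src} would share reply tuple {reply_key} "
                                 f"with {self.table[reply_key][0]}")
        self.table[reply_key] = owner
        return translated

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply from the outside back to the client owning the flow."""
        owner = self.table.get((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        if owner is None:
            return None  # unknown flow: a real NAT would drop this packet
        client_ip, client_port = owner
        return replace(pkt, dst=client_ip, dport=client_port)


PEER = "203.0.113.5"     # remote IPsec gateway (constructed address)
NAT_IP = "198.51.100.1"  # the NAT box's public address (constructed)


def raw_esp_scenario() -> str:
    """Two LAN hosts start raw ESP to the same peer through one NAT."""
    nat = Nat(NAT_IP)
    nat.outbound(Packet("10.0.0.2", PEER, ESP, spi=0x1001))
    try:
        nat.outbound(Packet("10.0.0.3", PEER, ESP, spi=0x2002))
    except CollisionError:
        return "collision"  # second host's replies could not be told apart
    return "ok"


def nat_t_scenario() -> Tuple[str, str]:
    """Same two hosts, but with ESP encapsulated in UDP/4500 (NAT-T)."""
    nat = Nat(NAT_IP)
    a = nat.outbound(Packet("10.0.0.2", PEER, UDP, NAT_T_PORT, NAT_T_PORT))
    b = nat.outbound(Packet("10.0.0.3", PEER, UDP, NAT_T_PORT, NAT_T_PORT))
    # The peer answers to whichever public port it saw; the NAT demuxes on it.
    reply_a = nat.inbound(Packet(PEER, NAT_IP, UDP, NAT_T_PORT, a.sport))
    reply_b = nat.inbound(Packet(PEER, NAT_IP, UDP, NAT_T_PORT, b.sport))
    return reply_a.dst, reply_b.dst


if __name__ == "__main__":
    print("raw ESP:", raw_esp_scenario())  # collision
    print("NAT-T  :", nat_t_scenario())    # ('10.0.0.2', '10.0.0.3')
```

Run it as a script to see the two scenarios side by side. The model keys its table on exactly what a NAT can observe (addresses, protocol, ports); the ESP SPI is carried in the packet only to make the point that a port-less protocol gives the translator nothing it can allocate per client, which is the gap NAT-T closes by adding a UDP header.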

