From: "Leonardo Rodrigues Magalhães" <leolistas@solutti.com.br>
To: netfilter@lists.netfilter.org, apapadop@alumni.carnegiemellon.edu
Subject: OFFTOPIC: Re: VPN over netfilter NAT
Date: Thu, 16 Sep 2004 09:00:56 -0300
Message-ID: <006e01c49be4$d4a701a0$8b00000a@casa>
In-Reply-To: 200409161436.26695.apapadop@alumni.carnegiemellon.edu
Well ...... this is not completely true, but it's not a complete lie either.
Reading the doc you sent us the link to, I noticed the author explains
how to set up an IPSec VPN using FreeSWAN.
It's true that IPSec is NOT a NAT-friendly protocol, just like HTTP or
SMTP. IPSec requires special care when doing NAT. This 'special care' is
implemented in NAT helpers, just like ip_nat_ftp. And an IPSec NAT helper was
never developed or, at least, was never made publicly available.
BUT, there's a patch called NAT-T which allows IPSec to work fine in NAT
situations.
You should also notice that FreeSWAN is not being developed anymore. Two
projects have continued developing the FreeSWAN source, which are:
http://www.openswan.org/
http://www.strongswan.org/
It seems that both projects have applied the NAT-T patch to their distributed
code. So you WILL be able to run an IPSec VPN over NAT **IF** both peers are
NAT-T capable and correctly configured for that.
And you can always try other VPN daemons. In several situations I
prefer using OpenVPN (http://openvpn.sourceforge.net), which is much
simpler to configure and is NAT friendly with no extra configuration. If
you're trying to establish a VPN between 2 Linux boxes, OpenVPN may be a great
option. But if you're trying Linux-Cisco or Linux-something else, maybe
IPSec will be your only option.
Hope it helps .....
Sincerely,
Leonardo Rodrigues
----- Original Message -----
From: "Alexandros Papadopoulos" <apapadop@alumni.carnegiemellon.edu>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, September 16, 2004 8:36 AM
Subject: VPN over netfilter NAT
> I stumbled across
> http://www.linuxhomenetworking.com/linux-adv/vpn-linux.htm today, which
> states that "NAT breaks VPNs".
>
> Is this just an over-simplifying statement that really means "if you're
> reading this, then don't even try setting up a NAT-traversing VPN"?
>
> This is exactly what I'm planning to do; I've got my mind set on having
> the two VPN endpoints inside two NATed networks, both managed by
> respective dedicated linux boxes running only netfilter.
>
> If that is indeed possible (and doable for a first timer), could anyone
> provide some relevant pointers to documentation?
Thread overview:
2004-09-16 11:36 VPN over netfilter NAT Alexandros Papadopoulos
2004-09-16 11:47 ` Brent Clark
2004-09-16 11:49 ` John A. Sullivan III
2004-09-16 12:00 ` Leonardo Rodrigues Magalhães [this message]
2004-09-16 12:30 ` Jason Opperisano
2004-09-16 14:36 ` Aleksandar Milivojevic
2004-09-16 17:11 ` Les Mikesell
2004-09-17 1:36 ` Kenneth Porter
2004-11-12 13:09 ` Peter Marshall
2004-11-12 13:54 ` Michel van der Klei