On Sun, 23 Jan 2005 14:54:46 +0100, Erik Norgaard <[EMAIL PROTECTED]> wrote: > J65nko BSD wrote: > >>Due to the problems of IPSec with NAT I was thinking if it is posible to > >>setup IPSec without Authenticated Headers? Does anyone know of a howto? > > > The AH (Authenticated Header) protocol cannot be used with NAT, NAT > > modifies the header of packets, while AH is supposed to protect that > > header from being modified. Another IPSEC protocol ESP (Encrypted > > Security Payload), both authenticates and encrypts, and thus has no > > problem with NAT traversal. > > Thanks, AFAIK, ESP and AH are used in conjunction in IPSec, ESP for > encrypting the packet payload, and AH for authentication. ESP in it self > does not provide authentication, but only encrypts the payload - hence > the names :-) > > Since ESP only encrypts the payload, as you say, ESP has no problem with > NAT, whereas AH appends a signed checksum of the header. And since NAT > alters the header, verifying the AH fails. > > Ofcourse, it requires access to the (public?) keys to create valid > encrypted packets. Hence, if the public key is kept as a shared secret > among the authorized users, one could assume that ESP packets are > authenticated/trusted. > > This is my idea, discard AH, rely on ESP and assume that anyone capable > of producing decryptable packets must have access to the pre-shared > secret "public" key and hence authorized.
Your are not the first to have this idea. The authors of "Secure Architectures with OpenBSD" already published this ;) > AH would work, if both ends were NATaware, such that the rigth src/dst > ip could be inserted in the header before checking. It just occured to > me that maybe this could be done by adding yet another IP/IP tunnel? > > Cheers, Erik OpenBSD 3.6 supports NAT traversal. From http://openbsd.org/36.html: "isakmpd(8) now supports NAT-traversal and Dead Peer Detection (RFC 3706)." Don't know how ling it would take to before this is supported by FreeBSD ;) =Adriaan= _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
