Ipsec Question

Jason Costomiris jcostom at jasons.org
Fri Jul 16 02:45:27 UTC 2004


On Jul 15, 2004, at 9:10 AM, Harald Hoyer wrote:

> Dave Oxley wrote:
>> I am after some IPSEC info also. I have an FC2 (with latest updates) 
>> NAT'ed behind another machine at work. At home I have a WinXP box 
>> NAT'ed behind a RH7.3 machine. Can I use IPSEC to VPN between both my 
>> WinXP box and the FC2 box and do you know of a HOWTO that talks 
>> through this type of setup.
>> Cheers.
>> Dave.
>
> NAT is bad for ipsec, try openvpn for that... (WinXP and Linux clients 
> available)
>

I would beg to differ, at least in some cases.

IPsec comes in 2 flavors, ESP (Encapsulating Security Payload) and AH 
(Authentication Header).  AH is only useful for checking packet 
integrity, and does not encrypt anything.  AH's signatures are 
invalidated if the packet is NAT'd, since the entire packet, including 
the original headers is what is being authenticated.  By definition, 
NAT is rewriting those original packet headers.

ESP on the other hand is an entirely different animal.  ESP offers 
crypto and message assurance.  However, it only operates on the payload 
itself, and doesn't give a rip about what happens to the headers.  I 
regularly use IPsec to get into my home network when I'm out and about. 
It works fine, even when I'm being NAT'd, like when I'm on a GPRS 
connection.

The home firewall/vpn termination point is a PC running FC2, using 
ipsec-tools.  Works extremely well with my iBook running OS X (using 
IPsecuritas to configure KAME on the iBook).  I've yet to get l2tpd 
working properly, so the native OS X stuff is out, at least for the 
moment.
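The AH-versus-ESP point above can be made concrete by modelling what each integrity check covers. The script below is an added illustration, not code from the post or from ipsec-tools: AH's ICV is computed over the IP addresses plus the payload (mutable fields such as TTL and checksum are zeroed in real AH and are simply omitted here), while ESP's ICV covers only the ESP header (SPI, sequence number) and the encrypted payload, so a source NAT that rewrites the source address breaks the first check and leaves the second intact. The key, addresses, SPI and the XOR keystream cipher are all constructed stand-ins for an SA, not real IPsec parameters or a real ESP transform.

```python
import hashlib
import hmac

# Constructed shared key; stands in for the keys negotiated for a security association.
KEY = b"constructed-demo-key"


def ah_icv(pkt: dict) -> bytes:
    # AH authenticates the IP header's immutable fields (addresses included) and the payload.
    # A NAT box rewrites an address, so the receiver recomputes a different value.
    covered = b"|".join([pkt["src"].encode(), pkt["dst"].encode(), pkt["payload"]])
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def esp_icv(pkt: dict) -> bytes:
    # ESP authenticates the ESP header (SPI + sequence) and the protected payload only;
    # the outer IP header is deliberately outside the ICV, so NAT rewrites do not affect it.
    covered = (
        pkt["spi"].to_bytes(4, "big")
        + pkt["seq"].to_bytes(4, "big")
        + pkt["payload"]
    )
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def toy_esp_cipher(seq: int, data: bytes) -> bytes:
    # Toy stand-in for the ESP confidentiality transform: XOR with a per-packet keystream
    # derived from the key and sequence number. Symmetric, so it also decrypts.
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hashlib.sha256(KEY + b"enc" + seq.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def source_nat(pkt: dict, public_ip: str) -> dict:
    # Source NAT as seen by the far end: the private source address is replaced.
    rewritten = dict(pkt)
    rewritten["src"] = public_ip
    return rewritten


def verify(pkt: dict, icv: bytes, icv_fn) -> bool:
    return hmac.compare_digest(icv_fn(pkt), icv)


def nat_traversal_outcome() -> dict:
    # Constructed packet from a NAT'd host to a VPN endpoint (documentation addresses).
    plaintext = b"hello from behind NAT"
    ah_pkt = {"src": "192.168.1.10", "dst": "203.0.113.5", "payload": plaintext}
    esp_pkt = {
        "src": "192.168.1.10",
        "dst": "203.0.113.5",
        "spi": 0x1000,
        "seq": 1,
        "payload": toy_esp_cipher(1, plaintext),
    }

    # Sender computes the ICVs before the packets leave the private network.
    ah_tag = ah_icv(ah_pkt)
    esp_tag = esp_icv(esp_pkt)

    # Both packets pass through a NAT that rewrites the source address.
    ah_natted = source_nat(ah_pkt, "198.51.100.7")
    esp_natted = source_nat(esp_pkt, "198.51.100.7")

    return {
        "ah_before_nat": verify(ah_pkt, ah_tag, ah_icv),
        "ah_after_nat": verify(ah_natted, ah_tag, ah_icv),
        "esp_before_nat": verify(esp_pkt, esp_tag, esp_icv),
        "esp_after_nat": verify(esp_natted, esp_tag, esp_icv),
        # Receiver decrypts the NAT'd ESP payload; the ciphertext was never touched.
        "esp_decrypted": toy_esp_cipher(esp_natted["seq"], esp_natted["payload"]),
    }


if __name__ == "__main__":
    for name, value in nat_traversal_outcome().items():
        print(f"{name}: {value}")
```

Running it shows `ah_after_nat` as `False` and `esp_after_nat` as `True`, with the decrypted payload recovered unchanged; that difference is exactly why AH cannot survive address rewriting while ESP can.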
