Ipsec Question
Jason Costomiris
jcostom at jasons.org
Fri Jul 16 02:45:27 UTC 2004
On Jul 15, 2004, at 9:10 AM, Harald Hoyer wrote:
> Dave Oxley wrote:
>> I am after some IPSEC info also. I have an FC2 (with latest updates)
>> NAT'ed behind another machine at work. At home I have a WinXP box
>> NAT'ed behind a RH7.3 machine. Can I use IPSEC to VPN between both my
>> WinXP box and the FC2 box and do you know of a HOWTO that talks
>> through this type of setup.
>> Cheers.
>> Dave.
>
> NAT is bad for ipsec, try openvpn for that... (WinXP and Linux clients
> available)
>
I would beg to differ, at least in some cases.

IPsec comes in 2 flavors, ESP (Encapsulating Security Payload) and AH
(Authentication Header). AH is only useful for checking packet
integrity, and does not encrypt anything. AH's signatures are
invalidated if the packet is NAT'd, since the entire packet, including
the original headers, is what is being authenticated. By definition,
NAT is rewriting those original packet headers.

ESP on the other hand is an entirely different animal. ESP offers
crypto and message assurance. However, it only operates on the payload
itself, and doesn't give a rip about what happens to the headers. I
regularly use IPSec to get into my home network when I'm out and about.
It works fine, even when I'm being NAT'd, like when I'm on a GPRS
connection.

The home firewall/vpn termination point is a PC running FC2, using
ipsec-tools. Works extremely well with my iBook running OS X (using
IPsecuritas to configure KAME on the iBook). I've yet to get l2tpd
working properly, so the native OS X stuff is out, at least for the
moment.
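The AH-versus-ESP point above can be made concrete with a small simulation. The following is an added example, not code from the thread or from ipsec-tools: it builds a constructed IPv4 header, computes a simplified AH-style integrity check value (ICV) over the header with its mutable fields zeroed plus the payload, and an ESP-style ICV over only the SPI, sequence number and encapsulated payload, then rewrites the source address the way a source-NAT gateway would and re-verifies both. The key, addresses and payload are all constructed for the demo, and the AH/ESP header layouts are reduced to the fields that matter for the comparison.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real security association gets its key from IKE.
KEY = b"constructed-demo-key"
ICV_LEN = 12  # truncated HMAC, as AH/ESP truncate their authenticators


def ip_header(src: str, dst: str, ttl: int = 64) -> bytes:
    """Build a minimal, constructed 20-byte IPv4 header (no options).

    Layout: ver/ihl, tos, total length, id, flags/frag, ttl, proto, checksum, src, dst.
    The checksum is left zero; it is not needed for this demonstration.
    """
    ver_ihl = (4 << 4) | 5
    return struct.pack(
        "!BBHHHBBH4s4s", ver_ihl, 0, 20, 0, 0, ttl, 50, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def ah_icv(hdr: bytes, payload: bytes) -> bytes:
    """Simplified AH-style ICV.

    AH authenticates the IP header with mutable fields (here TTL, byte 8, and the
    header checksum, bytes 10-11) zeroed, plus everything after it. The source and
    destination addresses are treated as immutable, so they stay in the MAC input.
    """
    zeroed = hdr[:8] + b"\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:]
    return hmac.new(KEY, zeroed + payload, hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Simplified ESP-style ICV: covers SPI, sequence number and the encapsulated
    (encrypted) payload only. The outer IP header is not part of the MAC input."""
    esp_hdr = struct.pack("!II", spi, seq)
    return hmac.new(KEY, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]


def source_nat(hdr: bytes, new_src: str) -> bytes:
    """Simulate a source-NAT gateway rewriting the source address (bytes 12-15)."""
    return hdr[:12] + ipaddress.IPv4Address(new_src).packed + hdr[16:]


# Constructed addresses: a private host behind a NAT gateway talking to a VPN peer.
INNER_SRC, NAT_SRC, DST = "192.168.1.10", "203.0.113.5", "198.51.100.7"
PAYLOAD = b"constructed transport payload"


def verify_ah_after_nat(nat: bool = True) -> bool:
    """Sender computes an AH ICV; the receiver recomputes it over the packet it actually
    got. Returns True if the receiver's value matches the sender's."""
    sent_hdr = ip_header(INNER_SRC, DST)
    sent_icv = ah_icv(sent_hdr, PAYLOAD)
    recv_hdr = source_nat(sent_hdr, NAT_SRC) if nat else sent_hdr
    return hmac.compare_digest(ah_icv(recv_hdr, PAYLOAD), sent_icv)


def verify_esp_after_nat(nat: bool = True) -> bool:
    """Same exchange with ESP: the ICV input never includes the outer IP header,
    so rewriting the source address does not disturb it."""
    spi, seq = 0x1000, 1
    ciphertext = bytes(b ^ 0x5A for b in PAYLOAD)  # stand-in for real encryption
    sent_hdr = ip_header(INNER_SRC, DST)
    sent_icv = esp_icv(spi, seq, ciphertext)
    recv_hdr = source_nat(sent_hdr, NAT_SRC) if nat else sent_hdr
    # recv_hdr is what the peer sees, but it is not an input to the ESP check.
    assert len(recv_hdr) == 20
    return hmac.compare_digest(esp_icv(spi, seq, ciphertext), sent_icv)


if __name__ == "__main__":
    print("AH  without NAT:", verify_ah_after_nat(nat=False))
    print("AH  with NAT:   ", verify_ah_after_nat())
    print("ESP without NAT:", verify_esp_after_nat(nat=False))
    print("ESP with NAT:   ", verify_esp_after_nat())
```

Running it shows AH verification failing as soon as the source address is rewritten, while the ESP check is unaffected. One caveat the simulation does not cover: in transport mode the TCP or UDP checksum inside the ESP payload still includes the original addresses, and many NAT gateways cannot track ESP flows at all, which is why real deployments behind NAT use UDP encapsulation (NAT traversal, RFC 3948) rather than bare ESP.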
More information about the fedora-list mailing list