Contivity VPN woes
bscott at ntisys.com
Wed Nov 20 20:58:19 EST 2002
On Wed, 20 Nov 2002, at 6:29am, pcmoore at engin.umich.edu wrote:
>> NAT and IPsec don't get along in three major ways:
>
> better make that four ... there is one case involving pre-shared keys and
> nat'd connections that may be relevant here.
Oh, yeah, I forgot all about Pre-Shared Keys. (I avoid PSKs for anything
but fixed network-to-network configurations, so I didn't even consider what
would happen to them.)
For those who are wondering: In IPsec automatic keying with IKE (Internet
Key Exchange), each peer has to have an identity. With X.509 certificates,
the ID is almost always the DN (Distinguished Name) of the certificate of
that peer. When using Pre-Shared Keys for authentication, though, the most
popular choice of ID is the peer's own IP address. Obviously, NAT is going
to mess with that.
I've never tried it, but I imagine PSKs would still work with NAT if you
used aggressive mode and (e.g.) an FQDN ID. Anyone know?
> there could be some other issues involving ike-through-nat as well ...
Oh, there are. This is all in theory. Everything works in theory. In
practice, NAT tends to screw up everything. :-) Just today, I was
trouble-shooting an IPsec-through-NAT configuration that appears to be
causing the FreeS/WAN node at the other end to think the NAT'ed node is
another network, instead of a single node. I haven't had a chance to figure
that one out yet.
> fyi, unless i am mistaken while there may be some implementations that
> claim 'nat-t' support i do not believe this is yet a standard, i think it
> is still in draft status.
Yes, it is still a draft, but it enjoys good industry support, and is fast
approaching "de facto standard" status.
--
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or |
| organization. All information is provided without warranty of any kind. |
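An added illustration (not part of the post or of any IKE implementation) of the PSK identity point discussed above: a toy model of how an IKE responder picks a pre-shared key in main mode versus aggressive mode, and why an IP-address ID stops working once the initiator sits behind NAT. All addresses, hostnames and keys are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional

ID_IPV4_ADDR = "ID_IPV4_ADDR"   # IKE identification payload types (RFC 2407 names)
ID_FQDN = "ID_FQDN"

# Responder's PSK table, keyed by (ID type, ID value). Constructed sample values.
PSK_TABLE = {
    (ID_IPV4_ADDR, "192.0.2.10"): b"psk-for-fixed-site",
    (ID_FQDN, "roadwarrior.example.net"): b"psk-for-road-warrior",
}

@dataclass(frozen=True)
class IkeFirstMessage:
    src_ip: str        # outer IP source address as the responder sees it
    id_type: str
    id_value: str
    aggressive: bool   # True: aggressive mode, ID payload travels in the clear

def through_nat(msg: IkeFirstMessage, public_ip: str) -> IkeFirstMessage:
    """Model a NAT gateway: only the outer source address is rewritten."""
    return IkeFirstMessage(public_ip, msg.id_type, msg.id_value, msg.aggressive)

def select_psk(msg: IkeFirstMessage) -> Optional[bytes]:
    """Return the PSK the responder can choose for this initiator, if any.
    Main mode: the ID payload is encrypted with keys derived from the PSK, so
    the responder must pick the PSK from the packet's source IP (ID_IPV4_ADDR).
    Aggressive mode: the ID arrives unencrypted, so it can be looked up directly."""
    if msg.aggressive:
        return PSK_TABLE.get((msg.id_type, msg.id_value))
    return PSK_TABLE.get((ID_IPV4_ADDR, msg.src_ip))

def run_cases() -> Dict[str, Optional[bytes]]:
    """Four constructed scenarios; a None result means IKE cannot authenticate."""
    fixed = IkeFirstMessage("192.0.2.10", ID_IPV4_ADDR, "192.0.2.10", False)
    inner = IkeFirstMessage("10.0.0.5", ID_IPV4_ADDR, "10.0.0.5", False)
    fqdn_main = IkeFirstMessage("10.0.0.5", ID_FQDN, "roadwarrior.example.net", False)
    fqdn_aggr = IkeFirstMessage("10.0.0.5", ID_FQDN, "roadwarrior.example.net", True)
    nat_ip = "203.0.113.1"   # constructed public address of the NAT gateway
    return {
        "fixed_site_main_mode": select_psk(fixed),
        "natted_ip_id_main_mode": select_psk(through_nat(inner, nat_ip)),
        "natted_fqdn_main_mode": select_psk(through_nat(fqdn_main, nat_ip)),
        "natted_fqdn_aggressive": select_psk(through_nat(fqdn_aggr, nat_ip)),
    }

if __name__ == "__main__":
    for name, psk in run_cases().items():
        print(f"{name}: {'PSK found' if psk else 'no PSK, IKE fails'}")
```

The model only covers PSK selection; it omits the later ID check and the fact that aggressive mode exposes the identity and a PSK-derived hash to anyone on the path, which is why the PSK needs real strength in that setup.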