Contivity VPN woes
bscott at ntisys.com
Thu Nov 21 08:58:09 EST 2002
On 21 Nov 2002, at 8:30am, ken.lussier at zuken.com wrote:
> However, I have to say that I have done IPSec through NAT using PSK's and
> it works fine. IKE isn't the real trouble spot, usually.
Except that I have noticed that IKE using an ID type of IP_ADDR, PSKs, and
aggressive mode is a lot more popular than an objective analysis of the
protocols would warrant. I suspect the reason is that particular
combination is probably the easiest to implement (although I'm just
guessing). In any event, the ID type of IP_ADDR doesn't get along with NAT,
either.
> The real trouble is AH.
Yes, AH and NAT are fundamentally incompatible.
>> Just today, I was trouble-shooting an IPsec-through-NAT configuration
>> that appears to be causing the FreeS/WAN node at the other end to think
>> the NAT'ed node is another network, instead of a single node.
>
> Someone forgot to comment out the "right/leftsubnet" maybe?
The other peer isn't running FreeS/WAN, it's running SafeNet's SoftRemote
for Windows. The configuration checks out, and works just fine if I remove
the NAT box. This is a dynamic, "road warrior" config -- FreeS/WAN gateway
on one end, %any for the other end (no subnet). The error I'm seeing is
that FreeS/WAN is thinking the connection is a gateway, with the public IP
address of the router being the gateway address, and the private IP address
of the Windows box being behind it -- which is, in a sense, correct, I
guess. But since there is no subnet configured in FreeS/WAN, Pluto kicks
out the IKE attempt as not matching any configured connection. I suspect I
need to tweak FreeS/WAN's config slightly, or maybe add a patch. Like I
said, I haven't had a chance to really look into it yet.
--
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or |
| organization. All information is provided without warranty of any kind. |
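The two failure modes discussed in this message (AH breaking under NAT, and an IKE ID of type IP_ADDR not matching the post-NAT source address) can be shown with a small simulation. The code below is an added illustration written for this archive page; it is not from the thread, from FreeS/WAN, or from SoftRemote. It models only the parts of AH and ESP that matter here: AH's integrity check covers the immutable IP header fields (addresses) plus the payload with mutable fields like TTL zeroed, while ESP's covers only the ESP payload. The key, addresses, and packet contents are constructed sample values, and HMAC-SHA256 truncated to 96 bits stands in for whatever integrity algorithm a real SA would negotiate.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

# Constructed shared integrity key for the demo; not a real key.
KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Packet:
    src: str        # outer IP source address
    dst: str        # outer IP destination address
    ttl: int        # mutable in transit; AH treats it as zero when hashing
    payload: bytes  # the protected data


def ah_icv(pkt: Packet) -> bytes:
    """AH-style ICV: covers immutable outer header fields (addresses) and the
    payload; mutable fields such as TTL are zeroed before the MAC is taken.
    Simplified model of RFC 4302 coverage, not a wire-accurate AH header."""
    covered = (ipaddress.ip_address(pkt.src).packed
               + ipaddress.ip_address(pkt.dst).packed
               + b"\x00"          # TTL zeroed: mutable field
               + pkt.payload)
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:12]


def esp_icv(pkt: Packet) -> bytes:
    """ESP-style ICV: covers only the ESP payload, never the outer IP header."""
    return hmac.new(KEY, pkt.payload, hashlib.sha256).digest()[:12]


def nat_rewrite(pkt: Packet, public_ip: str) -> Packet:
    """Source NAT as a router does it: rewrite the source address, decrement TTL."""
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)


def id_ipaddr_matches(id_payload_addr: str, outer_src: str) -> bool:
    """A responder keyed on an IKE ID of type IP_ADDR compares the address
    carried in the ID payload with the address the packet actually came from."""
    return id_payload_addr == outer_src


def simulate(through_nat: bool) -> dict:
    """Build a packet at a road-warrior host, optionally pass it through NAT,
    then run the three checks the far-end gateway would perform."""
    private_ip = "192.168.1.10"   # constructed: road warrior behind the NAT box
    public_ip = "203.0.113.5"     # constructed: NAT router's public address
    gateway_ip = "198.51.100.1"   # constructed: FreeS/WAN gateway

    sent = Packet(src=private_ip, dst=gateway_ip, ttl=64, payload=b"IKE/IPsec data")
    ah_tag = ah_icv(sent)          # sender computes ICVs over the original packet
    esp_tag = esp_icv(sent)

    received = nat_rewrite(sent, public_ip) if through_nat else replace(sent, ttl=sent.ttl - 1)

    return {
        # AH: the address rewrite changes the covered bytes, so the ICV fails.
        "ah_ok": hmac.compare_digest(ah_icv(received), ah_tag),
        # ESP: the outer header is not covered, so the ICV still verifies.
        "esp_ok": hmac.compare_digest(esp_icv(received), esp_tag),
        # IKE ID of type IP_ADDR carries the private address, which no longer
        # matches the packet's post-NAT source.
        "id_ok": id_ipaddr_matches(private_ip, received.src),
    }


if __name__ == "__main__":
    for nat in (False, True):
        print("through NAT" if nat else "direct     ", simulate(nat))
```

Running it shows the direct case passing all three checks and the NAT case failing AH and the IP_ADDR identity match while ESP still verifies, which is why a road-warrior setup behind NAT is steered toward ESP and an identity type (such as FQDN or user FQDN) that is not tied to the packet's source address.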