FreeBSD + NAT Traversal / NAT-T?

[Goosemaster]

I am using m0n0wall and was interested in IPsec use, but unfortuantely I use NAT at both endpoints.

Since freeBSD is the base, I was wondering there was anyway to use NAT Traversal with it.

Thanks

 

[ssbpgsr]

So let me try to understand you. Are you saying that you use m0n0 as a router, going to use m0n0 to make the vpn connection, and your clients (behind m0n0) are NATed. Or are you saying that both m0n0 boxes are already on a private address range?

 

[Goosemaster]

Originally posted by: ssbpgsr
So let me try to understand you. Are you saying that you use m0n0 as a router, going to use m0n0 to make the vpn connection, and your clients (behind m0n0) are NATed. O

yes.

two networks.
both networks have dynamically assigned public IPs.
both networks are nat'ted.
vpn over the internet.
dlink looks liek it supports NAT-T
m0n0wall looks like it does not.
I want to conenct them router to router, and not have a client on eavh network have to take care of it.

I am going to be using a m0n0wall at one end and a dlink at the other end. Both devices have the ability to setup an IPsec route.

my goal is to connect the two endpoints and have all necessary traffic (basically windows networking or streaming of content) traverse the VPN.

currently I have a PPTP VPN, initiated by the M0n0wall and connected to client behind the dlink usign the windows built-in client.


is IPsec a possibility?


this is a diagram of my setup (albeit a messy one)

 

[ssbpgsr]

Actually it will work just fine. You don't even need to worry about NAT-T. NAT-T is used when a mobile IPSEC client from behind a NAT'd router is trying to make a VPN connection to an external location.

EDIT: I see you have listed private addresses on your network diagram. Are the WAN interfaces of both routers on a private or public address?

 

[Goosemaster]

Originally posted by: ssbpgsr
Actually it will work just fine. You don't even need to worry about NAT-T. NAT-T is used when a mobile IPSEC client from behind a NAT'd router is trying to make a VPN connection to an external location.

EDIT: I see you have listed private addresses on your network diagram. Are the WAN interfaces of both routers on a private or public address?

1. the routers are in different geographical locations

2. the WAN ports on both routers are connected directly to the itnernet and have 1 dynamicall assigned IP address each.

3. both are using dyndns.org for hostnames, which is what I have been using to get incontact with them

As for NAT-T, would having the devices act like endpoints mean that the packets would get decrypted before the packets were NAT'd?

Was I looking at this all wrong? could you say that my dillemma only applies to IPsec connectiosn created by servers or whatever behind the router inside the NAT?


I jsut want to make sure I am not gettign thigns confused

Thanks

 

[ssbpgsr]

Originally posted by: Goosemaster
As for NAT-T, would having the devices act like endpoints mean that the packets would get decrypted before the packets were NAT'd?

Yes

Originally posted by: Goosemaster
Was I looking at this all wrong? could you say that my dillemma only applies to IPsec connectiosn created by servers or whatever behind the router inside the NAT?

Yes


Now, the only issue I can think of that you'll have is from having dynamically assigned IPs. I cannot remember if m0n0wall can do a IPSEC tunnel with dynamic IPs.

 

[Goosemaster]

Originally posted by: ssbpgsr

Originally posted by: Goosemaster
As for NAT-T, would having the devices act like endpoints mean that the packets would get decrypted before the packets were NAT'd?

Yes

Originally posted by: Goosemaster
Was I looking at this all wrong? could you say that my dillemma only applies to IPsec connectiosn created by servers or whatever behind the router inside the NAT?

Yes


Now, the only issue I can think of that you'll have is from having dynamically assigned IPs. I cannot remember if m0n0wall can do a IPSEC tunnel with dynamic IPs.

either way, I am "Elated" at the prospect of being able to pull this off

THANKS A LOT

 

[Goosemaster]

I jsut looked it up and IPsec + DHCP on the WAN link is a no go

And PPTP will basically limit me to one client

 

[spidey07]

IPsec nat traversal is strictly a funtion of the end-poinds of IPsec. If there is NAT between those endpoints it won't work.

Unless of course you configure both IPsec endpoints to do nat traversal, and then you're fine.