From: Fabrice M. <boi...@tm...> - 2012-01-29 19:44:15
Hello,

I wish to use IPsec in transport mode to encrypt the traffic of one service (this one can't do that itself) between two servers. One is public (the client) and the other is in a private network behind a gateway which is configured to do NAT and firewall packets. The idea is that as soon as the client application needs to talk with the server side, the kernel will ask racoon, by using the setkey policy, to make an association with the computer behind the NAT. The gateway/NAT/firewall redirects ports 500 and 4500 (UDP) to the server's private IP, and the same for the ESP protocol. I specify the protocol and port to encrypt with the setkey utility (SPD rules), and the racoon daemon handles the key generation and authentication role.

To be sure, I have tested it with virtual machines in the same network (no gateway, nor NAT) and it works well. Here are the SPD rules from /etc/ipsec.conf for the client application:

spdadd 192.168.121.1[3308] 192.168.120.1[any] tcp -P in ipsec esp/transport/192.168.121.1-192.168.120.1/require;
spdadd 192.168.120.1[any] 192.168.121.1[3308] tcp -P out ipsec esp/transport/192.168.120.1-192.168.121.1/require;

And the correct ones for the server side:

spdadd 192.168.120.1[any] 192.168.121.1[3308] tcp -P in ipsec esp/transport/192.168.120.1-192.168.121.1/require;
spdadd 192.168.121.1[3308] 192.168.120.1[any] tcp -P out ipsec esp/transport/192.168.121.1-192.168.120.1/require;

My question is: can transport mode work with NAT traversal? If yes, how should I configure the racoon remote section and the IPsec SPD rules?

Best regards,