Re: [opennhrp-devel] A stupid question about OpenNHRP
From: Lee C. <lee...@gm...> - 2014-05-18 19:53:54
Masoom, ipsec with NAT is handled via the NAT-T specification. Your question really is more fundamental to how IPSec works in general, as opposed to openNHRP, which is the focus of this list. My suggestion would be to practice setting up basic point-to-point IPSec over NAT first and get that working. Once you have that in place, adding openNHRP is relatively simple.

Sent from my iPhone

> On May 18, 2014, at 9:53 AM, masoom alam <mas...@gm...> wrote:
>
> An illustrative guide to ipsec (http://www.unixwiz.net/techtips/iguide-ipsec.html) reads as:
>
> AH and NAT — Not Gonna Happen
> Though AH provides very strong protection of a packet's contents because it covers everything that can possibly be considered immutable, this protection comes at a cost: AH is incompatible with NAT (Network Address Translation).
> NAT is used to map a range of private addresses (say, 192.168.1.X) to and from a (usually) smaller set of public addresses, thereby reducing the demand for routable, public IP space. In this process, the IP header is actually modified on the fly by the NAT device to change the source and/or destination IP address.
>
> If a NAT device, for example Ubuntu configured as an iptables firewall, cannot read the packet's internals, how can it forward the ipsec packet to the correct source/destination? I am confused here. Please guide.
>
> Secondly, Strongswan has support for NAT; is this a distinguishing factor, or can it be achieved via iptables? We are trying to evaluate what we will lose if we do not opt for StrongSwan.
>
> Thanks.
>
> from phone thus brief.
>
>> On May 17, 2014 1:18 PM, "Timo Teräs" <tim...@ik...> wrote:
>> On Sat May 17 2014 04:25:49 AM EEST, masoom alam <mas...@gm...> wrote:
>>
>> > Another thing that I am looking into is what are the pros and cons of
>> > using ipsec-tools with opennhrp rather than strongswan. I am aware that
>> > there was some work going on on the API level integration of both
>> > projects. But why can't we use them independently on a single system,
>> > because strongswan is essentially a feature-rich implementation of
>> > ipsec. Is there some hack available without getting hands dirty in
>> > the strongswan code? The earlier NAT question was also in the context of
>> > strongswan NAT support.
>>
>> No, I did earlier some experiments with this, but the patches are not fully operational.
>>
>> At the time opennhrp was started several years ago, ipsec-tools was the best looking/easiest to integrate with candidate. Though, strongSwan seems to be now superior in almost all aspects; it does have a few issues that I don't like. Generally though it seems to be the current best choice. Getting NHRP working with it is a long term goal for me too.
>>
>> Though, I would like to update to dmvpn phase 4 architecture while at it.
>>
>> See also:
>> http://sourceforge.net/p/opennhrp/mailman/message/32271201/
>>
>> So yes that's the direction, but we are not there yet. And no ETA at this time.
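The AH-versus-NAT point in the quoted guide, and Lee's remark that NAT-T is what lets IPsec cross a NAT, can be seen in a small simulation. This is an added example, not code from this thread or from OpenNHRP, ipsec-tools or strongSwan; the key, addresses and packet bytes are constructed, and the integrity check is a simplified HMAC-SHA-256 following the RFC 4302 rule of zeroing mutable IP fields, not a real AH or ESP implementation. It shows that an AH receiver rejects a packet whose source address a NAT rewrote, that a TTL decrement (a mutable field) is harmless, and that ESP carried in UDP port 4500 survives the same rewrite because its ICV never covers the outer headers.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real SA key comes from IKE, never from source code.
KEY = b"constructed-demo-key-not-a-real-sa-key"
IPPROTO_AH = 51
IPPROTO_UDP = 17
UDP_NATT_PORT = 4500


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; AH zeroes it anyway)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def ah_icv(ip_hdr: bytes, ah_packet: bytes) -> bytes:
    """AH integrity check value, RFC 4302 style: mutable IP fields (TOS,
    flags/fragment offset, TTL, header checksum) are zeroed before hashing;
    source and destination addresses count as immutable and stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS / DSCP / ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL: routers decrement it, so it is excluded
    h[10:12] = b"\x00\x00"    # header checksum, recomputed per hop
    return hmac.new(KEY, bytes(h) + ah_packet, hashlib.sha256).digest()[:16]


def ah_receiver_accepts(received_ip_hdr: bytes, ah_packet: bytes, icv: bytes) -> bool:
    """The receiver recomputes the ICV over the header it actually received."""
    return hmac.compare_digest(ah_icv(received_ip_hdr, ah_packet), icv)


def esp_icv(esp_packet: bytes) -> bytes:
    """ESP's ICV covers only the ESP header and encrypted payload, never the
    outer IP header or the UDP header added by NAT-T."""
    return hmac.new(KEY, esp_packet, hashlib.sha256).digest()[:16]


def nat_rewrite_src(ip_hdr: bytes, new_src: str) -> bytes:
    """What a NAT device does on the way out: overwrite the source address."""
    h = bytearray(ip_hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)


def demo_ah_through_nat() -> tuple:
    """Returns (accepted_without_nat, accepted_after_nat) for one AH packet."""
    ah_packet = b"\x00\x04\x00\x00\x00\x00\x01\x00" + b"constructed inner datagram"
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", IPPROTO_AH, len(ah_packet))
    icv = ah_icv(hdr, ah_packet)
    natted = nat_rewrite_src(hdr, "198.51.100.1")   # private src mapped to public
    return (ah_receiver_accepts(hdr, ah_packet, icv),
            ah_receiver_accepts(natted, ah_packet, icv))


def demo_esp_natt_through_nat() -> bool:
    """ESP in UDP/4500 (NAT-T): receiver strips outer IP+UDP and checks ESP only."""
    esp_packet = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"constructed ciphertext"
    icv = esp_icv(esp_packet)
    udp = struct.pack("!HHHH", UDP_NATT_PORT, UDP_NATT_PORT, 8 + len(esp_packet) + len(icv), 0)
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", IPPROTO_UDP,
                      len(udp) + len(esp_packet) + len(icv))
    wire = nat_rewrite_src(hdr, "198.51.100.1") + udp + esp_packet + icv
    inner = wire[28:]                     # skip 20-byte IP and 8-byte UDP headers
    rx_esp, rx_icv = inner[:-16], inner[-16:]
    return hmac.compare_digest(esp_icv(rx_esp), rx_icv)


def ttl_change_is_harmless() -> bool:
    """Hop-by-hop TTL decrement must not break AH, since TTL is a mutable field."""
    ah_packet = b"\x00\x04" + b"\x00" * 6 + b"x"
    a = ipv4_header("192.168.1.10", "203.0.113.5", IPPROTO_AH, len(ah_packet), ttl=64)
    b = ipv4_header("192.168.1.10", "203.0.113.5", IPPROTO_AH, len(ah_packet), ttl=63)
    return ah_icv(a, ah_packet) == ah_icv(b, ah_packet)


if __name__ == "__main__":
    print("AH accepted (no NAT, after NAT):", demo_ah_through_nat())
    print("ESP over UDP 4500 accepted after NAT:", demo_esp_natt_through_nat())
    print("TTL decrement harmless for AH:", ttl_change_is_harmless())
```

The same asymmetry is why a plain iptables NAT box can forward NAT-T traffic without understanding IPsec at all: it only ever touches the outer IP and UDP headers, which are outside the integrity-protected region, whereas for AH the address it must rewrite is inside it.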