On Jul 15, 2004, at 9:10 AM, Harald Hoyer wrote:
Dave Oxley wrote:I am after some IPSEC info also. I have an FC2 (with latest updates) NAT'ed behind another machine at work. At home I have a WinXP box NAT'ed behind a RH7.3 machine. Can I use IPSEC to VPN between both my WinXP box and the FC2 box and do you know of a HOWTO that talks through this type of setup.
Cheers.
Dave.
NAT is bad for ipsec, try openvpn for that... (WinXP and Linux clients available)
I would beg to differ, at least in some cases.
IPsec comes in 2 flavors, ESP (Encapsulating Security Payload) and AH (Authentication Header). AH is only useful for checking packet integrity, and does not encrypt anything. AH's signatures are invalidated if the packet is NAT'd, since the entire packet, including the original headers is what is being authenticated. By definition, NAT is rewriting those original packet headers.
ESP on the other hand is an entirely different animal. ESP offers crypto and message assurance. However, it only operates on the payload itself, and doesn't give a rip about what happens to the headers. I regularly use IPSec to get into my home network when I'm out and about. It works fine, even when I'm being NAT'd, like when I'm on a GPRS connection.
The home firewall/vpn termination point is a PC running FC2, using ipsec-tools. Works extremely well with my iBook running OS X (using IPsecuritas to configure KAME on the iBook). I've yet to get l2tpd working properly, so the native OS X stuff is out, at least for the moment.