
(racoon 853) Re: Racoon NAT-T Transport Mode



Emmanuel Dreyfus wrote:

IPsec-tools racoon doesn't support the NAT-OA payload that is required for
transport mode by the standard. It is quite some time since I wrote the
NAT-T support so I'm not sure how much work it would be to add it...



Not that much, IMO. Implementing OA will also make it possible to use multiple machines from behind a NAT.



On this topic, I had to solve the problem of multiple machines behind a NAT, but using tunnel mode. I'm not sure if it's the best approach, though. I got the private address of the remote host from the ID payloads exchanged in Quick Mode, and sent it to the kernel in modified PF_KEY SADB_ADD and SADB_UPDATE messages. I used the private address to look up the correct SA (and the correct port number on the NAT gateway).

This works with racoon and Windows 2K/XP, because these always send their IP address in the Quick Mode ID payload. However, RFC 2409 doesn't place any restrictions on what kind of ID is sent in the ID payload - if it were something like an FQDN, my solution wouldn't be guaranteed to work. Does anyone know if IP addresses are always sent in Quick Mode ID payloads?

Thanks,

Matt Titus
titus@nttmcl.com
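The lookup described in the message above, as an added illustration that is not code from the thread or from racoon: it parses a Quick Mode ID payload, uses the private address only when the ID type actually carries an IPv4 address, and otherwise returns no SA, which is exactly the FQDN case the poster worries about. The SA table, SPIs and NAT ports are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# ISAKMP Identification payload header (RFC 2408 section 3.8):
#   Next Payload(1) RESERVED(1) Payload Length(2) ID Type(1) Protocol ID(1) Port(2) ID Data(...)
# ID type values come from the IPsec DOI (RFC 2407 section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_IPV4_ADDR_SUBNET = 4
HEADER = struct.Struct("!BBHBBH")

def build_id_payload(id_type, id_data, proto=0, port=0):
    """Assemble an ID payload; used here only to construct sample input."""
    return HEADER.pack(0, 0, HEADER.size + len(id_data), id_type, proto, port) + id_data

def parse_id_payload(data):
    """Parse an ID payload, rejecting truncated or mis-sized ones before any field is trusted."""
    if len(data) < HEADER.size:
        raise ValueError("ID payload shorter than its header")
    _next, _resv, length, id_type, proto, port = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("ID payload length field out of range")
    return {"type": id_type, "proto": proto, "port": port, "data": data[HEADER.size:length]}

def inner_addr_from_id(payload):
    """Return the peer's private address only when the ID really carries one, else None."""
    t, d = payload["type"], payload["data"]
    if t == ID_IPV4_ADDR and len(d) == 4:
        return IPv4Address(d)
    if t == ID_IPV4_ADDR_SUBNET and len(d) == 8 and d[4:] == b"\xff\xff\xff\xff":
        return IPv4Address(d[:4])  # a /32 subnet ID names a single host
    return None  # FQDN, DN, KEY_ID and friends give nothing usable as a lookup key

def lookup_sa(sa_table, id_payload_bytes):
    """Find the SA entry for the host named by a Quick Mode ID payload, or None."""
    addr = inner_addr_from_id(parse_id_payload(id_payload_bytes))
    return None if addr is None else sa_table.get(addr)

# Constructed sample: two hosts behind one NAT gateway share the public address,
# so they are told apart by the private address learned from their Quick Mode ID.
SA_TABLE = {
    IPv4Address("192.168.1.10"): {"spi": 0x1001, "nat_port": 4501},
    IPv4Address("192.168.1.11"): {"spi": 0x1002, "nat_port": 4502},
}

if __name__ == "__main__":
    addr_id = build_id_payload(ID_IPV4_ADDR, bytes([192, 168, 1, 11]))
    fqdn_id = build_id_payload(ID_FQDN, b"host-b.example")
    print(lookup_sa(SA_TABLE, addr_id))  # the second host's entry
    print(lookup_sa(SA_TABLE, fqdn_id))  # None: the scheme cannot key on an FQDN
```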