quietly....

Lamar Owen lowen at pari.edu
Thu Feb 3 20:20:25 UTC 2011


On Thursday, February 03, 2011 02:28:32 pm Valdis.Kletnieks at vt.edu wrote:
> The only reason FTP works through a NAT is because the NAT has already
> been hacked up to further mangle the data stream to make up for the
> mangling it does.

FTP is in essence a peer-to-peer protocol, as both ends initiate TCP streams.  I know that's nitpicking, but it is true.

> I'm told that IPSEC through a NAT can be interesting too...  And that's
> something I'm also told some corporations are interested in.

IPsec NAT Traversal over UDP port 4500 works ok, but it does require port-forwarding (either manual, automatic-in-the-router, or UPnP) to work ok.  There are a number of HOWTOs out there to make it work, and we've been doing it between the native Windows L2TP VPN client (PPTP is insecure; L2TP as implemented by Microsoft is a three-layer melange of PPP on top, with L2TP carrying that, encapsulated in IPsec between two endpoints) and SmoothWall's SmoothTunnel for several years.  It does work, and it's not as hard as it could be.

But it's not as easy as it should be, at least on the network plumbing side of things. 

However, that's not typically the hardest part of setting up a Microsoft-style PPPoL2TPoIPsec VPN, especially if you use certificates instead of preshared keys.
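Added example, not part of the post above and not code from Microsoft or SmoothWall: what actually has to pass through that forwarded UDP/4500 port once NAT-T is in use. RFC 3948 multiplexes three things onto the one port, and the demultiplexer below shows how a receiver tells them apart: IKE messages carry a 4-byte all-zero "non-ESP marker" (an ESP SPI of zero is reserved, so the marker is unambiguous), UDP-encapsulated ESP starts straight at the SPI, and a NAT-keepalive is a lone 0xFF octet. The sample datagrams are constructed for the example; the ESP body is filler rather than real ciphertext.

```python
"""Demultiplex IPsec NAT-Traversal traffic on UDP/4500 (RFC 3948).

Once NAT-T is in use, the single forwarded port carries three datagram kinds:
  * IKE messages, prefixed by a 4-byte all-zero "non-ESP marker" (RFC 3948, 2.2);
  * UDP-encapsulated ESP, which starts directly with the 4-byte SPI (an SPI of
    zero is reserved, so the marker can never be mistaken for a real SPI);
  * NAT-keepalives, a single octet 0xFF (RFC 3948, 2.3).
Sample datagrams below are constructed for the example; the ESP body is filler,
not real ciphertext.
"""
import struct
from dataclasses import dataclass
from typing import Optional

NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
# ISAKMP/IKE header: SPIi(8) SPIr(8) next-payload(1) version(1) exchange(1) flags(1) msg-id(4) length(4)
IKE_HDR = struct.Struct("!8s8sBBBBII")
ESP_HDR = struct.Struct("!II")  # SPI, sequence number

# Exchange types: IKEv1 (RFC 2408/2409) and IKEv2 (RFC 7296)
IKEV1_EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


@dataclass
class Udp4500Message:
    kind: str                 # "ike", "esp", "keepalive" or "malformed"
    detail: str
    spi: Optional[int] = None          # ESP SPI (only for kind == "esp")
    ike_version: Optional[int] = None  # IKE major version (only for kind == "ike")
    exchange: Optional[str] = None     # IKE exchange name (only for kind == "ike")


def classify_udp4500(payload: bytes) -> Udp4500Message:
    """Decide what a UDP/4500 datagram carries, checking the cheapest cases first."""
    if payload == NAT_KEEPALIVE:
        return Udp4500Message("keepalive", "1-octet 0xFF NAT-keepalive")
    if payload.startswith(NON_ESP_MARKER):
        return _parse_ike(payload[len(NON_ESP_MARKER):])
    if len(payload) < ESP_HDR.size:
        return Udp4500Message("malformed", f"{len(payload)} bytes: too short for ESP")
    spi, seq = ESP_HDR.unpack_from(payload)
    return Udp4500Message("esp", f"UDP-encapsulated ESP, spi=0x{spi:08x} seq={seq}", spi=spi)


def _parse_ike(msg: bytes) -> Udp4500Message:
    """Parse the fixed IKE header that follows the non-ESP marker."""
    if len(msg) < IKE_HDR.size:
        return Udp4500Message("malformed", "IKE header truncated")
    spi_i, spi_r, _next, version, exchange, _flags, msg_id, length = IKE_HDR.unpack_from(msg)
    major = version >> 4
    names = {1: IKEV1_EXCHANGES, 2: IKEV2_EXCHANGES}.get(major)
    if names is None:
        return Udp4500Message("malformed", f"unknown IKE major version {major}")
    if length != len(msg):
        return Udp4500Message("malformed", f"IKE length field {length} != {len(msg)} bytes present")
    name = names.get(exchange, f"exchange {exchange}")
    return Udp4500Message(
        "ike", f"IKEv{major} {name}, msg_id={msg_id}, SPIi={spi_i.hex()}",
        ike_version=major, exchange=name,
    )


# Constructed sample datagrams (not captured traffic)
SAMPLE_KEEPALIVE = NAT_KEEPALIVE
SAMPLE_IKE = NON_ESP_MARKER + IKE_HDR.pack(
    bytes.fromhex("0123456789abcdef"), bytes(8),  # responder SPI is zero in an IKE_SA_INIT request
    33, 0x20, 34, 0x08, 0, IKE_HDR.size)         # next=SA, IKEv2, IKE_SA_INIT, Initiator flag
SAMPLE_ESP = ESP_HDR.pack(0x1234ABCD, 7) + bytes(16)  # filler in place of IV/ciphertext/ICV
SAMPLE_GARBAGE = b"\x00\x00\x00\x00\x01"         # marker with no IKE header behind it

if __name__ == "__main__":
    for pkt in (SAMPLE_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP, SAMPLE_GARBAGE):
        m = classify_udp4500(pkt)
        print(f"{m.kind:10} {m.detail}")
```

The marker is only used on UDP/4500; the first IKE exchange on UDP/500 is sent bare, and the peers float to 4500 once they detect a NAT in the path. That is why a working setup behind a NAT needs UDP/500 reachable for the initial exchange and UDP/4500 for everything that follows, and why the one forwarded 4500 port is enough for IKE, ESP and keepalives together.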




More information about the NANOG mailing list