Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)
From: Stephen J. Bevan (stephen_at_dino.dnsalias.com)
Date: 11/22/03
- Previous message: Bill Vermillion: "Re: huge email system"
- In reply to: Crist J. Clark: "Re: IPSec VPN & NATD (problem with alias_address vs redirect_addr ess)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Fri, 21 Nov 2003 22:35:54 -0800 To: cjclark@alum.mit.edu
Crist J. Clark writes:
> Two different ESP end points behind many-to-one NAT connected to a
> single ESP end point on the other side of the NAT? I'd be very curious
> to get the documentation on how they are cheating to get that to work.
A cheat is to use the sequence number in the ESP header to matchup the
SPI on the inbound packet with the SPI on the outbound packet. This
only works if the NAT box doesn't have multiple ESP connections all
starting at the same time (otherwise there would obviously be no way
to tell which outbound SPI a packet with ESP sequence number 1 should
match). A workaround for that is to have the NAT box delay the IKE
negotiation for one connection if another one has not completed and
resulted in traffic being sent. It all has a bit of a bad smell to it
but then NAT isn't exactly sweet smelling either.
_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
- Previous message: Bill Vermillion: "Re: huge email system"
- In reply to: Crist J. Clark: "Re: IPSec VPN & NATD (problem with alias_address vs redirect_addr ess)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
