RE: IPSec VPN & NATD (problem with alias_address vs redirect_address)

From: Oldach, Helge (Helge.Oldach_at_atosorigin.com)
Date: 11/15/03

  • Next message: Gianmarco Giovannelli: "mpd & freeradius: MS-CHAP2 problem ? and more ... (long)"
    To: "'cjclark@alum.mit.edu'" <cjclark@alum.mit.edu>
    Date: Sat, 15 Nov 2003 07:54:40 +0100

    From: Crist J. Clark [mailto:cristjc@comcast.net]
    > On Fri, Nov 14, 2003 at 06:22:55PM +0100, Helge Oldach wrote:
    > > Nothing that works well and has noticeable exposure is useless. This
    > > definitely has both. Not with FreeBSD, though. It does work with Windows
    > > 2000 SP4, to put a name up... So it's definitely out there.
    >
    > Two different ESP end points behind many-to-one NAT connected to a
    > single ESP end point on the other side of the NAT? I'd be very curious
    > to get the documentation on how they are cheating to get that to work.

    You have posted a reference already. W2k SP4 supports UDP encapsulation of
    IPSec. And yes, it works fine, and reliably. Further, all of Cisco's and
    Checkpoint's VPN gear support IPSec-over-UDP as well. This alone is >70%
    market share.

    Note that an MS employee has co-authored one of the IETF drafts you had
    mentioned. This is apparently not just coincidence...

    I do well understand that there is no general solution. However, FreeBSD
    is definitely behind what is available on the commercial market today. Call
    it "cheating" - but it's out there and it works. I would rather prefer to
    see a feature that doesn't solve a 100% case than to see nothing because
    we feel that a "general specification" is missing.

    Helge
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
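
[Added example for readers of this archive; it is not part of Helge's post and
is not code from FreeBSD, Windows 2000 SP4 or any vendor product. It models the
point argued above: two ESP endpoints behind one many-to-one NAT cannot be
told apart by raw ESP (IP protocol 50 has no ports for the NAT to rewrite),
but can be once ESP is carried in UDP on port 4500, which is what "IPSec over
UDP" means. The second half demultiplexes UDP/4500 datagrams the way the
UDP-encapsulation drafts, later published as RFC 3948, describe it: a 4-byte
zero "non-ESP marker" in front of IKE, a single 0xFF byte for a NAT keepalive,
anything else is ESP with its SPI first. The NAT model, the addresses and all
packet bytes are constructed for the example; no real IPSec traffic is parsed.]

```python
"""Added example (not from the mailing-list post): raw ESP vs. UDP-encapsulated
ESP behind a many-to-one NAT, and demultiplexing of UDP/4500 per RFC 3948.
All addresses, ports and packet bytes below are constructed for illustration."""
import struct
from dataclasses import dataclass, field

ESP_PROTO = 50
UDP_PROTO = 17
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 sect. 2.2: IKE on 4500 is preceded by 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 sect. 2.3: one-byte NAT keepalive


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0  # only meaningful when proto == UDP_PROTO
    dport: int = 0


@dataclass
class Napt:
    """Toy many-to-one NAT (constructed for the example, not natd's real table).

    Outbound flows are keyed on (proto, inside address, inside port); replies are
    matched on (proto, translated port). Raw ESP offers no port to key on."""
    external: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)

    def outbound(self, p: Packet) -> Packet:
        key = (p.proto, p.src, p.sport)
        if key not in self.table:
            if p.proto == UDP_PROTO:
                self.table[key] = self.next_port
                self.next_port += 1
            else:
                self.table[key] = None  # nothing to rewrite: mapping is "all of this proto"
        port = self.table[key]
        return Packet(p.proto, self.external, p.dst, port or 0, p.dport)

    def inbound(self, p: Packet):
        """Inside host a reply belongs to, or None when the NAT cannot decide."""
        hits = [k for k, v in self.table.items()
                if k[0] == p.proto and (v is None or v == p.dport)]
        return hits[0][1] if len(hits) == 1 else None


def raw_esp_collides(peer="198.51.100.7", hosts=("10.0.0.2", "10.0.0.3")) -> bool:
    """Two inside hosts speak raw ESP to one peer: the peer's replies are ambiguous."""
    nat = Napt("203.0.113.1")
    for h in hosts:
        nat.outbound(Packet(ESP_PROTO, h, peer))
    return nat.inbound(Packet(ESP_PROTO, peer, nat.external)) is None


def udp_encap_demuxes(peer="198.51.100.7", hosts=("10.0.0.2", "10.0.0.3")) -> list:
    """Same two hosts with ESP in UDP/4500: each reply is routed to the right host."""
    nat = Napt("203.0.113.1")
    ext = [nat.outbound(Packet(UDP_PROTO, h, peer, NAT_T_PORT, NAT_T_PORT)) for h in hosts]
    return [nat.inbound(Packet(UDP_PROTO, peer, nat.external, NAT_T_PORT, e.sport))
            for e in ext]


def udp_encapsulate_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """Wrap an ESP header plus (already encrypted) body in a UDP/4500 datagram.

    Only the 8-byte UDP header is added, so the ESP SPI sits right behind it.
    SPI 0 is never used on the wire, which is what makes the non-ESP marker safe."""
    esp = struct.pack("!II", spi, seq) + esp_body
    udp_hdr = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0)  # checksum sent as 0
    return udp_hdr + esp


def demux_port_4500(datagram: bytes) -> tuple:
    """Classify a UDP/4500 datagram as ('keepalive' | 'ike' | 'esp', spi-or-None)."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    _sport, _dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram")
    payload = datagram[8:]
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None)
    if len(payload) < 8:
        raise ValueError("payload too short for ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", None)
    spi, _seq = struct.unpack("!II", payload[:8])
    return ("esp", spi)


if __name__ == "__main__":
    print("raw ESP reply ambiguous:", raw_esp_collides())       # True
    print("UDP-encap replies go to:", udp_encap_demuxes())      # ['10.0.0.2', '10.0.0.3']
    pkt = udp_encapsulate_esp(0xDEADBEEF, 1, b"\x00" * 16)
    print(demux_port_4500(pkt))                                 # ('esp', 3735928559)
```

The NAT model deliberately leaves out the SPI-tracking hacks some NAT boxes
attempt for raw ESP: the outbound SPI a NAT sees tells it nothing about the
inbound SPI the far end will pick, so the collision in raw_esp_collides() is
the general case, which is exactly why the UDP wrapper exists.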

