Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)

From: Crist J. Clark (cristjc_at_comcast.net)
Date: 11/15/03

    Date: Sat, 15 Nov 2003 10:24:09 -0800
    To: "Oldach, Helge" <Helge.Oldach@atosorigin.com>
    
    

    On Sat, Nov 15, 2003 at 07:54:40AM +0100, Oldach, Helge wrote:
    > From: Crist J. Clark [mailto:cristjc@comcast.net]
    > > On Fri, Nov 14, 2003 at 06:22:55PM +0100, Helge Oldach wrote:
    > > > Nothing that works well and has noticeable exposure is useless. This
    > > > definitely has both. Not with FreeBSD, though. It does work with Windows
    > > > 2000 SP4, to put a name up... So it's definitely out there.
    > >
    > > Two different ESP end points behind many-to-one NAT connected to a
    > > single ESP end point on the other side of the NAT? I'd be very curious
    > > to get the documentation on how they are cheating to get that to work.
    >
    > You have posted a reference already. W2k SP4 supports UDP encapsulation of
    > IPSec. And yes, it works fine, and reliably. Further, all of Cisco's and
    > Checkpoint's VPN gear support IPSec-over-UDP as well. This alone is >70%
    > market share.

    Oh, yeah, I know of UDP or TCP encapsulation tricks that work. I have
    dealt with several of these implementations too. I thought that you
    were implying that there were working NAT implementations that could
    deal with ESP in these circumstances.

    -- 
    Crist J. Clark                     |     cjclark@alum.mit.edu
                                       |     cjclark@jhu.edu
    http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
    
