Date: Thu, 30 Oct 2003 15:30:18 -0800
From: "Crist J. Clark" <cristjc@comcast.net>
To: Nucleo de Pesquisa e Desenvolvimento <npd@el.com.br>
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC in tunnel mode ( possible? )
Message-ID: <20031030233018.GC32640@blossom.cjclark.org>
In-Reply-To: <1545.172.72.12.252.1067458540.squirrel@intranet.el.com.br>
References: <1545.172.72.12.252.1067458540.squirrel@intranet.el.com.br>
On Wed, Oct 29, 2003 at 06:15:40PM -0200, Nucleo de Pesquisa e Desenvolvimento wrote:
> Hi everyone,
>
> I know it is kind of an off-topic question but maybe another network admin
> has already faced the following:
>
> client--[__ipsec__]--gw--[__ip__]--internet
>
> I, trying to secure a wireless link, want to have my clients using
> ipsec on the segment between the gateway gw and the machine itself even
> when the traffic is to the internet and not only to the gateway ( what
> works fine in transport mode anyway ). The clients are windows
> machines.
> According to Microsoft 252735 tunnel is possible when a windows is
> acting as a gateway, not our scenario where machines are only
> clients...

Sometimes you read something and you just wanna pound someone so, so
hard with a clue bat,

  "Windows 2000 IPSec tunneling is not supported for client remote
  access VPN use because the IETF IPSec RFCs do not currently provide
  a remote access solution in the Internet Key Exchange (IKE) protocol
  for client-to-gateway connections."

First, IPsec is a peer-to-peer protocol. There are no clients and
servers, only peers. Second, IKE is not part of IPsec. IKE is a nice
standard for setting up IPsec SAs, but it is not required and is not
the only way to set up SAs. Third, there are plenty of ways to do IKE
authentication in a "client-to-server-like" fashion. A zillion other
vendors have somehow managed to figure this out, M$.

> Any one could point me to some url or send me keywords I should look
> for please? If things won't work with ipsec I'll do it with MPD... but
> I still should have asked it here.

FWIW, I ended up using mpd for Windows machines in this exact same
scenario.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
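As an added illustration of the reply's point that SAs need no IKE and that tunnel mode can carry all of a client's traffic, not only traffic to the gateway: a setkey(8) configuration for the FreeBSD gateway side of the client--[ipsec]--gw--[ip]--internet layout, with manually keyed ESP SAs. This is example code, not from the thread; the addresses, SPIs and keys are constructed placeholders, and the keys must be replaced with freshly generated random ones.

```shell
#!/bin/sh
# Added example (not from the thread): manually keyed, tunnel-mode IPsec on
# the FreeBSD gateway side of  client--[ipsec]--gw--[ip]--internet,
# configured with setkey(8) and no IKE at all.
# Addresses, SPIs and keys are constructed placeholders; the keys in
# particular must be replaced (e.g. openssl rand -hex 16 / openssl rand -hex 20).
CLIENT=192.0.2.10   # wireless client address (assumption)
GW=192.0.2.1        # gateway's wireless-side address (assumption)

# Emit a setkey(8) configuration that
#  - installs one ESP SA per direction with "-m tunnel", and
#  - requires, in the SPD, that everything to or from the client (inner
#    selector 0.0.0.0/0, so internet-bound packets too) travels inside
#    the client<->gw tunnel rather than only traffic addressed to gw.
gen_ipsec_conf() {
    client=$1
    gw=$2
    cat <<EOF
flush;
spdflush;

# ESP SAs, tunnel mode, one per direction
# (placeholder keys: 128-bit AES-CBC, 160-bit HMAC-SHA1; replace before use)
add $client $gw esp 0x1001 -m tunnel -E aes-cbc 0x00112233445566778899aabbccddeeff -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567;
add $gw $client esp 0x1002 -m tunnel -E aes-cbc 0xffeeddccbbaa99887766554433221100 -A hmac-sha1 0x76543210fedcba9876543210fedcba9876543210;

# SPD on the gateway: inner destination/source is "anywhere", so packets the
# client sends to the internet are still required to arrive through the tunnel
spdadd $client/32 0.0.0.0/0 any -P in ipsec esp/tunnel/$client-$gw/require;
spdadd 0.0.0.0/0 $client/32 any -P out ipsec esp/tunnel/$gw-$client/require;
EOF
}

# Load the policy only where setkey exists. The gateway also needs
# net.inet.ip.forwarding=1 to pass the decapsulated packets on to the internet.
apply_ipsec_conf() {
    command -v setkey >/dev/null 2>&1 || { echo "setkey not found; not applied" >&2; return 1; }
    gen_ipsec_conf "$1" "$2" | setkey -c
}
```

To inspect the generated policy without loading it, run `gen_ipsec_conf "$CLIENT" "$GW"`; `apply_ipsec_conf "$CLIENT" "$GW"` loads it on a host that has setkey.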