From owner-freebsd-net@FreeBSD.ORG Sun Nov 16 11:12:27 2003
From: Helge Oldach <helge.oldach@atosorigin.com>
To: cjclark@alum.mit.edu
cc: freebsd-isp@freebsd.org, freebsd-ipfw@freebsd.org, vgoupil@alis.com, freebsd-net@freebsd.org
Date: Sun, 16 Nov 2003 20:11:36 +0100 (MET)
Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)
Message-Id: <200311161911.UAA25957@galaxy.hbg.de.ao-srv.com>
In-Reply-To: <20031115182409.GA2001@blossom.cjclark.org> from "Crist J. Clark" at "Nov 15, 2003 7:24: 9 pm"
List-Id: Networking and TCP/IP with FreeBSD

Crist J. Clark:
> On Sat, Nov 15, 2003 at 07:54:40AM +0100, Oldach, Helge wrote:
> > From: Crist J. Clark [mailto:cristjc@comcast.net]
> > > Two different ESP end points behind many-to-one NAT connected to
> > > a single ESP end point on the other side of the NAT? I'd be very
> > > curious to get the documentation on how they are cheating to get
> > > that to work.
> > You have posted a reference already. W2k SP4 supports UDP
> > encapsulation of IPSec. And yes, it works fine, and reliably.
> > Further, all of Cisco's and Checkpoint's VPN gear support
> > IPSec-over-UDP as well. This alone is >70% market share.
> Oh, yeah, I know of UDP or TCP encapsulation tricks that work. I have
> dealt with several of these implementations too. I thought that you
> were implying that there were working NAT implementations that could
> deal with ESP in these circumstances.

Apologies... I am actually jumping between loosely related topics somewhat.

In fact both Cisco and Checkpoint also support many-to-one NAT for the ESP and AH protocols. One can indeed have multiple internal VPN devices hidden behind a single public address, all talking to the same outside VPN gateway, without requiring that the VPN devices themselves do tricks to work around NAT (such as UDP encapsulation). As we add Cisco routers (requiring a pretty recent IOS) here, the market share is potentially even higher.

To add, there are all sorts of other drafts that amend IPSec functionality (such as XAUTH and Mode Config, which are also pretty widely deployed in VPN remote access scenarios) that are missing.

FreeBSD lacks features deployed in the market, when acting as a VPN endpoint as well as when acting as a NAT device in the VPN packet flow. Either is a pity, unfortunately. I am not complaining; I am just stating that we're behind. But FreeS/WAN is in no better shape.

Helge
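The distinction the thread turns on, plain ESP through a many-to-one NAT versus UDP-encapsulated ESP, can be shown with a toy port-based NAT. The following is an added example, not part of the thread and not natd's, Cisco's or Checkpoint's code; every address, port and SPI in it is constructed. It demonstrates that raw ESP (IP protocol 50) leaves a port-based NAT nothing but the peer address to key return traffic on, so the second inner endpoint talking to the same gateway silently overwrites the first's mapping, whereas wrapping ESP in UDP gives the NAT a per-flow port to allocate and match, and both replies come back to the right host.

```python
import struct

ESP_PROTO = 50
UDP_PROTO = 17
NAT_T_PORT = 4500    # UDP port conventionally used for UDP-encapsulated ESP

# Constructed addresses: the NAT's public side, the remote VPN gateway,
# and two inner hosts that each run their own IPsec SA to that gateway.
PUBLIC_IP = "198.51.100.1"
GATEWAY = "203.0.113.10"
HOST_A, HOST_B = "10.0.0.11", "10.0.0.12"


def esp_pkt(src, dst, spi, seq):
    """Plain ESP: the header visible to a NAT is only SPI + sequence number."""
    return {"src": src, "dst": dst, "proto": ESP_PROTO,
            "payload": struct.pack("!II", spi, seq)}


def udp_esp_pkt(src, dst, sport, dport, spi, seq):
    """ESP carried in UDP: an 8-byte UDP header (ports, length, checksum)
    precedes the ESP header, so the NAT has ports to rewrite and match on."""
    esp = struct.pack("!II", spi, seq)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(esp), 0)
    return {"src": src, "dst": dst, "proto": UDP_PROTO, "payload": udp + esp}


class PortNat:
    """Minimal many-to-one NAT that, like any port-based NAT, keys UDP flows
    on (address, port) tuples and has no equivalent for ESP (assumed model)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.udp_out = {}   # (inner_ip, inner_port, peer_ip, peer_port) -> public port
        self.udp_in = {}    # (public port, peer_ip, peer_port) -> (inner_ip, inner_port)
        self.esp_in = {}    # peer_ip -> inner_ip: the only key raw ESP offers

    def outbound(self, pkt):
        if pkt["proto"] == UDP_PROTO:
            sport, dport = struct.unpack("!HH", pkt["payload"][:4])
            key = (pkt["src"], sport, pkt["dst"], dport)
            pub = self.udp_out.get(key)
            if pub is None:                     # new flow: allocate a public port
                pub = self.next_port
                self.next_port += 1
                self.udp_out[key] = pub
                self.udp_in[(pub, pkt["dst"], dport)] = (pkt["src"], sport)
            payload = struct.pack("!HH", pub, dport) + pkt["payload"][4:]
            return {**pkt, "src": self.public_ip, "payload": payload}
        if pkt["proto"] == ESP_PROTO:
            # Nothing to allocate: a second inner host talking to the same
            # peer overwrites the first host's return mapping.
            self.esp_in[pkt["dst"]] = pkt["src"]
            return {**pkt, "src": self.public_ip}
        raise ValueError("unsupported protocol")

    def inbound(self, pkt):
        if pkt["proto"] == UDP_PROTO:
            sport, dport = struct.unpack("!HH", pkt["payload"][:4])
            inner = self.udp_in.get((dport, pkt["src"], sport))
            if inner is None:
                return None                     # no state for this flow: drop
            payload = struct.pack("!HH", sport, inner[1]) + pkt["payload"][4:]
            return {**pkt, "dst": inner[0], "payload": payload}
        if pkt["proto"] == ESP_PROTO:
            inner = self.esp_in.get(pkt["src"])
            return None if inner is None else {**pkt, "dst": inner}
        raise ValueError("unsupported protocol")


def deliver(nat, outbound, replies):
    """Send the inner hosts' packets out, then report where each reply lands."""
    for pkt in outbound:
        nat.outbound(pkt)
    landed = []
    for pkt in replies:
        translated = nat.inbound(pkt)
        landed.append(None if translated is None else translated["dst"])
    return landed


def plain_esp_case():
    nat = PortNat(PUBLIC_IP)
    out = [esp_pkt(HOST_A, GATEWAY, 0x1000A, 1), esp_pkt(HOST_B, GATEWAY, 0x1000B, 1)]
    # The gateway answers each host on its own SA (distinct SPIs), but both
    # replies reach the NAT with the same (protocol, source address) tuple.
    replies = [esp_pkt(GATEWAY, PUBLIC_IP, 0x2000A, 1),
               esp_pkt(GATEWAY, PUBLIC_IP, 0x2000B, 1)]
    return deliver(nat, out, replies)           # both land on HOST_B


def udp_encap_case():
    nat = PortNat(PUBLIC_IP)
    out = [udp_esp_pkt(HOST_A, GATEWAY, NAT_T_PORT, NAT_T_PORT, 0x1000A, 1),
           udp_esp_pkt(HOST_B, GATEWAY, NAT_T_PORT, NAT_T_PORT, 0x1000B, 1)]
    # The gateway replies to the public ports the NAT allocated (40000, 40001).
    replies = [udp_esp_pkt(GATEWAY, PUBLIC_IP, NAT_T_PORT, 40000, 0x2000A, 1),
               udp_esp_pkt(GATEWAY, PUBLIC_IP, NAT_T_PORT, 40001, 0x2000B, 1)]
    return deliver(nat, out, replies)           # [HOST_A, HOST_B]


if __name__ == "__main__":
    print("plain ESP replies delivered to:", plain_esp_case())
    print("UDP-encapsulated replies delivered to:", udp_encap_case())
```

The model deliberately stops at what a port-based NAT can see; the SPI-aware translation that the message credits Cisco and Checkpoint with is a different mechanism and is not modelled here. Replacing the `esp_in` table with one keyed on the peer address plus SPI is the natural extension if you want to experiment with that direction.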