From owner-freebsd-security Thu Jan 24 12:12:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id B2FD937B428 for ; Thu, 24 Jan 2002 12:12:43 -0800 (PST) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g0OKCgK00226; Thu, 24 Jan 2002 14:12:42 -0600 (CST) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id OAA22665; Thu, 24 Jan 2002 14:12:42 -0600 (CST) Message-ID: <3C506A89.AFC3EF38@centtech.com> Date: Thu, 24 Jan 2002 14:11:53 -0600 From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Nate Williams Cc: dr3node , freebsd-security@freebsd.org Subject: Re: Can't set up an IPsec tunnel. References: <200201241847.AHX10883@vmms1.verisignmail.com> <3C50588C.7200324B@centtech.com> <200201241900.AHX11812@vmms1.verisignmail.com> <3C505AFD.52FF9ADE@centtech.com> <15440.26956.433891.236940@caddis.yogotech.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I'm not saying B can modify the data, I'm saying A can't trust C's data, since it appears to come from B, and C builds it as if it's coming from C, with no knowledge that B is NAT'ing.. Nate Williams wrote: > > > As far as I know, no, because that would be like a "man in the middle" attack (I > > think). Like this: > > > > A <--- B ---> C > > > > If A is talking to C via IPSEC, A tells C it's IP (the true IP) and C tells A > > it's IP (its true IP, behind the masquaraded host), but A sees C as B's IP > > address. How does it know that C knows that B exists? > > It doesn't matter, since B can't read/modify the traffic A or C > generated. > > It can certainly mess with the headers all it wants, but that won't help > it figure out what is going on. > > (Again, this assumes that A & C have authenticated themselves correctly, > per the IPSEC specification. :) > > Nate > > > dr3node wrote: > > > > > > On Thursday 24 January 2002 21:55, you wrote: > > > > IPSEC won't work through masquarading boxes or NAT firewalls. > > > > > > > > Eric > > > > > > is there any way way to cheat? > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > -- > > ------------------------------------------------------------------ > > Eric Anderson anderson@centtech.com Centaur Technology > > If at first you don't succeed, sky diving is probably not for you. > > ------------------------------------------------------------------ > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message -- ------------------------------------------------------------------ Eric Anderson anderson@centtech.com Centaur Technology If at first you don't succeed, sky diving is probably not for you. ------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message