From owner-freebsd-net@FreeBSD.ORG Sun Dec 14 10:14:49 2008
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A35231065673
	for ; Sun, 14 Dec 2008 10:14:49 +0000 (UTC)
	(envelope-from vanhu@zeninc.net)
Received: from smtp.zeninc.net (smtp.zeninc.net [80.67.176.25])
	by mx1.freebsd.org (Postfix) with ESMTP id 613BF8FC1F
	for ; Sun, 14 Dec 2008 10:14:49 +0000 (UTC)
	(envelope-from vanhu@zeninc.net)
Received: from albator.zen.inc (albator.zen.inc [192.168.1.5])
	by smtp.zeninc.net (smtpd) with ESMTP id 0E77D2798B8;
	Sun, 14 Dec 2008 11:14:46 +0100 (CET)
Received: by albator.zen.inc (Postfix, from userid 1000)
	id D51867343A; Sun, 14 Dec 2008 11:14:45 +0100 (CET)
Date: Sun, 14 Dec 2008 11:14:45 +0100
From: VANHULLEBUS Yvan
To: Stephen Clark
Message-ID: <20081214101445.GA2617@zeninc.net>
References: <20081211122828.CF3958FC16@mx1.freebsd.org>
	<20081211123958.GA5332@zeninc.net>
	<200812121845.20262.artem@aws-net.org.ua>
	<20081212175500.GA2573@zeninc.net>
	<4942B264.5020607@earthlink.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4942B264.5020607@earthlink.net>
User-Agent: All mail clients suck. This one just sucks less.
Cc: freebsd-net@freebsd.org
Subject: Re: NAT-T + ipsec integration
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 14 Dec 2008 10:14:49 -0000

On Fri, Dec 12, 2008 at 01:50:12PM -0500, Stephen Clark wrote:
[...]
> Are there any restrictions for nat-t on freebsd-6, like number of vpns that
> can be natted?

NAT-T generates quite no more restrictions than non NAT-T tunnels.

Number of VPN tunnels may be a little bit lower with NAT-T than
without: we do know that PFKey's buffer is the actual limitation when
increasing number of SPD/SAD entries, and entries with NAT-T will
generate (a few) more data per entry.

I don't have exact numbers to provide to you, but expect number of
running NAT-T tunnels to be a bit lower than without NAT-T.

This is the only limit AFAIK.

Yvan.