From owner-freebsd-questions@FreeBSD.ORG Sun Jan 23 13:36:17 2005
Message-ID: <19861fba050123053644f383f7@mail.gmail.com>
Date: Sun, 23 Jan 2005 14:36:16 +0100
From: J65nko BSD
To: Erik Norgaard
Cc: FreeBSD Questions
In-Reply-To: <41F39CE7.7040209@locolomo.org>
References: <41F39CE7.7040209@locolomo.org>
Subject: Re: IPSec without AH

On Sun, 23 Jan 2005 13:47:35 +0100, Erik Norgaard wrote:
> Hi,
>
> Due to the problems of IPSec with NAT I was thinking if it is possible to
> setup IPSec without Authenticated Headers? Does anyone know of a howto?
>
> My postulate is that since data is encrypted, this should provide the
> same security as SSL/TLS - or better as _all_ protocols are encapsulated
> - or did I miss something?
>
> Thanks, Erik

The AH (Authenticated Header) protocol cannot be used with NAT: NAT modifies the header of packets, while AH is supposed to protect that header from being modified.

Another IPSEC protocol, ESP (Encrypted Security Payload), both authenticates and encrypts, and thus has no problem with NAT traversal.

BTW I am not an IPSEC expert, just scratched its surface a little bit ;)

=Adriaan=
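The point made in the reply above, as an added illustration that is not part of the thread: a simplified model (constructed key, addresses and payload, not real IPsec packet formats) in which an AH-style integrity check covers the IP addresses while an ESP-style check covers only the encapsulated payload, so a NAT rewrite breaks the first and not the second.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key; a real SA key would come from IKE, not a literal.
KEY = b"constructed-demo-key"


def make_packet(src, dst, ttl, payload):
    return {"src": src, "dst": dst, "ttl": ttl, "payload": payload}


def ah_icv(pkt):
    """AH-style ICV: HMAC over the IP header with mutable fields zeroed
    (TTL here) plus the payload. Source/destination addresses count as
    immutable and are covered, which is exactly what NAT rewrites."""
    covered = (socket.inet_aton(pkt["src"]) + socket.inet_aton(pkt["dst"])
               + struct.pack("!B", 0) + pkt["payload"])
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def esp_icv(pkt):
    """ESP-style ICV: HMAC over the encapsulated payload only; the outer
    IP header is not covered, so address rewriting cannot invalidate it."""
    return hmac.new(KEY, pkt["payload"], hashlib.sha256).digest()


def router_hop(pkt):
    """An ordinary router only decrements TTL (a mutable field)."""
    return dict(pkt, ttl=pkt["ttl"] - 1)


def nat_rewrite(pkt, new_src):
    """A NAT gateway also replaces the source address."""
    return dict(router_hop(pkt), src=new_src)


def check(icv_fn, sent, received):
    """Receiver recomputes the ICV over what arrived and compares it with
    the ICV the sender computed, in constant time."""
    return hmac.compare_digest(icv_fn(received), icv_fn(sent))


def demo():
    sent = make_packet("192.168.1.10", "203.0.113.5", 64, b"constructed payload")
    return {
        "ah_after_router": check(ah_icv, sent, router_hop(sent)),
        "ah_after_nat": check(ah_icv, sent, nat_rewrite(sent, "198.51.100.7")),
        "esp_after_nat": check(esp_icv, sent, nat_rewrite(sent, "198.51.100.7")),
    }
```

The model shows why AH survives a plain router (TTL is excluded) but not a NAT, and why ESP is indifferent to the outer header; in practice ESP through NAT still relies on UDP encapsulation (NAT-T) so the gateway can track the flow.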