Date: Thu, 07 Feb 2002 17:18:23 -0500
From: "James F. Hranicky" <jfh@cise.ufl.edu>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: security@FreeBSD.ORG
Subject: Re: Questions (Rants?) About IPSEC
Message-ID: <20020207221823.BEA206B27@mail.cise.ufl.edu>
In-Reply-To: Message from Garrett Wollman <wollman@khavrinen.lcs.mit.edu> of "Thu, 07 Feb 2002 16:42:13 EST." <200202072142.g17LgDL69359@khavrinen.lcs.mit.edu>

Garrett Wollman <wollman@khavrinen.lcs.mit.edu> wrote:

> > - IPSEC routers have to basically be the border router for
> >   a site, as there is no post-decryption NAT protocol to
> >   get packets back to a router on the inside of the network
> >   (Apparently, Cisco VPN boxes have this capability, but
> >   it's an add-on to IPSEC AFAICT).
>
> IPSEC is designed to thwart processes which corrupt packet headers
> (including NAT).

In my scenario, NAT would occur after decryption, allowing IPSEC
routers to be placed at arbitrary points in the internal net. As
I understand it, CISCO's VPN box does just that.

Thanks for your input.

Jim

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020207221823.BEA206B27>
