From owner-freebsd-security Thu Feb 7 14:18:30 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.cise.ufl.edu (beach.cise.ufl.edu [128.227.205.211]) by hub.freebsd.org (Postfix) with ESMTP id DF90237B404 for ; Thu, 7 Feb 2002 14:18:24 -0800 (PST)
Received: from cise.ufl.edu (shine.cise.ufl.edu [128.227.205.227]) by mail.cise.ufl.edu (Postfix) with ESMTP id BEA206B27; Thu, 7 Feb 2002 17:18:23 -0500 (EST)
To: Garrett Wollman
Cc: security@FreeBSD.ORG
Subject: Re: Questions (Rants?) About IPSEC
In-Reply-To: Message from Garrett Wollman of "Thu, 07 Feb 2002 16:42:13 EST." <200202072142.g17LgDL69359@khavrinen.lcs.mit.edu>
Date: Thu, 07 Feb 2002 17:18:23 -0500
From: "James F. Hranicky"
Message-Id: <20020207221823.BEA206B27@mail.cise.ufl.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Garrett Wollman wrote:

> > - IPSEC routers have to basically be the border router for
> >   a site, as there is no post-decryption NAT protocol to
> >   get packets back to a router on the inside of the network
> >   (Apparently, Cisco VPN boxes have this capability, but
> >   it's an add-on to IPSEC AFAICT).
>
> IPSEC is designed to thwart processes which corrupt packet headers
> (including NAT).

In my scenario, NAT would occur after decryption, allowing IPSEC routers to be placed at arbitrary points in the internal net. As I understand it, CISCO's VPN box does just that.

Thanks for your input.

Jim
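The exchange above turns on one mechanism: an IPsec integrity check (AH in particular) covers the IP addresses, so any NAT that rewrites them before the IPsec endpoint verifies the packet makes verification fail, whereas NAT applied after the endpoint has verified and stripped the IPsec header is harmless. The following is an added illustration written for this archive page, not code from either poster or from FreeBSD; it is a deliberately simplified model of AH (an HMAC over the immutable header fields and payload, with the mutable TTL zeroed), the key and the addresses are constructed values, and the packet layout is not the real AH wire format.

```python
"""Simplified model of why NAT between the sender and an IPsec (AH)
endpoint breaks the integrity check, and why NAT applied after the
endpoint has verified the packet does not.  Constructed example."""
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed shared key for the security association (assumption, not a real key).
SA_KEY = b"constructed-sa-key-for-illustration-only"


@dataclass(frozen=True)
class Packet:
    src: str          # outer IP source address
    dst: str          # outer IP destination address
    ttl: int          # mutable in transit, excluded from the ICV
    payload: bytes
    icv: bytes = b""  # AH integrity check value; empty when no AH header present


def _icv_input(pkt: Packet) -> bytes:
    # AH authenticates the immutable header fields (addresses) plus the payload.
    # Mutable fields such as TTL are treated as zero so normal routing is tolerated.
    return b"|".join([pkt.src.encode(), pkt.dst.encode(), b"0", pkt.payload])


def ah_protect(pkt: Packet, key: bytes = SA_KEY) -> Packet:
    """Sender side: attach an ICV computed over the covered fields."""
    icv = hmac.new(key, _icv_input(pkt), hashlib.sha256).digest()
    return replace(pkt, icv=icv)


def ah_verify(pkt: Packet, key: bytes = SA_KEY) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    expected = hmac.new(key, _icv_input(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.icv)


def forward_hop(pkt: Packet) -> Packet:
    """An ordinary router: decrements TTL, leaves addresses alone."""
    return replace(pkt, ttl=pkt.ttl - 1)


def nat_rewrite(pkt: Packet, new_src: str) -> Packet:
    """Source NAT: rewrites the source address; it cannot fix up the ICV."""
    return replace(pkt, src=new_src)


def nat_before_ipsec_endpoint(pkt: Packet) -> bool:
    """NAT sits between the sender and the IPsec router (the problem case):
    the address rewrite happens before verification, so AH rejects the packet."""
    on_wire = ah_protect(pkt)
    natted = nat_rewrite(forward_hop(on_wire), "203.0.113.1")  # constructed NAT address
    return ah_verify(natted)


def nat_after_ipsec_endpoint(pkt: Packet) -> bool:
    """The IPsec router verifies first, strips AH, and only then is the
    (now unprotected) packet NATed toward an internal router.  This is the
    'NAT after decryption' ordering the reply describes."""
    arrived = forward_hop(ah_protect(pkt))
    if not ah_verify(arrived):
        return False
    decapsulated = replace(arrived, icv=b"")            # AH header removed
    inner = nat_rewrite(decapsulated, "10.0.0.5")       # constructed internal address
    return inner.src == "10.0.0.5" and inner.payload == pkt.payload


if __name__ == "__main__":
    sample = Packet("198.51.100.7", "192.0.2.10", 64, b"constructed payload")
    print("plain routing, AH verifies:", ah_verify(forward_hop(ah_protect(sample))))
    print("NAT before IPsec endpoint:", nat_before_ipsec_endpoint(sample))
    print("NAT after IPsec endpoint: ", nat_after_ipsec_endpoint(sample))
```

The model only shows the ordering argument; real deployments that must place an IPsec endpoint behind a NAT rely on protocol-level support for NAT traversal rather than on the NAT device understanding the security association.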