Date: Sun, 18 Aug 2013 14:17:45 +0200
From: Terje Elde <terje@elde.net>
To: Adam Vande More <amvandemore@gmail.com>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>, Frank Leonhardt <freebsd-doc@fjl.co.uk>
Subject: Re: VPN where local private address collide
Message-ID: <791847EC-8E72-4013-9157-7AD0ACB62A7D@elde.net>
In-Reply-To: <CA+tpaK1kG5BtKjO+FrSXwkgTJ_k5K7HxtL8vih7Mq+b7r6KYWg@mail.gmail.com>
References: <520E5EC0.5090105@fjl.co.uk> <9FB6809B-DD5D-4A04-8BD9-0271FAC03181@elde.net> <520F53A2.80707@fjl.co.uk> <B86F8EA5-67BE-4791-8CAE-6E70BB326500@elde.net> <520F8AA8.8030407@fjl.co.uk> <1FF39756-0555-4CD8-95B7-862F9644CF78@elde.net> <CA+tpaK1kG5BtKjO+FrSXwkgTJ_k5K7HxtL8vih7Mq+b7r6KYWg@mail.gmail.com>
On 18. aug. 2013, at 02.43, Adam Vande More wrote:

> > What about SSL/TLS for example? How would the router swap the header in an encrypted session?
>
> Same as it would any sessions since only the payload is encrypted. What Frank calls basic nat, most people call static nat (at least people who have read enough Cisco docs) and it works just fine. Also you are confusing headers.

The point I was aiming for was that even if you were to swap the IPs in the IP-header on the gateway, some protocols still reference the IPs inside the TCP-payload, and while you can rewrite that on a NAT-box using an application level gateway, you cannot do that if the session is using SSL or TLS.

I was referring to headers *inside* the SSL/TLS-layers. I thought that was obvious, but I see I might not have been clear enough.

Yes, you can often still resolve it on the server, but just how messy does one want to get stacking workaround on top of workaround, just to avoid renumbering the network?

Terje
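The exchange above turns on two separate mechanisms: a 1:1 static NAT that rewrites the IP header when two sites both use the same private range, and an application-level gateway (ALG) that rewrites addresses an application has embedded in its payload. The following is an added illustration, not code from the thread or from any FreeBSD component; the subnets (192.168.1.0/24 used at both sites, 10.1.1.0/24 and 10.2.2.0/24 as the per-site aliases), the packet layout and the XOR "cipher" standing in for TLS record encryption are all constructed assumptions. It models one packet from a site A host to a site B host, once with a plaintext payload and once with an encrypted one, so the reader can see exactly which address the receiving side ends up looking at in each case.

```python
"""Static NAT plus a toy ALG across a VPN where both sites use 192.168.1.0/24.

Constructed example: subnets, packet layout and the keystream stand-in for
TLS are assumptions made for illustration, not anything from the thread.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # real range at BOTH sites (the collision)
SITE_A_ALIAS = ipaddress.ip_network("10.1.1.0/24")   # how site B addresses site A hosts
SITE_B_ALIAS = ipaddress.ip_network("10.2.2.0/24")   # how site A addresses site B hosts

# Dotted-quad pattern an ALG would search for inside an application payload.
DOTTED_QUAD = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def translate(addr: str, src_net, dst_net) -> str:
    """1:1 static NAT: keep the host part, swap the network prefix.
    Addresses outside src_net (or unparsable ones) pass through untouched."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    if ip not in src_net:
        return addr
    offset = int(ip) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + offset))


def alg_rewrite(payload: bytes, src_net, dst_net) -> bytes:
    """Application-level gateway: rewrite addresses embedded in the payload
    with the same mapping applied to the IP header. Only works on plaintext."""
    def fix(match):
        return translate(match.group(0).decode(), src_net, dst_net).encode()
    return DOTTED_QUAD.sub(fix, payload)


def site_a_egress(pkt: Packet) -> Packet:
    """Site A gateway, outbound: source 192.168.1.x becomes 10.1.1.x, ALG runs on payload."""
    return Packet(src=translate(pkt.src, LOCAL_NET, SITE_A_ALIAS),
                  dst=pkt.dst,
                  payload=alg_rewrite(pkt.payload, LOCAL_NET, SITE_A_ALIAS))


def site_b_ingress(pkt: Packet) -> Packet:
    """Site B gateway, inbound: destination 10.2.2.y becomes the real 192.168.1.y."""
    return Packet(src=pkt.src,
                  dst=translate(pkt.dst, SITE_B_ALIAS, LOCAL_NET),
                  payload=pkt.payload)


def toy_keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for TLS record protection: XOR with a SHA-256 derived keystream.
    NOT a real cipher; it only models that the gateway can neither read nor
    edit the payload bytes. Applying it twice with the same key decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def send_across_vpn(message: bytes, encrypted: bool,
                    key: bytes = b"constructed-session-key"):
    """Host 192.168.1.5 at site A sends `message` to host .7 at site B
    (addressed via B's alias). Returns (src, dst, payload as seen at B)."""
    payload = toy_keystream_xor(message, key) if encrypted else message
    pkt = Packet(src="192.168.1.5", dst="10.2.2.7", payload=payload)
    pkt = site_a_egress(pkt)
    pkt = site_b_ingress(pkt)
    seen_at_b = toy_keystream_xor(pkt.payload, key) if encrypted else pkt.payload
    return pkt.src, pkt.dst, seen_at_b


if __name__ == "__main__":
    msg = b"connect back to 192.168.1.5"
    print(send_across_vpn(msg, encrypted=False))
    print(send_across_vpn(msg, encrypted=True))
```

In the plaintext run the header and the embedded address both come out as 10.1.1.5, so site B has a consistent picture. In the encrypted run the header still says 10.1.1.5 but the decrypted payload still says 192.168.1.5, which at site B is one of its own local hosts; that is the ambiguity the gateway cannot fix and that would have to be patched around on the server or removed by renumbering.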