Date: Thu, 07 Feb 2002 17:18:23 -0500
From: "James F. Hranicky" <jfh@cise.ufl.edu>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: security@FreeBSD.ORG
Subject: Re: Questions (Rants?) About IPSEC
Message-ID: <20020212021148.B91D79EFB0@okeeffe.bestweb.net>

Garrett Wollman <wollman@khavrinen.lcs.mit.edu> wrote:

>
> > - IPSEC routers have to basically be the border router for
> >   a site, as there is no post-decryption NAT protocol to
> >   get packets back to a router on the inside of the network
> >   (Apparently, Cisco VPN boxes have this capability, but
> >   it's an add-on to IPSEC AFAICT).
>
> IPSEC is designed to thwart processes which corrupt packet headers
> (including NAT).

In my scenario, NAT would occur after decryption, allowing IPSEC routers
to be placed at arbitrary points in the internal net. As I understand it,
CISCO's VPN box does just that.

Thanks for your input.

Jim

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message