From owner-freebsd-security Mon Feb 11 18:24: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id EE33F37B47B for ; Mon, 11 Feb 2002 18:16:55 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id C28FC230E4; Mon, 11 Feb 2002 21:16:43 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id B91D79EFB0; Mon, 11 Feb 2002 21:11:48 -0500 (EST) To: Garrett Wollman Cc: security@FreeBSD.ORG Subject: Re: Questions (Rants?) About IPSEC Date: Thu, 07 Feb 2002 17:18:23 -0500 From: "James F. Hranicky" Message-Id: <20020212021148.B91D79EFB0@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Garrett Wollman wrote: > > > - IPSEC routers have to basically be the border router for > > a site, as there is no post-decryption NAT protocol to > > get packets back to a router on the inside of the network > > (Apparently, Cisco VPN boxes have this capability, but > > it's an add-on to IPSEC AFAICT). > > IPSEC is designed to thwart processes which corrupt packet headers > (including NAT). In my scenario, NAT would occur after decryption, allowing IPSEC routers to be placed at arbitrary points in the internal net. As I understand it, CISCO's VPN box does just that. Thanks for your input. Jim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message