Date: Sat, 15 Nov 2003 07:54:40 +0100 From: "Oldach, Helge" <Helge.Oldach@atosorigin.com> To: "'cjclark@alum.mit.edu'" <cjclark@alum.mit.edu> Cc: freebsd-net@freebsd.org Subject: RE: IPSec VPN & NATD (problem with alias_address vs redirect_addr ess) Message-ID: <D2CFC58E0F8CB443B54BE72201E8916E94CA16@dehhx005.hbg.de.int.atosorigin.com>
next in thread | raw e-mail | index | archive | help
From: Crist J. Clark [mailto:cristjc@comcast.net] > On Fri, Nov 14, 2003 at 06:22:55PM +0100, Helge Oldach wrote: > > Nothing that works well and has noticeable exposure is useless. This > > definitely has both. Not with FreeBSD, though. It does work with Windows > > 2000 SP4, to put a name up... So it's definitely out there. > > Two different ESP end points behind many-to-one NAT connected to a > single ESP end point on the other side of the NAT? I'd be very curious > to get the documentation on how they are cheating to get that to work. You have posted a reference already. W2k SP4 supports UDP encapsulation of IPSec. And yes, it works fine, and reliably. Further, all of Cisco's and Checkpoints VPN gear support IPSec-over-UDP as well. This alone is >70% market share. Note that an MS employee has co-authored one of the IETF drafts you had mentioned. This is apparently not just coincidence... I do well understand that there is no general solution. However, FreeBSD is definitely behind what is available on the commercial market today. Call it "cheating" - but it's out there and it works. I would rather prefer to see a feature that doesn't solve a 100% case than to see nothing because we feel that a "general specification" is missing. Helge
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D2CFC58E0F8CB443B54BE72201E8916E94CA16>