Date: Sat, 15 Nov 2003 10:24:09 -0800
From: "Crist J. Clark" <cristjc@comcast.net>
To: "Oldach, Helge" <Helge.Oldach@atosorigin.com>
Cc: freebsd-net@freebsd.org
Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)
Message-ID: <20031115182409.GA2001@blossom.cjclark.org>
In-Reply-To: <D2CFC58E0F8CB443B54BE72201E8916E94CA16@dehhx005.hbg.de.int.atosorigin.com>
References: <D2CFC58E0F8CB443B54BE72201E8916E94CA16@dehhx005.hbg.de.int.atosorigin.com>
On Sat, Nov 15, 2003 at 07:54:40AM +0100, Oldach, Helge wrote:
> From: Crist J. Clark [mailto:cristjc@comcast.net]
> > On Fri, Nov 14, 2003 at 06:22:55PM +0100, Helge Oldach wrote:
> > > Nothing that works well and has noticeable exposure is useless. This
> > > definitely has both. Not with FreeBSD, though. It does work with Windows
> > > 2000 SP4, to put a name up... So it's definitely out there.
> >
> > Two different ESP end points behind many-to-one NAT connected to a
> > single ESP end point on the other side of the NAT? I'd be very curious
> > to get the documentation on how they are cheating to get that to work.
>
> You have posted a reference already. W2k SP4 supports UDP encapsulation of
> IPSec. And yes, it works fine, and reliably. Further, all of Cisco's and
> Checkpoint's VPN gear support IPSec-over-UDP as well. This alone is >70%
> market share.

Oh, yeah, I know of UDP or TCP encapsulation tricks that work. I have dealt
with several of these implementations too. I thought that you were implying
that there were working NAT implementations that could deal with ESP in these
circumstances.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
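The exchange above turns on why a many-to-one NAT cannot carry two inside ESP peers to the same remote endpoint, and why UDP encapsulation sidesteps it. The following is an added illustration, not code from the thread or from FreeBSD's natd: a minimal NAPT model with constructed addresses, SPIs and UDP port 4500 (the IPsec NAT-T port) showing that plain ESP, which has no port field, leaves the NAT with only the peer address to key on, so the reply for host A is handed to host B, whereas ESP-in-UDP gets a distinct translated port per inside host.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
INSIDE_A, INSIDE_B = "192.0.2.10", "192.0.2.11"
NAT_PUBLIC, REMOTE = "203.0.113.1", "198.51.100.5"

@dataclass(frozen=True)
class Pkt:
    proto: str                   # "ESP" or "UDP"
    src: str
    dst: str
    sport: Optional[int] = None  # UDP only
    dport: Optional[int] = None  # UDP only
    spi: Optional[int] = None    # ESP only; chosen by the receiver, negotiated inside IKE

class NAPT:
    """Minimal many-to-one NAT: state keyed on (proto, peer, translated port)."""
    def __init__(self):
        self.next_port = 40000
        self.table = {}  # (proto, peer_ip, public_port) -> (inside_ip, inside_port)

    def outbound(self, p: Pkt) -> Pkt:
        if p.proto == "UDP":
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[("UDP", p.dst, port)] = (p.src, p.sport)
            return Pkt("UDP", NAT_PUBLIC, p.dst, port, p.dport)
        # ESP carries no ports, and the NAT cannot know which inside host a future
        # inbound SPI belongs to, so the only usable key is the peer address.
        self.table[("ESP", p.dst, None)] = (p.src, None)  # second host overwrites first
        return Pkt("ESP", NAT_PUBLIC, p.dst, spi=p.spi)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        key = ("UDP", p.src, p.dport) if p.proto == "UDP" else ("ESP", p.src, None)
        inside = self.table.get(key)
        if inside is None:
            return None  # no state: the NAT drops the packet
        return Pkt(p.proto, p.src, inside[0], p.sport, inside[1], p.spi)

def demo_esp():
    """Two inside ESP peers -> one remote peer: the reply meant for A lands on B."""
    nat = NAPT()
    nat.outbound(Pkt("ESP", INSIDE_A, REMOTE, spi=0x1001))
    nat.outbound(Pkt("ESP", INSIDE_B, REMOTE, spi=0x2002))
    return nat.inbound(Pkt("ESP", REMOTE, NAT_PUBLIC, spi=0xA001)).dst  # INSIDE_B

def demo_udp_encap():
    """Same two peers with ESP in UDP/4500: distinct translated ports, both delivered."""
    nat = NAPT()
    a = nat.outbound(Pkt("UDP", INSIDE_A, REMOTE, 4500, 4500))
    b = nat.outbound(Pkt("UDP", INSIDE_B, REMOTE, 4500, 4500))
    ra = nat.inbound(Pkt("UDP", REMOTE, NAT_PUBLIC, 4500, a.sport))
    rb = nat.inbound(Pkt("UDP", REMOTE, NAT_PUBLIC, 4500, b.sport))
    return ra.dst, rb.dst  # (INSIDE_A, INSIDE_B)
```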