Date: Sun, 23 Jan 2005 14:36:16 +0100
From: J65nko BSD <j65nko@gmail.com>
To: Erik Norgaard <norgaard@locolomo.org>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: IPSec without AH
Message-ID: <19861fba050123053644f383f7@mail.gmail.com>
In-Reply-To: <41F39CE7.7040209@locolomo.org>
References: <41F39CE7.7040209@locolomo.org>

On Sun, 23 Jan 2005 13:47:35 +0100, Erik Norgaard <norgaard@locolomo.org> wrote:
> Hi,
>
> Due to the problems of IPSec with NAT I was thinking if it is possible to
> setup IPSec without Authenticated Headers? Does anyone know of a howto?
>
> My postulate is that since data is encrypted, this should provide the
> same security as SSL/TLS - or better as _all_ protocols are encapsulated
> - or did I miss something?
>
> Thanks, Erik

The AH (Authenticated Header) protocol cannot be used with NAT; NAT
modifies the header of packets, while AH is supposed to protect that
header from being modified.

Another IPSEC protocol, ESP (Encrypted Security Payload), both
authenticates and encrypts, and thus has no problem with NAT traversal.

BTW I am not an IPSEC expert, just scratched its surface a little bit ;)

=Adriaan=
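The integrity-scope difference behind the reply above, as an added example that is not part of the original message: a simplified model in which the AH check value covers the IP source and destination addresses, while the ESP check value covers only the ESP header and payload. The key, addresses, payload, function names and the truncated HMAC-SHA-256 are assumptions made for the illustration.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed; not a real security-association key
# Constructed packet body: SPI, sequence number, opaque ciphertext.
BODY = struct.pack("!II", 0x1000, 1) + b"constructed ciphertext"


def ipv4_header(src, dst, proto, ttl=64):
    """20-byte IPv4 header without options; checksum left at zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(BODY), 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def icv(header):
    """Integrity check value, scoped as AH (protocol 51) or ESP (protocol 50)."""
    if header[9] == 51:
        h = bytearray(header)
        h[1] = 0                 # TOS: mutable in transit, zeroed before the MAC
        h[6:8] = b"\x00\x00"     # flags and fragment offset: mutable
        h[8] = 0                 # TTL: mutable
        h[10:12] = b"\x00\x00"   # header checksum: mutable
        covered = bytes(h) + BODY  # addresses remain inside the MAC
    else:
        covered = BODY             # outer IP header is outside the MAC
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:16]


def nat_rewrite_source(header, new_src):
    """What source NAT does to the IP header: replace bytes 12..15."""
    return header[:12] + socket.inet_aton(new_src) + header[16:]


def decrement_ttl(header):
    """What every router hop does: TTL minus one."""
    return header[:8] + bytes([header[8] - 1]) + header[9:]


def receiver_accepts(proto, in_transit):
    """Sender computes the ICV, the path alters the header, receiver re-checks."""
    sent = ipv4_header("192.168.1.10", "203.0.113.5", proto)
    return hmac.compare_digest(icv(sent), icv(in_transit(sent)))


if __name__ == "__main__":
    nat = lambda h: nat_rewrite_source(h, "198.51.100.7")
    print("AH  after a router hop:", receiver_accepts(51, decrement_ttl))
    print("AH  after source NAT  :", receiver_accepts(51, nat))
    print("ESP after source NAT  :", receiver_accepts(50, nat))
```

The model covers integrity scope only; ESP behind a port-translating NAT is normally carried in UDP (NAT-T, RFC 3948) because ESP itself has no port numbers.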