Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 15 Nov 2003 07:54:40 +0100
From:      "Oldach, Helge" <Helge.Oldach@atosorigin.com>
To:        "'cjclark@alum.mit.edu'" <cjclark@alum.mit.edu>
Cc:        freebsd-net@freebsd.org
Subject:   RE: IPSec VPN & NATD (problem with alias_address vs redirect_addr ess)
Message-ID:  <D2CFC58E0F8CB443B54BE72201E8916E94CA16@dehhx005.hbg.de.int.atosorigin.com>

Next in thread | Raw E-Mail | Index | Archive | Help
From: Crist J. Clark [mailto:cristjc@comcast.net]
> On Fri, Nov 14, 2003 at 06:22:55PM +0100, Helge Oldach wrote:
> > Nothing that works well and has noticeable exposure is useless. This
> > definitely has both. Not with FreeBSD, though. It does work with Windows
> > 2000 SP4, to put a name up... So it's definitely out there.
> 
> Two different ESP end points behind many-to-one NAT connected to a
> single ESP end point on the other side of the NAT? I'd be very curious
> to get the documentation on how they are cheating to get that to work.

You have posted a reference already. W2k SP4 supports UDP encapsulation of
IPSec. And yes, it works fine, and reliably. Further, all of Cisco's and
Checkpoints VPN gear support IPSec-over-UDP as well. This alone is >70%
market share.

Note that an MS employee has co-authored one of the IETF drafts you had
mentioned. This is apparently not just coincidence...

I do well understand that there is no general solution. However, FreeBSD
is definitely behind what is available on the commercial market today. Call
it "cheating" - but it's out there and it works. I would rather prefer to
see
a feature that doesn't solve a 100% case than to see nothing because we feel
that a "general specification" is missing.

Helge



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?D2CFC58E0F8CB443B54BE72201E8916E94CA16>