Date:      Sat, 15 Nov 2003 07:54:40 +0100
From:      "Oldach, Helge" <>
To:        "''" <>
Subject:   RE: IPSec VPN & NATD (problem with alias_address vs redirect_address)
Message-ID:  <>

From: Crist J. Clark []
> On Fri, Nov 14, 2003 at 06:22:55PM +0100, Helge Oldach wrote:
> > Nothing that works well and has noticeable exposure is useless. This
> > definitely has both. Not with FreeBSD, though. It does work with Windows
> > 2000 SP4, to put a name up... So it's definitely out there.
> Two different ESP end points behind many-to-one NAT connected to a
> single ESP end point on the other side of the NAT? I'd be very curious
> to get the documentation on how they are cheating to get that to work.

You have posted a reference already. W2k SP4 supports UDP encapsulation of
IPSec. And yes, it works fine, and reliably. Further, all of Cisco's and
Checkpoint's VPN gear supports IPSec-over-UDP as well. This alone is >70%
market share.

Note that an MS employee has co-authored one of the IETF drafts you had
mentioned. This is apparently not just coincidence...

I do well understand that there is no general solution. However, FreeBSD
is definitely behind what is available on the commercial market today. Call
it "cheating" - but it's out there and it works. I would rather prefer
a feature that doesn't solve a 100% case than to see nothing because we feel
that a "general specification" is missing.
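The mechanism the thread argues about, shown as an added example that is not part of the original message: UDP encapsulation of IPsec as later published in RFC 3948 (the successor of the IETF drafts mentioned above) puts both IKE and ESP on UDP port 4500, so a many-to-one NAT can separate two inside ESP endpoints by the UDP source ports it rewrites. The classifier reads the real RFC 3948 layout; the NAT class, addresses and packet bytes are constructed for illustration.

```python
import struct

NAT_T_PORT = 4500                      # UDP port for IKE and ESP NAT traversal (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero bytes prefix IKE messages on port 4500


def classify_nat_t_payload(payload: bytes) -> str:
    """Return 'keepalive', 'ike' or 'esp' for the payload of a UDP/4500 datagram."""
    if payload == b"\xff":             # NAT keepalive is a single 0xFF byte
        return "keepalive"
    if len(payload) < 8:
        raise ValueError("too short for IKE or ESP over UDP")
    if payload[:4] == NON_ESP_MARKER:  # IKE header follows the zero marker
        return "ike"
    return "esp"                       # an ESP SPI is never zero, so it cannot clash with the marker


def esp_spi(payload: bytes) -> int:
    """SPI of a UDP-encapsulated ESP packet: the first 4 bytes, network byte order."""
    if classify_nat_t_payload(payload) != "esp":
        raise ValueError("not UDP-encapsulated ESP")
    return struct.unpack("!I", payload[:4])[0]


class ManyToOneNat:
    """Constructed port-translating NAT: (inside ip, inside port) -> unique public port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (inside ip, inside port) -> public port
        self.back = {}   # public port -> (inside ip, inside port)

    def outbound(self, in_ip, in_port, dst_ip, dst_port):
        key = (in_ip, in_port)
        if key not in self.out:          # first packet of a flow allocates a public port
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, public_port):
        return self.back[public_port]    # reply traffic is demultiplexed by destination port


def two_clients_one_peer() -> bool:
    """Two inside hosts reach the same remote gateway (constructed addresses) through one NAT."""
    nat = ManyToOneNat("203.0.113.1")
    a = nat.outbound("10.0.0.2", NAT_T_PORT, "198.51.100.7", NAT_T_PORT)
    b = nat.outbound("10.0.0.3", NAT_T_PORT, "198.51.100.7", NAT_T_PORT)
    # distinct public ports, and each reply maps back to the right inside host
    return (a[1] != b[1]
            and nat.inbound(a[1]) == ("10.0.0.2", NAT_T_PORT)
            and nat.inbound(b[1]) == ("10.0.0.3", NAT_T_PORT))
```

With plain ESP (IP protocol 50) there is no port field to rewrite, which is why the same two-client case is hard for a many-to-one NAT without the UDP wrapper.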