From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 14 22:55:33 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7B5F916A4CE; Fri, 14 Nov 2003 22:55:33 -0800 (PST) Received: from mizar.origin-it.net (mizar.origin-it.net [194.8.96.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id D397F43F85; Fri, 14 Nov 2003 22:55:31 -0800 (PST) (envelope-from Helge.Oldach@atosorigin.com) Received: from matar.hbg.de.int.atosorigin.com (dehsfw3e.origin-it.net [194.8.96.68])hAF6soUQ023422 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 15 Nov 2003 07:54:51 +0100 (CET) (envelope-from Helge.Oldach@atosorigin.com) Received: from dehhx004.hbg.de.int.atosorigin.com (dehhx004.hbg.de.int.atosorigin.com [161.90.164.40]) ESMTP id hAF6so35007855; Sat, 15 Nov 2003 07:54:50 +0100 (CET) (envelope-from Helge.Oldach@atosorigin.com) Received: by dehhx004.hbg.de.int.atosorigin.com with Internet Mail Service (5.5.2657.72) id ; Sat, 15 Nov 2003 07:54:50 +0100 Message-ID: From: "Oldach, Helge" To: "'cjclark@alum.mit.edu'" Date: Sat, 15 Nov 2003 07:54:40 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2657.72) Content-Type: text/plain; charset="iso-8859-1" cc: freebsd-isp@freebsd.org cc: freebsd-ipfw@freebsd.org cc: vgoupil@alis.com cc: freebsd-net@freebsd.org Subject: RE: IPSec VPN & NATD (problem with alias_address vs redirect_addr ess) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 15 Nov 2003 06:55:33 -0000 From: Crist J. Clark [mailto:cristjc@comcast.net] > On Fri, Nov 14, 2003 at 06:22:55PM +0100, Helge Oldach wrote: > > Nothing that works well and has noticeable exposure is useless. This > > definitely has both. Not with FreeBSD, though. It does work with Windows > > 2000 SP4, to put a name up... So it's definitely out there. > > Two different ESP end points behind many-to-one NAT connected to a > single ESP end point on the other side of the NAT? I'd be very curious > to get the documentation on how they are cheating to get that to work. You have posted a reference already. W2k SP4 supports UDP encapsulation of IPSec. And yes, it works fine, and reliably. Further, all of Cisco's and Checkpoints VPN gear support IPSec-over-UDP as well. This alone is >70% market share. Note that an MS employee has co-authored one of the IETF drafts you had mentioned. This is apparently not just coincidence... I do well understand that there is no general solution. However, FreeBSD is definitely behind what is available on the commercial market today. Call it "cheating" - but it's out there and it works. I would rather prefer to see a feature that doesn't solve a 100% case than to see nothing because we feel that a "general specification" is missing. Helge