Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 15 Nov 2003 10:24:09 -0800
From:      "Crist J. Clark" <cristjc@comcast.net>
To:        "Oldach, Helge" <Helge.Oldach@atosorigin.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPSec VPN & NATD (problem with alias_address vs redirect_addr ess)
Message-ID:  <20031115182409.GA2001@blossom.cjclark.org>
In-Reply-To: <D2CFC58E0F8CB443B54BE72201E8916E94CA16@dehhx005.hbg.de.int.atosorigin.com>
References:  <D2CFC58E0F8CB443B54BE72201E8916E94CA16@dehhx005.hbg.de.int.atosorigin.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Sat, Nov 15, 2003 at 07:54:40AM +0100, Oldach, Helge wrote:
> From: Crist J. Clark [mailto:cristjc@comcast.net]
> > On Fri, Nov 14, 2003 at 06:22:55PM +0100, Helge Oldach wrote:
> > > Nothing that works well and has noticeable exposure is useless. This
> > > definitely has both. Not with FreeBSD, though. It does work with Windows
> > > 2000 SP4, to put a name up... So it's definitely out there.
> > 
> > Two different ESP end points behind many-to-one NAT connected to a
> > single ESP end point on the other side of the NAT? I'd be very curious
> > to get the documentation on how they are cheating to get that to work.
> 
> You have posted a reference already. W2k SP4 supports UDP encapsulation of
> IPSec. And yes, it works fine, and reliably. Further, all of Cisco's and
> Checkpoints VPN gear support IPSec-over-UDP as well. This alone is >70%
> market share.

Oh, yeah, I know of UDP or TCP encapsulation tricks that work. I have
dealt with several of these implementations too. I thought that you
were implying that there were working NAT implementations that could
deal with ESP in these circumstances.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20031115182409.GA2001>