Date: Fri, 21 Nov 2003 22:35:54 -0800
From: "Stephen J. Bevan" <stephen@dino.dnsalias.com>
To: cjclark@alum.mit.edu
Cc: freebsd-net@freebsd.org
Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)
Message-ID: <16319.970.22297.204715@anakin.>
In-Reply-To: <20031114201246.GA62521@blossom.cjclark.org>
References: <20031114163654.GB61960@blossom.cjclark.org> <200311141722.SAA19138@galaxy.hbg.de.ao-srv.com> <20031114201246.GA62521@blossom.cjclark.org>
Crist J. Clark writes:
> Two different ESP end points behind many-to-one NAT connected to a
> single ESP end point on the other side of the NAT? I'd be very curious
> to get the documentation on how they are cheating to get that to work.

A cheat is to use the sequence number in the ESP header to match up the SPI on the inbound packet with the SPI on the outbound packet. This only works if the NAT box doesn't have multiple ESP connections all starting at the same time (otherwise there would obviously be no way to tell which outbound SPI a packet with ESP sequence number 1 should match). A workaround for that is to have the NAT box delay the IKE negotiation for one connection if another one has not completed and resulted in traffic being sent. It all has a bit of a bad smell to it but then NAT isn't exactly sweet smelling either.
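The sequence-number heuristic and the IKE-delay workaround described in the reply, as an added example that is not code from the message or from natd; the EspNat class, the sequence window of 8, and the host, peer and SPI values are assumptions made for illustration:

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass
class EspFlow:
    inside_host: str            # private address behind the NAT
    peer: str                   # the single ESP endpoint outside the NAT
    out_spi: int                # SPI on packets leaving the NAT
    out_seq: int                # last outbound ESP sequence number seen
    in_spi: Optional[int] = None   # SPI on packets coming back, learned lazily

class EspNat:
    SEQ_WINDOW = 8   # assumed: how close the two sequence counters must be to pair

    def __init__(self):
        self.flows: list[EspFlow] = []

    def outbound(self, inside_host, peer, spi, seq):
        """Record an ESP packet from an inside host; a new (host, peer, SPI) starts a flow."""
        for f in self.flows:
            if (f.inside_host, f.peer, f.out_spi) == (inside_host, peer, spi):
                f.out_seq = seq
                return
        self.flows.append(EspFlow(inside_host, peer, spi, seq))

    def inbound(self, peer, spi, seq):
        """Return the inside host an inbound ESP packet belongs to, or None."""
        for f in self.flows:
            if f.peer == peer and f.in_spi == spi:
                return f.inside_host        # inbound SPI already bound: normal case
        # Unknown inbound SPI: the cheat from the message. Bind it to the outbound
        # flow from the same peer that has no inbound SPI yet and whose sequence
        # counter is close to this packet's (both directions have just started).
        cands = [f for f in self.flows
                 if f.peer == peer and f.in_spi is None
                 and abs(f.out_seq - seq) <= self.SEQ_WINDOW]
        if len(cands) != 1:
            return None   # zero or several freshly started tunnels: cannot tell them apart
        cands[0].in_spi = spi
        return cands[0].inside_host

    def ike_may_start(self, peer):
        """Workaround from the message: hold a new IKE negotiation to a peer while
        another tunnel to that peer has sent traffic but not yet received any."""
        return not any(f.peer == peer and f.in_spi is None for f in self.flows)
```

The last assertion in the usage below shows the failure mode the message names: two tunnels to the same peer both at sequence number 1 cannot be distinguished, so the NAT returns None instead of guessing.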