From owner-freebsd-isp@FreeBSD.ORG Sat Nov 15 10:23:56 2003
Date: Sat, 15 Nov 2003 10:24:09 -0800
From: "Crist J. Clark"
To: "Oldach, Helge"
cc: freebsd-isp@freebsd.org
cc: freebsd-ipfw@freebsd.org
cc: vgoupil@alis.com
cc: freebsd-net@freebsd.org
Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)
Message-ID: <20031115182409.GA2001@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
User-Agent: Mutt/1.4.1i
X-URL: http://people.freebsd.org/~cjc/
List-Id: Internet Services Providers

On Sat, Nov 15, 2003 at 07:54:40AM +0100, Oldach, Helge wrote:
> From: Crist J. Clark [mailto:cristjc@comcast.net]
> > On Fri, Nov 14, 2003 at 06:22:55PM +0100, Helge Oldach wrote:
> > > Nothing that works well and has noticeable exposure is useless. This
> > > definitely has both. Not with FreeBSD, though. It does work with Windows
> > > 2000 SP4, to put a name up... So it's definitely out there.
> >
> > Two different ESP end points behind many-to-one NAT connected to a
> > single ESP end point on the other side of the NAT? I'd be very curious
> > to get the documentation on how they are cheating to get that to work.
>
> You have posted a reference already. W2k SP4 supports UDP encapsulation of
> IPSec. And yes, it works fine, and reliably. Further, all of Cisco's and
> Checkpoint's VPN gear support IPSec-over-UDP as well. This alone is >70%
> market share.

Oh, yeah, I know of UDP or TCP encapsulation tricks that work. I have
dealt with several of these implementations too. I thought that you
were implying that there were working NAT implementations that could
deal with ESP in these circumstances.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
http://people.freebsd.org/~cjc/    |     cjclark@jhu.edu
                                   |     cjc@freebsd.org
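To make Crist's distinction concrete (a port-translating NAT has nothing to rewrite in plain ESP, so two inside hosts talking to one gateway collide, while UDP-encapsulated IPsec gives the NAT a port per inside host), here is an added Python model that is not from the thread; the addresses, SPIs, the Napt class and its port allocation are constructed for illustration.

```python
"""Model of a port-translating (many-to-one) NAT in front of two IPsec hosts
that both talk to one remote gateway. Added illustration for this thread;
addresses, SPIs and the port allocation are constructed, not measured."""
from dataclasses import dataclass, field

ESP, UDP = 50, 17          # IP protocol numbers
NAT_T_PORT = 4500          # UDP port used for UDP-encapsulated ESP (NAT-T)

@dataclass(frozen=True)
class Pkt:
    proto: int
    src: str
    dst: str
    sport: int = 0         # 0 for plain ESP, which carries no ports
    dport: int = 0
    spi: int = 0           # ESP SPI; a plain NAPT does not key on it

@dataclass
class Napt:
    """One public address; mappings keyed only on fields a NAPT rewrites."""
    public: str
    next_port: int = 40000
    out: dict = field(default_factory=dict)   # (proto, in_ip, in_port) -> ext_port
    back: dict = field(default_factory=dict)  # (proto, ext_port) -> [(in_ip, in_port)]

    def outbound(self, p: Pkt) -> Pkt:
        key = (p.proto, p.src, p.sport)
        if key not in self.out:
            if p.proto == UDP:          # UDP has a port to rewrite: unique per host
                ext, self.next_port = self.next_port, self.next_port + 1
            else:                       # ESP has none: every host shares (50, 0)
                ext = 0
            self.out[key] = ext
            self.back.setdefault((p.proto, ext), []).append((p.src, p.sport))
        return Pkt(p.proto, self.public, p.dst, self.out[key], p.dport, p.spi)

    def inbound(self, p: Pkt) -> list:
        """Inside hosts a reply could belong to; more than one means ambiguous."""
        return self.back.get((p.proto, p.dport), [])

def demo(proto: int) -> tuple:
    """Two inside hosts reach one gateway; return who each reply maps back to."""
    nat, gw = Napt("198.51.100.1"), "203.0.113.9"
    port = NAT_T_PORT if proto == UDP else 0
    a = nat.outbound(Pkt(proto, "10.0.0.11", gw, port, port, spi=0x1001))
    b = nat.outbound(Pkt(proto, "10.0.0.12", gw, port, port, spi=0x1002))
    return (nat.inbound(Pkt(proto, gw, nat.public, port, a.sport)),
            nat.inbound(Pkt(proto, gw, nat.public, port, b.sport)))
```

`demo(ESP)` returns both inside hosts for every reply, which is the ambiguity a plain NAT cannot resolve; `demo(UDP)` returns exactly one host per reply because each inside host got its own external port.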