Re: vpn
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: vpn
- From: Richard Welty <rwelty_(_at_)_averillpark_(_dot_)_net>
- Date: Wed, 13 Feb 2002 10:34:26 -0500 (EST)
On Wed, 13 Feb 2002 16:24:50 +0100 (MET) Hakan Olsson <ho_(_at_)_crt_(_dot_)_se> wrote:
> On Wed, 13 Feb 2002, Tariq Rashid wrote:
>
> > this is interesting - theoretically i can't see why ESP ipsec
> > wouldn't work through nat, i agree.
> >
> > but the couple of times I've tried it hasn't worked.
> >
> > Can anyone shed any light on this?
>
> One quick explanation is this; IPsec is an IP protocol, thus we don't
> have a transport level header, meaning no port numbers.
>
> Now, the usual NAT hides many IPs behind one IP. How is this done?
> Indeed, by differentiating the session using port numbers.
yes, i think this is essentially correct
1) you cannot NAT AH
2) you can NAT ESP if it is address<->address NAT
3) to NAT ESP with Port NAT, you need UDP encapsulation to tack a port
number onto the packet.
4) IKE can be gotten to work, if you are careful about IP addresses
5) i've not looked at whether AH could be gotten to work with UDP encapsulation;
AH is basically useless, so i'm not motivated to investigate.
richard
--
Richard Welty rwelty_(_at_)_averillpark_(_dot_)_net
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security
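The three NAT cases in the numbered list above, as an added example that is not part of the original post: a deliberately simplified model (a 9-byte pseudo IP header holding only source, destination and protocol number, an HMAC-SHA256 truncated to 12 bytes as the ICV, and a toy port-NAT table) that shows why an address-rewriting NAT breaks AH but not ESP, and why port NAT cannot track raw ESP without a UDP header to hang a port on. The key, addresses, SPI and the use of UDP port 4500 for the encapsulation are all constructed for the demonstration.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"   # constructed for the example, not a real SA key
ICV_LEN = 12                    # truncated HMAC, as IPsec integrity algorithms do


def ip_header(src, dst, proto):
    """Pseudo IPv4 header: source, destination, protocol number only (simplified)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + bytes([proto])


def ah_packet(src, dst, payload):
    """AH (IP proto 51): the ICV covers the immutable IP header fields, which
    include the source and destination addresses, plus the payload."""
    hdr = ip_header(src, dst, 51)
    icv = hmac.new(KEY, hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + icv + payload


def ah_verify(pkt):
    hdr, icv, payload = pkt[:9], pkt[9:9 + ICV_LEN], pkt[9 + ICV_LEN:]
    expect = hmac.new(KEY, hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expect)


def esp_packet(src, dst, spi, payload):
    """ESP (IP proto 50): the ICV covers the ESP header (SPI here) and payload,
    never the outer IP header, so address rewriting leaves it valid."""
    hdr = ip_header(src, dst, 50)
    body = struct.pack("!I", spi) + payload
    icv = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + body + icv


def esp_verify(pkt):
    body, icv = pkt[9:-ICV_LEN], pkt[-ICV_LEN:]
    expect = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expect)


def nat_address(pkt, new_src):
    """address<->address NAT: rewrite the source address, touch nothing else."""
    return socket.inet_aton(new_src) + pkt[4:]


def napt_map(table, inside_ip, proto, src_port):
    """Port NAT keys each session on (protocol, port). A flow that has no port
    (raw ESP or AH) cannot be given a distinct key, so a second inside host
    collides with the first and cannot be tracked on the return path."""
    if src_port is None:
        key = (proto, None)                 # nothing to differentiate on
    else:
        key = (proto, 40000 + len(table))   # allocate a distinct public port
    if key in table and table[key] != inside_ip:
        return None                         # collision: second host untrackable
    table[key] = inside_ip
    return key


def pat_scenario(udp_encapsulate):
    """Two inside hosts open IPsec flows through one port NAT.
    Returns a list of whether each host could be mapped."""
    table = {}
    results = []
    for inside in ("10.0.0.2", "10.0.0.3"):       # constructed inside hosts
        if udp_encapsulate:
            key = napt_map(table, inside, 17, 4500)   # ESP in UDP, port assumed
        else:
            key = napt_map(table, inside, 50, None)   # raw ESP: no port at all
        results.append(key is not None)
    return results


if __name__ == "__main__":
    ah = ah_packet("10.0.0.2", "192.0.2.1", b"hello")
    esp = esp_packet("10.0.0.2", "192.0.2.1", 0x1234, b"hello")
    print("AH before NAT:", ah_verify(ah), " after NAT:", ah_verify(nat_address(ah, "203.0.113.5")))
    print("ESP before NAT:", esp_verify(esp), " after NAT:", esp_verify(nat_address(esp, "203.0.113.5")))
    print("port NAT, raw ESP:", pat_scenario(False), " ESP in UDP:", pat_scenario(True))
```

Running it prints AH verifying before the address rewrite and failing after it, ESP verifying in both cases, and the port-NAT table accepting only the first raw-ESP host but both hosts once a UDP header supplies a port. The model omits TTL, checksum and mutable-field zeroing, and a real NAPT also keys on the remote side, but none of that changes the point in the list: no port, no port NAT.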