Re: vpn
this is interesting - theoretically i can't see why ESP ipsec wouldn't work
through nat, i agree.
but the couple of times I've tried it hasn't worked.
Can anyone shed any light on this?
Surely even IKE would work if you used non-IP identifiers with aggressive
mode?
... it is odd because so many people do say "it doesn't work" with such
conviction.
(hence the judicious use of the word 'generally' doesn't work when people
ask me)
tariq
-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org]On Behalf Of
Richard Welty
Sent: 13 February 2002 14:51
To: misc@openbsd.org
Subject: Re: vpn
On Wed, 13 Feb 2002 14:46:11 -0000 Tariq Rashid <tariq@inty.net> wrote:
> ipsec generally doesn't work with NAT:
>
> http://www.networkcomputing.com/1123/1123ws2.html
you know, this is commonly accepted (i used to say it) but actually, if he
avoids AH and sticks to ESP, there's a fair chance it can be gotten to
work.
AH is generally the sticking point with NAT. ESP doesn't care what you do
with the IP addresses in the packet.
richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security
intY has automatically scanned this email with Sophos Anti-Virus
(www.inty.net)
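Added example, not part of the original messages: a simplified Python model of the point discussed above, that the AH integrity check value covers the IP source and destination addresses while the ESP one covers only the ESP header and payload. The key, SPI, addresses and payload are constructed sample values, and the model covers only the ICV input (no encryption, IKE, or transport-layer checksums).

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"   # constructed sample key
FMT = "!BBHHHBBH4s4s"           # fixed 20-byte IPv4 header

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    return struct.pack(FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    # AH zeroes fields routers may change (TOS, flags/offset, TTL, checksum)
    # before computing the ICV; source and destination addresses stay in.
    ver, _, length, ident, _, _, proto, _, src, dst = struct.unpack(FMT, hdr)
    return struct.pack(FMT, ver, 0, length, ident, 0, 0, proto, 0, src, dst)

def icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]   # HMAC-SHA1-96

def ah_icv(ip_hdr, spi_seq, payload):
    return icv(zero_mutable(ip_hdr) + spi_seq + payload)     # IP header covered

def esp_icv(spi_seq, ciphertext):
    return icv(spi_seq + ciphertext)                         # IP header not covered

def nat_rewrite(ip_hdr, new_src):
    return ip_hdr[:12] + socket.inet_aton(new_src) + ip_hdr[16:]

def set_ttl(ip_hdr, ttl):
    return ip_hdr[:8] + bytes([ttl]) + ip_hdr[9:]

def run():
    spi_seq = struct.pack("!II", 0x1000, 1)   # constructed SPI and sequence number
    body = b"opaque protected payload"        # stands in for ciphertext
    ah_hdr = ipv4_header("192.168.1.10", "198.51.100.20", 51, len(body) + 20)
    esp_hdr = ipv4_header("192.168.1.10", "198.51.100.20", 50, len(body) + 20)
    ah_sent, esp_sent = ah_icv(ah_hdr, spi_seq, body), esp_icv(spi_seq, body)
    # The receiver recomputes each ICV over what actually arrives.
    routed = set_ttl(ah_hdr, 63)                       # ordinary router hop
    natted = nat_rewrite(ah_hdr, "203.0.113.5")        # source NAT
    natted_esp = nat_rewrite(esp_hdr, "203.0.113.5")   # header changes, ICV input does not
    return {
        "ah_after_ttl_change": hmac.compare_digest(ah_sent, ah_icv(routed, spi_seq, body)),
        "ah_after_nat": hmac.compare_digest(ah_sent, ah_icv(natted, spi_seq, body)),
        "esp_header_changed": natted_esp != esp_hdr,
        "esp_after_nat": hmac.compare_digest(esp_sent, esp_icv(spi_seq, body)),
    }

if __name__ == "__main__":
    print(run())
```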