Re: vpn
On Wed, 13 Feb 2002, Tariq Rashid wrote:
> This is interesting - theoretically I can't see why ESP IPsec wouldn't work
> through NAT, I agree.
>
> but the couple of times I've tried it hasn't worked.
>
> Can anyone shed any light on this?
One quick explanation is this: IPsec is an IP protocol, thus we don't have
a transport level header, meaning no port numbers.
Now, the usual NAT hides many IPs behind one IP. How is this done?
Indeed, by differentiating the session using port numbers.
> Surely even IKE would work if you used non-IP identifiers with aggressive
> mode?
IKE is a UDP protocol. I haven't tried to NAT it, so I don't know for
sure, but it should work just fine.
/H
--
Håkan Olsson <ho@crt.se> (+46) 708 437 337 Carlstedt Research
Unix, Networking, Security (+46) 31 701 4264 & Technology AB
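
Added example, not part of the original message or of any NAT implementation: a toy port-translating NAT that shows the point made above, that UDP flows from two inside hosts can be told apart by rewritten port while ESP (IP protocol 50) carries no port to key on. The Napt class, its fallback of tracking portless protocols by remote address, and all addresses and SPIs are constructed assumptions.

```python
import socket
import struct

ESP, UDP = 50, 17            # IP protocol numbers
PUBLIC_IP = "203.0.113.1"    # constructed documentation address

def ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def esp(spi, seq):
    # ESP begins with SPI and sequence number; it has no port fields.
    return struct.pack("!II", spi, seq) + b"\x00" * 16

class Napt:
    def __init__(self):
        self.by_port = {}    # public UDP port -> inside IP
        self.portless = {}   # (proto, remote IP) -> set of inside IPs
        self.next_port = 40000

    def outbound(self, pkt):
        proto, src, dst = pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        if proto == UDP:
            self.next_port += 1
            self.by_port[self.next_port] = src
            return self.next_port      # rewritten source port
        self.portless.setdefault((proto, dst), set()).add(src)
        return None                     # no port available to rewrite

    def inbound(self, pkt):
        """Inside host for a reply, or None when it cannot be determined."""
        proto, src = pkt[9], socket.inet_ntoa(pkt[12:16])
        if proto == UDP:
            return self.by_port.get(struct.unpack("!H", pkt[22:24])[0])
        hosts = self.portless.get((proto, src), set())
        return next(iter(hosts)) if len(hosts) == 1 else None

def demo():
    nat, gw, a, b = Napt(), "198.51.100.7", "10.0.0.2", "10.0.0.3"
    ports = [nat.outbound(ipv4(UDP, h, gw, udp(500, 500))) for h in (a, b)]
    ike = [nat.inbound(ipv4(UDP, gw, PUBLIC_IP, udp(500, p))) for p in ports]
    nat.outbound(ipv4(ESP, a, gw, esp(0x1111, 1)))
    one = nat.inbound(ipv4(ESP, gw, PUBLIC_IP, esp(0x2222, 1)))
    nat.outbound(ipv4(ESP, b, gw, esp(0x3333, 1)))
    two = nat.inbound(ipv4(ESP, gw, PUBLIC_IP, esp(0x4444, 1)))
    return ike, one, two
```

demo() returns the inside hosts chosen for the two UDP/500 replies, then for an ESP reply while one inside host is active, then for an ESP reply once a second inside host talks to the same gateway.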