Hello,
Sorry to post this piece from another mailing list, but some of the information
is useful in the context of FreeS/WAN.
- Is it possible to use this "NAT Transparent IPsec" mode together with
FreeS/WAN?
- If yes, how?
Regards,
Achim Dreyer
-----------------------------------------------------------------------
A. Dreyer, UNIX System Administrator and Internet Security Consultant
---------- Forwarded message ----------
Date: Sat, 23 Mar 2002 17:20:51 +1030
From: Ben Nagy <ben_at_iagu.net>
Cc: firewalls_at_lists.gnac.net
Subject: RE: Cisco Client behind Checkpoint FW-1
I've heard it called "NAT Transparent IPSec", which is similar. I can't
meaningfully parse "transparent NAT".
UDP encapsulation takes the "internal" IPSec packet, say with a
192.168.x.x address, bundles it up in a UDP packet, and then sends it.
The NAT devices then do their evil things to the outside layer, but at
the end of all that messing around, the gateway at the other end removes
the UDP shell and looks at the IPSec packet inside. This means that ESP
and AH will both work equally well, since it means that, as far as the
VPN gateway is concerned, no NAT has ever taken place.
So, UDP encapsulation is obviously useful (and in discussion for
addition to the core protocol), but adds considerable packet overhead
and some latency.
Cheers,
--
Ben Nagy
Network Security Specialist
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304

> Is this what I have heard referred to as "transparent NAT"?
> Also thought that this type of UDP encapsulation only worked with ESP even
> still? Maybe that's a Checkpoint centric perspective though.
>
> Cliff [...]
_______________________________________________
Firewalls mailing list
Firewalls_at_lists.gnac.net
http://lists.gnac.net/mailman/listinfo/firewalls

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
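The mechanism Ben describes (inner IPsec packet wrapped in UDP, NAT rewrites only the outer layer, far gateway strips the UDP shell) as an added Python model, not code from either list post and not FreeS/WAN code. It shows why this makes AH work through NAT as well as ESP: AH's integrity check covers the IP header, so a NAT rewriting the source address breaks a bare AH packet, while the same packet carried inside UDP comes out byte-identical. Everything here is a simplification and an assumption: a minimal AH layout with a 16-byte truncated HMAC-SHA256 ICV, UDP port 4500 and a zero UDP checksum, a constructed key and constructed addresses, and a source NAT that only rewrites address and port. The packet overhead it reports (outer IP plus UDP header) is what this toy encapsulation adds, not a statement about any product's wire format.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO, UDP_PROTO = 51, 17
ICV_LEN = 16
KEY = b"constructed-demo-ah-key"  # constructed shared key (assumption)


def ip_checksum(hdr):
    # Standard ones-complement checksum over the IPv4 header
    if len(hdr) % 2:
        hdr += b"\0"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    # 20-byte IPv4 header, no options, checksum filled in
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def ah_icv(ip_hdr, ah_no_icv, payload):
    # AH's ICV covers the IP header with mutable fields (TOS, flags/frag, TTL,
    # checksum) zeroed, then the AH header with a zeroed ICV, then the payload.
    # The source and destination addresses ARE covered, which is the point.
    immutable = (ip_hdr[0:1] + b"\0" + ip_hdr[2:6] + b"\0\0\0"
                 + ip_hdr[9:10] + b"\0\0" + ip_hdr[12:20])
    mac = hmac.new(KEY, immutable + ah_no_icv + b"\0" * ICV_LEN + payload, hashlib.sha256)
    return mac.digest()[:ICV_LEN]


def build_ah_packet(src, dst, payload, spi=0x1001, seq=1):
    # Simplified AH header: next header (TCP), payload len in 32-bit words minus 2,
    # reserved, SPI, sequence number; then the ICV, then the protected payload
    ah_no_icv = struct.pack("!BBHII", 6, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = build_ipv4(src, dst, AH_PROTO, b"\0" * (12 + ICV_LEN + len(payload)))[:20]
    return ip_hdr + ah_no_icv + ah_icv(ip_hdr, ah_no_icv, payload) + payload


def verify_ah(pkt):
    ip_hdr, ah_no_icv = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_no_icv, payload))


def udp_encap(inner, gw_src, gw_dst, port=4500):
    # Whole IPsec packet becomes the UDP payload; UDP checksum 0 (none) is legal in IPv4
    udp = struct.pack("!HHHH", port, port, 8 + len(inner), 0) + inner
    return build_ipv4(gw_src, gw_dst, UDP_PROTO, udp)


def udp_decap(pkt):
    # Strip outer IP header (IHL-sized) and the 8-byte UDP header
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != UDP_PROTO:
        raise ValueError("not UDP-encapsulated")
    return pkt[ihl + 8:]


def source_nat(pkt, public_ip, new_port=None):
    # Model of a source NAT: rewrite outer source address (and UDP source port),
    # recompute the IP header checksum, leave everything else alone
    ihl = (pkt[0] & 0x0F) * 4
    hdr = pkt[:12] + socket.inet_aton(public_ip) + pkt[16:ihl]
    hdr = hdr[:10] + b"\0\0" + hdr[12:]
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    rest = pkt[ihl:]
    if pkt[9] == UDP_PROTO and new_port is not None:
        rest = struct.pack("!H", new_port) + rest[2:]
    return hdr + rest


def run_demo():
    # Constructed addresses: private host behind NAT, NAT public side, remote gateway
    inner = build_ah_packet("192.168.1.10", "10.0.0.1", b"constructed payload")
    # Case 1: bare AH through NAT: src address rewritten, ICV covered it -> fails
    raw_ok = verify_ah(source_nat(inner, "203.0.113.7"))
    # Case 2: UDP-encapsulated: NAT touches only outer IP/UDP, decap yields inner untouched
    encap = udp_encap(inner, "192.168.1.10", "198.51.100.1")
    recovered = udp_decap(source_nat(encap, "203.0.113.7", new_port=61000))
    return {"raw_ok": raw_ok, "encap_ok": verify_ah(recovered),
            "identical": recovered == inner, "overhead": len(encap) - len(inner)}


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` returns `raw_ok` False and `encap_ok` True: the NAT mangles the outer header, but the gateway verifies the inner packet, for which no NAT ever happened. The 28 bytes of overhead are the outer IPv4 and UDP headers this model adds per packet; real implementations differ in layout (and a mid-path device that strips or times out the UDP state is a separate failure mode this model does not cover).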
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:46 CEST