From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Wed Jul 31 2002 - 11:34:52 CEST
Version 0.9.14 of the X.509 patch supports (together with a
DHCP relay agent running on the VPN gateway) the DHCP-over-IPsec
protocol defined by
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-dhcp-13.txt

Slide 13 of my recent presentation "IPsec-based VPNs"
http://www.strongsec.com/SWITCHmobile_VPN.pdf
shows what DHCP-over-IPsec is all about. The whole protocol is based
on normal ESP tunnels with restrictions on ports and protocols
(udp/bootps and udp/bootpc) for the DHCP SA.

NAT-Traversal is quite a different beast. It allows the encapsulation
of ESP packets in UDP datagrams. You can find details in

UDP Encapsulation of IPsec Packets
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-03.txt

and

Negotiation of NAT-Traversal in the IKE
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-03.txt

NAT-Traversal is supported by Mathieu Lafon's NAT-T patch. It currently
cannot be used together with the X.509 patch since we have different
wildcard models for the Virtual IP ranges for the roadwarriors
(the X.509 patch uses a rightsubnetwithin= parameter per connection and
the NAT-T patch uses a global address pool definition).

Kind regards

Andreas
John A. Sullivan III wrote:
> After reading all the documentation, I am a little confused about the
> differences between the recent additions to the X.509 patch at
> www.strongsec.com and the NAT-T patch at open-source.arkoon.net. The
> X.509 patch appears to enable the DHCP-over-IPSec and I thought it
> implemented NAT-T but I don't see much about the NAT-T in the docs.
> Does it do the encapsulation in UDP or is that what the arkoon patch is
> for? Where does one use one vs. the other? Thanks - John
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
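Added example, not code from the message or from either patch: a small Python classifier that applies the two distinctions drawn above. `matches_dhcp_sa` enforces the port restriction of the DHCP SA (udp/bootps and udp/bootpc only), and `classify_nat_t` demultiplexes UDP-encapsulated ESP from IKE messages and keepalives. The UDP port 4500 and the framing (0xFF keepalive, four-zero-byte non-ESP marker) are taken from RFC 3948, the published form of the udp-encaps draft, and are assumptions beyond the text.

```python
import struct

# Numbers from the message: the DHCP SA only admits udp/bootps (server, 67)
# and udp/bootpc (client, 68). ESP is IP protocol 50.
UDP_PROTO = 17
ESP_PROTO = 50
BOOTPS, BOOTPC = 67, 68
NAT_T_PORT = 4500   # assumption: NAT-T port per RFC 3948, not stated in the mail


def matches_dhcp_sa(proto, src_port, dst_port):
    """True if an inner (already decrypted) packet is allowed on the DHCP SA.

    The DHCP SA is a normal ESP tunnel whose selectors only admit UDP between
    bootpc and bootps, in either direction. Anything else arriving on that SA
    violates the policy and should be dropped and logged.
    """
    return proto == UDP_PROTO and {src_port, dst_port} == {BOOTPC, BOOTPS}


def classify_nat_t(payload):
    """Demultiplex a UDP payload received on the NAT-T port (RFC 3948 framing).

      * a single 0xFF byte                -> NAT keepalive
      * four zero bytes (non-ESP marker)  -> an IKE message follows
      * anything else                     -> ESP header (SPI, sequence number)
    Returns a (kind, details) tuple.
    """
    if len(payload) == 1 and payload[0] == 0xFF:
        return ("keepalive", None)
    if len(payload) < 8:
        return ("runt", {"len": len(payload)})   # too short for an ESP header
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        return ("ike", {"ike_len": len(payload) - 4})
    # The ESP payload is still encrypted here: inner selectors such as the
    # DHCP port restriction can only be checked after decapsulation.
    return ("esp", {"spi": spi, "seq": seq})


# Constructed sample datagrams (not captured traffic).
SAMPLE_ESP = struct.pack("!II", 0x1A2B3C4D, 7) + b"\xaa" * 24
SAMPLE_IKE = b"\x00\x00\x00\x00" + b"\x11" * 28
SAMPLE_KEEPALIVE = b"\xff"

if __name__ == "__main__":
    print(matches_dhcp_sa(UDP_PROTO, BOOTPC, BOOTPS))   # True
    print(matches_dhcp_sa(UDP_PROTO, BOOTPC, 53))       # False: DNS is not DHCP
    for datagram in (SAMPLE_ESP, SAMPLE_IKE, SAMPLE_KEEPALIVE):
        print(classify_nat_t(datagram))
```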