Re: [Users] NAT Traversal patch confusion

From: John A. Sullivan III (John.Sullivan_at_nexusmgmt.com)
Date: Wed Jul 31 2002 - 12:04:18 CEST


Thank you, Andreas. Does that mean that application of Mathieu's NAT-T
patch disables the DHCP-over-IPSec in your patch or does it mean that we
cannot use X.509 certificates at all if we want to use the NAT-T patch? -
John

On Wed, 2002-07-31 at 05:34, Andreas Steffen wrote:
> Version 0.9.14 of the X.509 patch supports (together with a
> DHCP relay agent running on the VPN gateway) the DHCP-over-IPsec
> protocol defined by
>
> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-dhcp-13.txt
>
> Slide 13 of my recent presentation "IPsec-based VPNs"
>
> http://www.strongsec.com/SWITCHmobile_VPN.pdf
>
> shows what DHCP-over-IPsec is all about. The whole protocol is based
> on normal ESP tunnels with restrictions on ports and protocols
> (udp/bootps and udp/bootpc) for the DHCP SA.
>
> NAT-Traversal is quite a different beast. It allows the encapsulation
> of ESP packets in UDP datagrams. You can find details in
>
> UDP Encapsulation of IPsec Packets
> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-03.txt
>
> and
>
> Negotiation of NAT-Traversal in the IKE
> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-03.txt
>
> NAT-Traversal is supported by Mathieu Lafon's NAT-T patch. It currently
> cannot be used together with the X.509 patch since we have different
> wildcard models for the Virtual IP ranges for the roadwarriors
> (the X.509 patch uses a rightsubnetwithin= parameter per connection and
> the NAT-T patch uses a global address pool definition).
>
> Kind regards
>
> Andreas
>
> John A. Sullivan III wrote:
> > After reading all the documentation, I am a little confused about the
> > differences between the recent additions to the X.509 patch at
> > www.strongsec.com and the NAT-T patch at open-source.arkoon.net. The
> > X.509 patch appears to enable the DHCP-over-IPSec and I thought it
> > implemented NAT-T but I don't see much about the NAT-T in the docs.
> > Does it do the encapsulation in UDP or is that what the arkoon patch is
> > for? Where does one use one vs. the other? Thanks - John
>
> ======================================================================
> Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
> strongSec GmbH phone: +41 76 340 25 56
> Alter Zürichweg 20 home: http://www.strongsec.com
> CH-8952 Schlieren (Switzerland)
> ==========================================[strong internet security]==

-- 
John A. Sullivan III
Group Technology Director
Nexus Management
+1 207-985-7880
John.Sullivan_at_nexusmgmt.com
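The UDP encapsulation of ESP that Andreas contrasts with DHCP-over-IPsec, as an added example that is not from this thread, the X.509 patch or the NAT-T patch: a small classifier for the UDP payload of a NAT-T packet that tells ESP, IKE (prefixed by the zero "non-ESP marker") and the one-byte NAT keepalive apart and pulls out the SPI and sequence number a defender would log. It assumes the framing as later standardized in RFC 3948 (the successor of the udp-encaps draft cited above); the sample packets are constructed, not captured.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # precedes an IKE header on the NAT-T port (RFC 3948)
NAT_KEEPALIVE = b"\xff"                # single-octet keepalive sent through the NAT binding
IKE_HDR = struct.Struct("!QQBBBBII")   # iSPI, rSPI, next payload, version, exch, flags, msgid, len
ESP_HDR = struct.Struct("!II")         # SPI, sequence number (ESP SPI is never 0, hence the marker)


def classify_udp_encap(payload: bytes) -> dict:
    """Classify one UDP payload from a NAT-T tunnel port.

    Returns a dict whose 'kind' is 'esp', 'ike', 'keepalive' or 'invalid'.
    For ESP the SPI and sequence number are returned so a sensor can key
    replay/anomaly checks on them; for IKE the exchange type and length.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(payload) < ESP_HDR.size:
        return {"kind": "invalid", "reason": "shorter than an ESP header"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HDR.size:
            return {"kind": "invalid", "reason": "truncated IKE header"}
        ispi, rspi, _np, version, exch, _flags, _msgid, length = IKE_HDR.unpack(ike[:IKE_HDR.size])
        if length != len(ike):
            return {"kind": "invalid", "reason": "IKE length field disagrees with datagram"}
        return {"kind": "ike", "initiator_spi": ispi, "responder_spi": rspi,
                "version": version, "exchange_type": exch, "length": length}
    spi, seq = ESP_HDR.unpack(payload[:ESP_HDR.size])
    return {"kind": "esp", "spi": spi, "seq": seq}


def summarize(payloads) -> dict:
    """Count packet kinds over a list of payloads, e.g. one flow from a capture."""
    counts = {}
    for p in payloads:
        kind = classify_udp_encap(p)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample payloads (not real traffic).
SAMPLE_ESP = ESP_HDR.pack(0x12345678, 7) + b"\xaa" * 16          # ESP: SPI 0x12345678, seq 7
SAMPLE_IKE = NON_ESP_MARKER + IKE_HDR.pack(                       # IKEv1 Quick Mode header
    0x0102030405060708, 0, 1, 0x10, 32, 0x01, 0, IKE_HDR.size)
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

if __name__ == "__main__":
    for p in (SAMPLE_ESP, SAMPLE_IKE, SAMPLE_KEEPALIVE):
        print(classify_udp_encap(p))
```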

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
