From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Wed Jul 31 2002 - 12:19:01 CEST
It just means that the NAT-T patch cannot be successfully applied
after the X.509 patch since one or several hunks will fail due to
the [right/left]subnetwithin feature introduced by the X.509 patch.
Andreas
John A. Sullivan III wrote:
> Thank you, Andreas. Does that mean that application of Mathieu's NAT-T
> patch disables the DHCP-over-IPSec in your patch or does it mean that we
> cannot use X.509 certificates at all if we want to use the NAT-T patch? -
> John
>
> On Wed, 2002-07-31 at 05:34, Andreas Steffen wrote:
>
>>Version 0.9.14 of the X.509 patch supports (together with a
>>DHCP relay agent running on the VPN gateway) the DHCP-over-IPsec
>>protocol defined by
>>
>> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-dhcp-13.txt
>>
>>Slide 13 of my recent presentation "IPsec-based VPNs"
>>
>> http://www.strongsec.com/SWITCHmobile_VPN.pdf
>>
>>shows what DHCP-over-IPsec is all about. The whole protocol is based
>>on normal ESP tunnels with restrictions on ports and protocols
>>(udp/bootps and udp/bootpc) for the DHCP SA.
>>
>>NAT-Traversal is quite a different beast. It allows the encapsulation
>>of ESP packets in UDP datagrams. You can find details in
>>
>>UDP Encapsulation of IPsec Packets
>>http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-03.txt
>>
>>and
>>
>>Negotiation of NAT-Traversal in the IKE
>>http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-03.txt
>>
>>NAT-Traversal is supported by Mathieu Lafon's NAT-T patch. It currently
>>cannot be used together with the X.509 patch since we have different
>>wildcard models for the Virtual IP ranges for the roadwarriors
>>(the X.509 patch uses a rightsubnetwithin= parameter per connection and
>>the NAT-T patch uses a global address pool definition).
>>
>>Kind regards
>>
>>Andreas
>>
>>John A. Sullivan III wrote:
>>
>>>After reading all the documentation, I am a little confused about the
>>>differences between the recent additions to the X.509 patch at
>>>www.strongsec.com and the NAT-T patch at open-source.arkoon.net. The
>>>X.509 patch appears to enable the DHCP-over-IPSec and I thought it
>>>implemented NAT-T but I don't see much about the NAT-T in the docs.
>>>Does it do the encapsulation in UDP or is that what the arkoon patch is
>>>for? Where does one use one vs. the other? Thanks - John
>>
>>======================================================================
>>Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
>>strongSec GmbH phone: +41 76 340 25 56
>>Alter Zürichweg 20 home: http://www.strongsec.com
>>CH-8952 Schlieren (Switzerland)
>>==========================================[strong internet security]==
>
-- 
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users