Re: [Users] NAT Traversal patch confusion

From: John A. Sullivan III (John.Sullivan_at_nexusmgmt.com)
Date: Wed Jul 31 2002 - 14:00:55 CEST


Sure - I'll give it a run through its paces if you'd like. Is that for
1.98 or 1.98b? - John

On Wed, 2002-07-31 at 08:01, mlafon_at_arkoon.net wrote:
>
> That's right, NAT-T 0.2 patch currently only works with Free/SWAN 1.97
> and X.509 0.9.10. I plan to release NAT-T 0.3 during August that will
> not have these limitations.
>
> If you prefer I can also send you an experimental patch for 1.98 and
> X509 0.9.14 but I will not have the time to test it for the moment.
>
> --
> Mathieu Lafon - Arkoon Network Security
>
>
> Andreas Steffen <andreas.steffen_at_strongsec.net> on 31/07/2002 12:19:01
>
> To: "John A. Sullivan III" <John.Sullivan_at_nexusmgmt.com>
> cc: users_at_lists.freeswan.org (bcc: Mathieu Lafon/Arkoon)
>
> Subject: Re: [Users] NAT Traversal patch confusion
>
> ----
>
> It just means that the NAT-T patch cannot be successfully applied
> after the X.509 patch since one or several hunks will fail due to
> the [right/left]subnetwithin feature introduced by the X.509 patch.
>
> Andreas
>
> John A. Sullivan III wrote:
> > Thank you, Andreas. Does that mean that application of Mathieu's NAT-T
> > patch disables the DHCP-over-IPSec in your patch or does it mean that we
> > cannot use X.509 certificates at all if we want to use the NAT-T patch? -
> > John
> >
> > On Wed, 2002-07-31 at 05:34, Andreas Steffen wrote:
> >
> >>Version 0.9.14 of the X.509 patch supports (together with a
> >>DHCP relay agent running on the VPN gateway) the DHCP-over-IPsec
> >>protocol defined by
> >>
> >> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-dhcp-13.txt
> >>
> >>Slide 13 of my recent presentation "IPsec-based VPNs"
> >>
> >> http://www.strongsec.com/SWITCHmobile_VPN.pdf
> >>
> >>shows what DHCP-over-IPsec is all about. The whole protocol is based
> >>on normal ESP tunnels with restrictions on ports and protocols
> >>(udp/bootps and udp/bootpc) for the DHCP SA.
> >>
> >>NAT-Traversal is quite a different beast. It allows the encapsulation
> >>of ESP packets in UDP datagrams. You can find details in
> >>
> >>UDP Encapsulation of IPsec Packets
> >>http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-03.txt
> >>
> >>and
> >>
> >>Negotiation of NAT-Traversal in the IKE
> >>http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-03.txt
> >>
> >>NAT-Traversal is supported by Mathieu Lafon's NAT-T patch. It currently
> >>cannot be used together with the X.509 patch since we have different
> >>wildcard models for the Virtual IP ranges for the roadwarriors
> >>(the X.509 patch uses a rightsubnetwithin= parameter per connection and
> >>the NAT-T patch uses a global address pool definition).
> >>
> >>Kind regards
> >>
> >>Andreas
> >>
> >>John A. Sullivan III wrote:
> >>
> >>>After reading all the documentation, I am a little confused about the
> >>>differences between the recent additions to the X.509 patch at
> >>>www.strongsec.com and the NAT-T patch at open-source.arkoon.net. The
> >>>X.509 patch appears to enable the DHCP-over-IPSec and I thought it
> >>>implemented NAT-T but I don't see much about the NAT-T in the docs.
> >>>Does it do the encapsulation in UDP or is that what the arkoon patch is
> >>>for? Where does one use one vs. the other? Thanks - John
> >>
> >>======================================================================
> >>Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
> >>strongSec GmbH phone: +41 76 340 25 56
> >>Alter Zürichweg 20 home: http://www.strongsec.com
> >>CH-8952 Schlieren (Switzerland)
> >>==========================================[strong internet security]==
> >
>
>
> --
> ======================================================================
> Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
> strongSec GmbH phone: +41 76 340 25 56
> Alter Zürichweg 20 home: http://www.strongsec.com
> CH-8952 Schlieren (Switzerland)
> ==========================================[strong internet security]==
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
>
>

-- 
John A. Sullivan III
Group Technology Director
Nexus Management
+1 207-985-7880
John.Sullivan_at_nexusmgmt.com

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:34 CEST