From: mlafon_at_arkoon.net
Date: Wed Jul 31 2002 - 14:01:46 CEST
That's right, the NAT-T 0.2 patch currently only works with Free/SWAN 1.97
and X.509 0.9.10. I plan to release NAT-T 0.3 during August that will
not have these limitations.
If you prefer I can also send you an experimental patch for 1.98 and
X509 0.9.14 but I will not have the time to test it for the moment.
--
Mathieu Lafon - Arkoon Network Security

Andreas Steffen <andreas.steffen_at_strongsec.net> on 31/07/2002 12:19:01
To: "John A. Sullivan III" <John.Sullivan_at_nexusmgmt.com>
cc: users_at_lists.freeswan.org (bcc: Mathieu Lafon/Arkoon)
Subject: Re: [Users] NAT Traversal patch confusion
It just means that the NAT-T patch cannot be successfully applied
after the X.509 patch since one or several hunks will fail due to
the [right/left]subnetwithin feature introduced by the X.509 patch.
Andreas
John A. Sullivan III wrote:
> Thank you, Andreas. Does that mean that application of Mathieu's NAT-T
> patch disables the DHCP-over-IPSec in your patch or does it mean that we
> cannot use X.509 certificates at all if we want to use the NAT-T patch? -
> John
>
> On Wed, 2002-07-31 at 05:34, Andreas Steffen wrote:
>
>>Version 0.9.14 of the X.509 patch supports (together with a
>>DHCP relay agent running on the VPN gateway) the DHCP-over-IPsec
>>protocol defined by
>>
>> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-dhcp-13.txt
>>
>>Slide 13 of my recent presentation "IPsec-based VPNs"
>>
>> http://www.strongsec.com/SWITCHmobile_VPN.pdf
>>
>>shows what DHCP-over-IPsec is all about. The whole protocol is based
>>on normal ESP tunnels with restrictions on ports and protocols
>>(udp/bootps and udp/bootpc) for the DHCP SA.
>>
>>NAT-Traversal is quite a different beast. It allows the encapsulation
>>of ESP packets in UDP datagrams. You can find details in
>>
>>UDP Encapsulation of IPsec Packets
>>http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-03.txt
>>
>>and
>>
>>Negotiation of NAT-Traversal in the IKE
>>http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-03.txt
>>
>>NAT-Traversal is supported by Mathieu Lafon's NAT-T patch. It currently
>>cannot be used together with the X.509 patch since we have different
>>wildcard models for the Virtual IP ranges for the roadwarriors
>>(the X.509 patch uses a rightsubnetwithin= parameter per connection and
>>the NAT-T patch uses a global address pool definition).
>>
>>Kind regards
>>
>>Andreas
>>
>>John A. Sullivan III wrote:
>>
>>>After reading all the documentation, I am a little confused about the
>>>differences between the recent additions to the X.509 patch at
>>>www.strongsec.com and the NAT-T patch at open-source.arkoon.net. The
>>>X.509 patch appears to enable the DHCP-over-IPSec and I thought it
>>>implemented NAT-T but I don't see much about the NAT-T in the docs.
>>>Does it do the encapsulation in UDP or is that what the arkoon patch is
>>>for? Where does one use one vs. the other? Thanks - John
>>
>>======================================================================
>>Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
>>strongSec GmbH phone: +41 76 340 25 56
>>Alter Zürichweg 20 home: http://www.strongsec.com
>>CH-8952 Schlieren (Switzerland)
>>==========================================[strong internet security]==
>
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:34 CEST
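The thread above distinguishes DHCP-over-IPsec (plain ESP tunnels with port restrictions) from NAT-Traversal, which wraps ESP in UDP. As an added illustration that is not part of any message in the thread or of either patch, the following Python classifier reads the UDP payload of a port-4500 datagram and tells IKE, UDP-encapsulated ESP and NAT-keepalive apart using the framing rules of the UDP-encapsulation draft cited by Andreas (as finalized in RFC 3948): a four-zero-byte non-ESP marker precedes IKE, a lone 0xFF byte is a keepalive, and anything else begins with an ESP header. The sample datagrams, port number constant and function names are constructed for this example.

```python
import struct
from collections import Counter

NAT_T_PORT = 4500                     # UDP port shared by NAT-T IKE and UDP-encapsulated ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # precedes an IKE header on port 4500; ESP SPI 0 is reserved
IKE_HEADER_LEN = 28                   # ISAKMP header: 8+8 cookies, 4 single-byte fields, msg id, length


def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify the UDP payload of a port-4500 datagram without any SA state."""
    if payload == b"\xff":            # NAT-keepalive: one 0xFF byte, keeps the NAT mapping open
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "invalid", "reason": "short IKE header"}
        icookie, rcookie, _next, _ver, exch, _flags, msg_id, length = struct.unpack(
            "!8s8sBBBBII", ike[:IKE_HEADER_LEN])
        return {"kind": "ike", "initiator_cookie": icookie.hex(),
                "responder_cookie": rcookie.hex(), "exchange_type": exch,
                "message_id": msg_id, "length": length}
    if len(payload) < 8:              # ESP header is SPI (4) + sequence number (4)
        return {"kind": "invalid", "reason": "short ESP header"}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


def count_kinds(datagrams) -> dict:
    """Count payload kinds over (dst_port, payload) pairs; ignore non-NAT-T ports."""
    return dict(Counter(classify_nat_t_payload(p)["kind"]
                        for port, p in datagrams if port == NAT_T_PORT))


# Constructed sample datagrams (not captured traffic): a main-mode IKE packet,
# an ESP packet with SPI 0x12345678 / seq 1, a keepalive, and a port-500 packet
# that a NAT-T classifier must leave alone.
SAMPLE_IKE = (NON_ESP_MARKER + b"\x11" * 8 + b"\x00" * 8
              + bytes([1, 0x10, 2, 0]) + struct.pack("!II", 0, IKE_HEADER_LEN))
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16
SAMPLE_DATAGRAMS = [
    (NAT_T_PORT, SAMPLE_IKE),
    (NAT_T_PORT, SAMPLE_ESP),
    (NAT_T_PORT, b"\xff"),
    (500, b"\x22" * 28),              # plain IKE on port 500, no non-ESP marker
]

if __name__ == "__main__":
    for port, payload in SAMPLE_DATAGRAMS:
        print(port, classify_nat_t_payload(payload))
    print(count_kinds(SAMPLE_DATAGRAMS))
```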