Re: Can't set up an IPsec tunnel.
From: Eric Anderson (anderson@centtech.com)
Date: 01/24/02
Date: Thu, 24 Jan 2002 14:11:53 -0600
From: Eric Anderson <anderson@centtech.com>
To: Nate Williams <nate@yogotech.com>

I'm not saying B can modify the data, I'm saying A can't trust C's data, since
it appears to come from B, and C builds it as if it's coming from C, with no
knowledge that B is NAT'ing.

Nate Williams wrote:
>
> > As far as I know, no, because that would be like a "man in the middle" attack (I
> > think). Like this:
> >
> > A <--- B ---> C
> >
> > If A is talking to C via IPSEC, A tells C its IP (the true IP) and C tells A
> > its IP (its true IP, behind the masqueraded host), but A sees C as B's IP
> > address. How does it know that C knows that B exists?
>
> It doesn't matter, since B can't read/modify the traffic A or C
> generated.
>
> It can certainly mess with the headers all it wants, but that won't help
> it figure out what is going on.
>
> (Again, this assumes that A & C have authenticated themselves correctly,
> per the IPSEC specification. :)
>
> Nate
>
> > dr3node wrote:
> > >
> > > On Thursday 24 January 2002 21:55, you wrote:
> > > > IPSEC won't work through masquerading boxes or NAT firewalls.
> > > >
> > > > Eric
> > >
> > > is there any way to cheat?
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> >
> > --
> > ------------------------------------------------------------------
> > Eric Anderson anderson@centtech.com Centaur Technology
> > If at first you don't succeed, sky diving is probably not for you.
> > ------------------------------------------------------------------
--
------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------
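
Added example, not part of the original message or thread: a simplified Python model of the A/B/C scenario discussed above, showing which integrity check notices B rewriting the source address. The key, addresses, packet layout and function names are constructed for illustration; real AH covers more of the IP header than the two addresses modelled here.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"   # stands in for the key A and C share in their SA
A = "198.51.100.7"              # constructed addresses (documentation ranges)
B_PUBLIC = "203.0.113.1"        # B's outside address
C_PRIVATE = "192.168.1.10"      # C's real address behind B


def _icv(key, covered):
    # 96-bit truncated HMAC-SHA1, the classic IPsec integrity transform
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]


def covered_bytes(pkt):
    """Bytes the integrity check covers. AH includes the outer addresses; ESP does not."""
    body = struct.pack("!II", pkt["spi"], pkt["seq"]) + pkt["payload"]
    if pkt["proto"] == "ah":
        addrs = b"".join(ipaddress.IPv4Address(pkt[k]).packed for k in ("src", "dst"))
        return addrs + body
    return body


def build(proto, src, dst, payload, key=KEY, spi=0x1000, seq=1):
    pkt = {"proto": proto, "src": src, "dst": dst, "spi": spi, "seq": seq, "payload": payload}
    pkt["icv"] = _icv(key, covered_bytes(pkt))
    return pkt


def nat_rewrite(pkt, public_ip):
    """What B does to outbound traffic: swap the source address, touch nothing else."""
    return dict(pkt, src=public_ip)


def verify(pkt, key=KEY):
    return hmac.compare_digest(_icv(key, covered_bytes(pkt)), pkt["icv"])


def demo():
    """Return {proto: (valid before NAT, valid after NAT)} for a packet from C to A."""
    out = {}
    for proto in ("ah", "esp"):
        pkt = build(proto, C_PRIVATE, A, b"constructed payload")
        out[proto] = (verify(pkt), verify(nat_rewrite(pkt, B_PUBLIC)))
    return out


if __name__ == "__main__":
    print(demo())
```

The ESP result concerns only the integrity check value; it does not model key exchange or how a masquerading box tracks a protocol that has no port numbers.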