Re: Questions (Rants?) About IPSEC

From: James F. Hranicky (
Date: 02/07/02

To: Garrett Wollman <>
Date: Thu, 07 Feb 2002 17:18:23 -0500
From: "James F. Hranicky" <>

Garrett Wollman <> wrote:
> > - IPSEC routers have to basically be the border router for
> > a site, as there is no post-decryption NAT protocol to
> > get packets back to a router on the inside of the network
> > (Apparently, Cisco VPN boxes have this capability, but
> > it's an add-on to IPSEC AFAICT).
> IPSEC is designed to thwart processes which corrupt packet headers
> (including NAT).

In my scenario, NAT would occur after decryption, allowing IPSEC routers
to be placed at arbitrary points in the internal net. As I understand it,
Cisco's VPN box does just that.

Thanks for your input.


To Unsubscribe: send mail to
with "unsubscribe freebsd-security" in the body of the message
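Added illustration of the point argued in the exchange above (not code from the list, from FreeBSD, or from any IPsec implementation): with AH, the integrity check value is an HMAC over the IP header with only the mutable fields (TOS, TTL, flags/fragment offset, checksum) zeroed, so the addresses are covered and a NAT that rewrites them makes the receiver's ICV check fail. If the gateway verifies and decapsulates first and only then rewrites the inner cleartext packet, nothing protected is touched, which is the post-decryption NAT described in the message. The reduced header layout, the HMAC truncation, the key and the addresses are constructed assumptions for the model, not a wire-exact AH. ESP's ICV does not cover the outer IP header, but plain NAT still breaks it for other reasons (no ports to map, transport-mode TCP checksums over the original addresses), which is what UDP encapsulation (NAT-T, RFC 3948) later addressed.

```python
"""Model of why a NAT in the IPsec path breaks AH, and why NAT applied after
decapsulation does not. Constructed for this thread; not a wire-exact AH."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IPv4Header:
    src: str    # immutable in transit: covered by the AH ICV
    dst: str    # immutable in transit: covered by the AH ICV
    proto: int  # immutable (4 = IP-in-IP, used by tunnel mode; 6 = TCP)
    ttl: int    # mutable: AH zeroes it before computing the ICV
    tos: int    # mutable: AH zeroes it before computing the ICV


HDR_FMT = "!BBB4s4s"  # tos, ttl, proto, src, dst (11 bytes; a reduced IPv4 header)


def serialize(hdr, zero_mutable):
    """Pack the header. With zero_mutable=True the mutable fields are zeroed,
    which is what AH does before hashing (RFC 4302 section 3.3.3.1)."""
    return struct.pack(
        HDR_FMT,
        0 if zero_mutable else hdr.tos,
        0 if zero_mutable else hdr.ttl,
        hdr.proto,
        ipaddress.IPv4Address(hdr.src).packed,
        ipaddress.IPv4Address(hdr.dst).packed,
    )


def parse(buf):
    """Inverse of serialize(); returns (header, remaining bytes)."""
    tos, ttl, proto, src, dst = struct.unpack(HDR_FMT, buf[:11])
    hdr = IPv4Header(str(ipaddress.IPv4Address(src)),
                     str(ipaddress.IPv4Address(dst)), proto, ttl, tos)
    return hdr, buf[11:]


def ah_icv(key, hdr, payload):
    """AH integrity check value: HMAC over (header with mutable fields zeroed ||
    payload), truncated to 128 bits the way HMAC-SHA-256-128 (RFC 4868) is."""
    return hmac.new(key, serialize(hdr, True) + payload, hashlib.sha256).digest()[:16]


def ah_verify(key, hdr, payload, icv):
    return hmac.compare_digest(ah_icv(key, hdr, payload), icv)


def tunnel_packet(key, outer, inner, data):
    """Tunnel-mode AH: the outer header carries the whole inner packet and the
    ICV covers both."""
    payload = serialize(inner, False) + data
    return outer, payload, ah_icv(key, outer, payload)


# Constructed key and addresses (documentation ranges and RFC 1918 space, not real hosts).
KEY = b"constructed-demo-key"
OUTER = IPv4Header("203.0.113.10", "198.51.100.1", proto=4, ttl=64, tos=0)
INNER = IPv4Header("10.1.0.5", "10.2.0.9", proto=6, ttl=64, tos=0)
DATA = b"constructed application data"


def nat_before_ipsec(key=KEY):
    """A NAT between the IPsec peers rewrites the outer header that AH covers.
    Returns whether the receiving gateway's ICV check passes (it does not)."""
    outer, payload, icv = tunnel_packet(key, OUTER, INNER, DATA)
    # Plain routing decrements TTL; AH tolerates that because TTL is mutable.
    routed = replace(outer, ttl=outer.ttl - 1)
    if not ah_verify(key, routed, payload, icv):
        raise AssertionError("a TTL change must not break AH")
    # The NAT rewrites the source address, an immutable field under AH.
    natted = replace(routed, src="192.0.2.77")
    return ah_verify(key, natted, payload, icv)


def nat_after_ipsec(key=KEY):
    """The scenario from the message: the IPsec gateway verifies and decapsulates
    first, then NATs the inner cleartext packet toward an inside router. Returns
    the rewritten inner destination and the data, or None if AH fails."""
    outer, payload, icv = tunnel_packet(key, OUTER, INNER, DATA)
    if not ah_verify(key, outer, payload, icv):
        return None
    inner, data = parse(payload)
    forwarded = replace(inner, dst="10.2.0.254", ttl=inner.ttl - 1)  # post-decryption DNAT
    return forwarded.dst, data


if __name__ == "__main__":
    print("NAT before IPsec, AH verifies:", nat_before_ipsec())  # False
    print("NAT after IPsec, forwarded to:", nat_after_ipsec())
```

The ordering is the whole point: in nat_before_ipsec() the same packet survives a TTL decrement but not an address rewrite, because AH deliberately excludes the former and covers the latter; in nat_after_ipsec() the rewrite happens on the decapsulated inner packet, which the IPsec peer on the other side never sees and never checked, so the gateway can sit anywhere inside the network as long as the tunnel endpoints' own addresses are left alone between them.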