Re: VPN on 2.4.x kernels
From: A transfinite number of monkeys (jcostom@jasons.org)
Date: 01/23/02
- Next message: The Skull: "SYN-cookies & iptables vulnerability"
- Previous message: Steve Collymore: "RH Linux 7.2 iptables"
- In reply to: Cedric Blancher: "Re: VPN on 2.4.x kernels"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: jcostom@jasons.org (A transfinite number of monkeys) Date: Wed, 23 Jan 2002 15:48:03 GMT
In article <slrna4qdqj.oj.blancher@elendil.intranet.cartel-info.fr>,
Cedric Blancher wrote:
: IPSEC filtering : IP protocol 50 (ESP)
: IP protocol 51 (AH)
: UDP source port 500, destination port 500 (ISAKMP)
:
: IPSEC does not like NAT : it only works in tunnel mode, without AH.
: Moreover, you need to play with SPI in order to establish more than
: one tunnel for your network to the same peer.
OR implement some sort of encapsulation protocol for the ESP traffic.
Many IPSec clients do this: Nokia (IPSec over NAT Working Draft), Check
Point (own proprietary UDP-based encapsulation), Nortel (GRE, IIRC - blech!),
etc.
AH seems just silly, if you ask me. You need that functionality?
Ok, run ESP with null encryption. You get the same benefits AND can
get shot through NAT devices.
--
Jason Costomiris <>< | Technologist, geek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
My account, My opinions.
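The two technical points in this exchange (the three filter rules Cedric lists, and Jason's claim that AH is pointless behind NAT while ESP with null encryption survives it) can be shown in a few dozen lines. The following is an added example, not code from either poster: it classifies a packet against the ESP / AH / ISAKMP rules, then models the integrity check value (ICV) of AH and ESP the way RFC 2402 and RFC 2406 scope it (AH hashes the IP header with only the mutable fields zeroed, so the source address is covered; ESP hashes only the ESP header, payload and trailer) and shows what a source-NAT rewrite does to each. The key, SPIs, addresses and payload are constructed, HMAC-SHA1-96 is assumed as the authenticator, and the packet builders are simplified (no IP checksum, no sequence-window handling).

```python
"""Why NAT breaks AH but not ESP: a minimal model of the IPsec integrity check.

Constructed example (not from the original thread). Keys, SPIs and addresses
are made up; a real SA gets them from IKE (ISAKMP, UDP 500).
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

KEY = b"constructed-shared-key"   # constructed; never a fixed value in practice
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
ISAKMP_PORT = 500
ICV_LEN = 12                      # HMAC-SHA1-96 truncation (assumed authenticator)


def ipv4_header(src, dst, proto, ttl=64, tos=0, total_len=60):
    """Build a 20-byte IPv4 header; the checksum is left zero (it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def classify(ip_hdr, transport):
    """Match a packet against the three IPsec filter rules quoted in the thread."""
    proto = ip_hdr[9]
    if proto == IPPROTO_ESP:
        return "ESP"
    if proto == IPPROTO_AH:
        return "AH"
    if proto == IPPROTO_UDP and len(transport) >= 4:
        sport, dport = struct.unpack("!HH", transport[:4])
        if sport == ISAKMP_PORT and dport == ISAKMP_PORT:
            return "ISAKMP"
    return None


def _ah_immutable_view(ip_hdr):
    """RFC 2402 3.3.3.1: zero the mutable fields but keep the addresses in the hash."""
    b = bytearray(ip_hdr)
    b[1] = 0                  # TOS
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)


def ah_build(ip_hdr, spi, seq, payload, next_hdr=IPPROTO_UDP):
    """AH: next header, payload len (24 bytes = 6 words, minus 2), reserved, SPI, seq, ICV."""
    fixed = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)
    covered = _ah_immutable_view(ip_hdr) + fixed + b"\x00" * ICV_LEN + payload
    icv = hmac.new(KEY, covered, hashlib.sha1).digest()[:ICV_LEN]
    return fixed + icv + payload


def ah_verify(ip_hdr, ah_packet):
    """Receiver recomputes the ICV over the header it actually received."""
    fixed, icv, payload = ah_packet[:12], ah_packet[12:24], ah_packet[24:]
    covered = _ah_immutable_view(ip_hdr) + fixed + b"\x00" * ICV_LEN + payload
    expected = hmac.new(KEY, covered, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def esp_build(spi, seq, payload, next_hdr=IPPROTO_UDP):
    """ESP with NULL encryption: header, plaintext payload, trailer, ICV.
    The ICV covers the ESP header through the trailer and never the outer IP header."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    body = struct.pack("!II", spi, seq) + payload + trailer
    icv = hmac.new(KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_verify(ip_hdr, esp_packet):
    """ip_hdr is accepted for symmetry with ah_verify but deliberately not used."""
    body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def nat_rewrite_src(ip_hdr, new_src):
    """What a source-NAT device does to the outer header on the way out."""
    return ip_hdr[:12] + IPv4Address(new_src).packed + ip_hdr[16:]


def demo():
    """Run both protections through a NAT and report which still verify."""
    payload = b"constructed transport payload"
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", IPPROTO_AH)
    ah = ah_build(hdr, spi=0x1001, seq=1, payload=payload)
    esp = esp_build(spi=0x2002, seq=1, payload=payload)
    natted = nat_rewrite_src(hdr, "198.51.100.7")   # NAT rewrites the source address
    return {
        "ah_before_nat": ah_verify(hdr, ah),
        "ah_after_nat": ah_verify(natted, ah),      # False: address is inside the hash
        "esp_before_nat": esp_verify(hdr, esp),
        "esp_after_nat": esp_verify(natted, esp),   # True: ESP never hashed the header
    }


if __name__ == "__main__":
    print(demo())
```

The `ah_after_nat` result is the whole argument of the post: nothing is wrong with the NAT or with AH, they just disagree about whether the source address is part of the protected data. ESP-NULL gives the same origin and integrity assurance for the payload without that conflict, which is why a single tunnel per NAT'd host passes; the SPI juggling Cedric mentions is the separate problem that protocol 50 has no port numbers for the NAT to multiplex on.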