Re: ESP over UDP
> At 09:05 10.8.1999 -0400, you wrote:
> >You've got it backwards -- UDP runs over ESP, not the
> >other way around. Although you are correct in saying that
> >ISAKMP runs over UDP. That is true.
> >
> >The problem is that you are using IP Masquerade. You will have
> >trouble with IPSec across a NAT. There are a couple of patches
> >that exist for Linux to try to get IPSec working across the NAT:
> >
> >ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
> >
> >-derek
>
> I need to run IPsec over every available IP masquerading
> implementation in the world, and therefore I have to send
> ESP packets as UDP payloads. Trust me, I know what I'm doing. (tm)
What you might try doing is ESP inside AH, for which the patch above
may work; I'm not crazy about it.... I understood what you were
trying to do when you first posted and thought this was a clever
workaround. The only problem is that UDP connections time out, so you
would have to do port forwarding, statically, or possibly NAT.
Masquerading IPSEC is fraught with frustration.
I don't see why it wouldn't work, but I suspect you will have to code
it yourself.
> Jörn
slainte mhath, RGB
- --
The first Ottawa Linux Symposium was a huge success! <ottawalinuxsymposium.org>
This SunRayce was a wet one! DroughtRelief_99? -- <www.sunrayce.com/sunrayce/>
Richard Guy Briggs -- PGP key available Auto-Free Ottawa! Canada
<http://www.conscoop.ottawa.on.ca/rgb/> <www.flora.org/afo/>
Prevent Internet Wiretapping! -- FreeS/WAN:<www.xs4all.nl/~freeswan>
Thanks for voting Green! -- <green.ca> Marillion:<www.marillion.co.uk>