
Re: ESP over UDP



-----BEGIN PGP SIGNED MESSAGE-----

> At 09:05 10.8.1999 -0400, you wrote:
> >You've got it backwards -- UDP runs over ESP, not the
> >other way around.  Although you are correct in saying that
> >ISAKMP runs over UDP.  That is true.
> >
> >The problem is that you are using IP Masquerade.  You will have
> >trouble with IPSec across a NAT.  There are a couple of patches
> >that exist for Linux to try to get IPSec working across the NAT:
> >
> >ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
> >
> >-derek
> 
> I need to run IPsec over every available IP masquerading 
> implementation in the world, and therefore I have to send
> ESP packets as UDP payloads. Trust me, I know what I'm doing. (tm)

What you might try doing is ESP inside AH, for which the patch above
may work, I'm not crazy about it....  I understood what you were
trying to do when you first posted and thought this was a clever
workaround.  The only problem is that UDP connections time out, so you
would have to do port forwarding, statically, or possibly NAT.
Masquerading IPSEC is fraught with frustration.

I don't see why it wouldn't work, but I suspect you will have to code
it yourself.

> Jörn

	slainte mhath, RGB
- -- 
The first Ottawa Linux Symposium was a huge success! <ottawalinuxsymposium.org>
This SunRayce was a wet one!  DroughtRelief_99? -- <www.sunrayce.com/sunrayce/>
Richard Guy Briggs -- PGP key available                Auto-Free Ottawa! Canada
<http://www.conscoop.ottawa.on.ca/rgb/>                   </www.flora.org/afo/>
Prevent Internet Wiretapping!       --      FreeS/WAN:<www.xs4all.nl/~freeswan>
Thanks for voting Green! -- <green.ca>          Marillion:<www.marillion.co.uk>

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBN7A+K9+sBuIhFagtAQEReAP/bRxot0yanIt0KeMBXvfv9Xz/mip2Vc7j
QttOX+FidV0lDBLp/mvIoE+zIQ5CZos5rQ87KhRa59CLTvYdzp7MII2IAl090OEt
dq2v7Km0U/V7JOXMfkXiT4Ryy+I7nKGBU6nh/rtOsi3FqaAiF/FLuiiwlvV2k+JA
MzQieYi0cak=
=adMy
-----END PGP SIGNATURE-----
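The two points made in the reply above, that ESP can be carried as a UDP payload and that a masquerading gateway's UDP mapping will expire if the tunnel goes idle, are illustrated by the following Python example. It is added here and is not code from the poster, from the linked patch or from FreeS/WAN; the SPI, sequence number, addresses, port numbers and timeout values are constructed placeholders, and the masquerade table is a deliberately simplified model of a NAT, not the Linux IP Masquerade implementation.

```python
import itertools
import struct

# ESP header per RFC 2406: 32-bit SPI followed by a 32-bit sequence number,
# both in network byte order. The encrypted payload and trailer follow it.
ESP_HDR = struct.Struct("!II")


def encapsulate_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """Build a UDP payload carrying one ESP packet (header + already-protected body)."""
    if not 1 <= spi <= 0xFFFFFFFF:
        # SPI 0 is reserved by RFC 2406 for local use; never emit it on the wire.
        raise ValueError("SPI must be in 1..2^32-1")
    return ESP_HDR.pack(spi, seq & 0xFFFFFFFF) + esp_body


def parse_udp_esp(payload: bytes):
    """Split a UDP payload back into (spi, seq, body); reject short or SPI-0 datagrams."""
    if len(payload) < ESP_HDR.size:
        raise ValueError("UDP payload shorter than an ESP header")
    spi, seq = ESP_HDR.unpack_from(payload)
    if spi == 0:
        raise ValueError("SPI 0 is reserved; not a valid ESP packet")
    return spi, seq, payload[ESP_HDR.size:]


class MasqueradeTable:
    """Toy model (an assumption, not the Linux code) of a masquerading gateway's
    UDP port mappings, each expiring after idle_timeout seconds without traffic."""

    def __init__(self, idle_timeout: float, first_port: int = 61000):
        self.idle_timeout = idle_timeout
        self._ports = itertools.count(first_port)
        self._by_inner = {}  # (inner_host, inner_port, peer) -> (masq_port, last_seen)
        self._by_masq = {}   # masq_port -> (inner_host, inner_port, peer)

    def outbound(self, inner_host: str, inner_port: int, peer: str, now: float) -> int:
        """An outbound datagram creates or refreshes the mapping; returns the masqueraded port."""
        key = (inner_host, inner_port, peer)
        if key in self._by_inner:
            masq_port, _ = self._by_inner[key]
        else:
            masq_port = next(self._ports)
            self._by_masq[masq_port] = key
        self._by_inner[key] = (masq_port, now)
        return masq_port

    def inbound(self, masq_port: int, now: float):
        """Deliver an inbound datagram: returns (inner_host, inner_port) or None if no live mapping."""
        key = self._by_masq.get(masq_port)
        if key is None:
            return None
        _, last_seen = self._by_inner[key]
        if now - last_seen > self.idle_timeout:
            # Mapping has expired: the gateway has nothing to map the reply to, so it is dropped.
            del self._by_masq[masq_port]
            del self._by_inner[key]
            return None
        self._by_inner[key] = (masq_port, now)
        return key[:2]


def tunnel_survives(idle_timeout: float, keepalive_interval, total_time: float) -> bool:
    """Does an inbound ESP-in-UDP datagram at total_time still reach the inner host?

    keepalive_interval=None models a tunnel that sends nothing while idle;
    otherwise the inner host emits an empty UDP datagram every keepalive_interval seconds.
    Addresses and ports below are constructed placeholders."""
    nat = MasqueradeTable(idle_timeout)
    peer = "192.0.2.1"
    masq_port = nat.outbound("10.0.0.5", 50000, peer, 0.0)  # first ESP-in-UDP packet out
    if keepalive_interval:
        t = 0.0
        while t + keepalive_interval < total_time:
            t += keepalive_interval
            nat.outbound("10.0.0.5", 50000, peer, t)  # keepalive refreshes the mapping
    reply = encapsulate_esp(spi=0x1234, seq=7, esp_body=b"\x00" * 16)  # constructed body
    parse_udp_esp(reply)  # would raise on a malformed datagram
    return nat.inbound(masq_port, total_time) is not None


if __name__ == "__main__":
    print("idle 120 s, timeout 60 s, no keepalive:", tunnel_survives(60, None, 120))
    print("idle 120 s, timeout 60 s, keepalive 30 s:", tunnel_survives(60, 30, 120))
```

Running it shows the failure mode the reply describes: with a 60-second UDP timeout and no traffic for 120 seconds the inbound ESP datagram is dropped, whereas a keepalive shorter than the timeout keeps the mapping alive. Without keepalives, a static port forward on the gateway is what makes the inbound direction work.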

