
Re: ESP over UDP



At 11:26 10.8.1999 -0400, you wrote:
>>>>>> "Joern" == Joern Sierwald <joern.sierwald@datafellows.com> writes:
>
> Joern> At 09:05 10.8.1999 -0400, you wrote:
> >> You've got it backwards -- UDP runs over ESP, not the other way
> >> around.  Although you are correct in saying that ISAKMP runs over
> >> UDP.  That is true.
> >> 
> >> The problem is that you are using IP Masquerade.  You will have
> >> trouble with IPSec across a NAT.  There are a couple of patches
> >> that exist for Linux to try to get IPSec working across the NAT:
> >> 
> >> ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
> >> 
> >> -derek
> >> 
>
> Joern> I need to run IPsec over every available IP masquerading
> Joern> implementation in the world, and therefore I have to send ESP
> Joern> packets as UDP payloads. Trust me, I know what I'm doing. (tm)
>
>Well, yes, but unfortunately ESP just doesn't work that way.  ESP runs 
>over IP, not over UDP.  It's like asking TCP to run over UDP.  It
>doesn't, never has, never will.
>
One informational RFC and ESP runs over UDP, or TCP runs over UDP.
No problem. I hacked the "ESP over UDP" into our implementation and
it survives the usual masquerading boxes like FW-1 (NAT method "hide").
I am just asking if other people do this as well and if there is a
port number (private area 49152 through 65535?). 

>You could, I suppose, run ESP inside an L2TP tunnel.  Ugh.
>
Ugh. My opinion exactly.

Jörn Sierwald
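Added example, not part of this thread or of any implementation mentioned in it: the framing that the later standard (RFC 3948 for ESP, RFC 3947 for IKE on the same port) settled for exactly the question raised above. Both share UDP port 4500; a payload that starts with four zero bytes (the "Non-ESP marker") is IKE, anything else is ESP with its SPI in the first four bytes, which is why an ESP SPI of zero is forbidden. The packet bytes below are constructed sample data and no real cipher is applied.

```python
import struct

# Port and framing rules from RFC 3948 / RFC 3947 (standardised after 1999).
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Build the fixed ESP header (SPI, sequence number) followed by an
    opaque encrypted body. The body here is constructed sample data."""
    if spi == 0:
        # A zero SPI would be read as the Non-ESP marker on the receiver.
        raise ValueError("SPI 0 is reserved; it collides with the Non-ESP marker")
    return struct.pack("!II", spi, seq) + ciphertext


def encapsulate(esp_packet: bytes) -> bytes:
    """Wrap an ESP packet as a UDP payload. Nothing is prepended: the
    non-zero SPI alone distinguishes it from IKE on the same port."""
    return esp_packet


def decapsulate(udp_payload: bytes) -> tuple:
    """Classify a port-4500 UDP payload as IKE or ESP.

    Returns ("ike", ike_message) or ("esp", spi, seq, body). Payloads too
    short to carry an ESP header are rejected before any field is parsed.
    """
    if len(udp_payload) < 8:
        raise ValueError("payload shorter than an ESP header")
    if udp_payload[:4] == NON_ESP_MARKER:
        return ("ike", udp_payload[4:])
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return ("esp", spi, seq, udp_payload[8:])


if __name__ == "__main__":
    pkt = encapsulate(build_esp(0x1234ABCD, 7, b"encrypted-sample"))
    print(decapsulate(pkt))                          # ("esp", 305441741, 7, b"encrypted-sample")
    print(decapsulate(NON_ESP_MARKER + b"\x01\x02\x03\x04\x05\x06\x07\x08")[0])  # "ike"
```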
