Re: ESP over UDP
At 11:26 10.8.1999 -0400, you wrote:
>>>>>> "Joern" == Joern Sierwald <joern.sierwald@datafellows.com> writes:
>
> Joern> At 09:05 10.8.1999 -0400, you wrote:
> >> You've got it backwards -- UDP runs over ESP, not the other way
> >> around. Although you are correct in saying that ISAKMP runs over
> >> UDP. That is true.
> >>
> >> The problem is that you are using IP Masquerade. You will have
> >> trouble with IPSec across a NAT. There are a couple of patches
> >> that exist for Linux to try to get IPSec working across the NAT:
> >>
> >> ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
> >>
> >> -derek
> >>
>
> Joern> I need to run IPsec over every available IP masquerading
> Joern> implementation in the world, and therefore I have to send ESP
> Joern> packets as UDP payloads. Trust me, I know what I'm doing. (tm)
>
>Well, yes, but unfortunately ESP just doesn't work that way. ESP runs
>over IP, not over UDP. It's like asking TCP to run over UDP. It
>doesn't, never has, never will.
>
One informational RFC and ESP runs over UDP, or TCP runs over UDP.
No problem. I hacked the "ESP over UDP" into our implementation and
it survives the usual masquerading boxes like FW-1 (NAT method "hide").
I am just asking if other people do this as well and if there is a
port number (private area 49152 through 65535?).
>You could, I suppose, run ESP inside an L2TP tunnel. Ugh.
>
Ugh. My opinion exactly.
Jörn Sierwald
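As an added illustration (not code from this thread or from the Data Fellows implementation), here is a Python model of the encapsulation under discussion: a "hide" NAT rewrites the outer UDP source port to tell internal hosts apart, whereas bare ESP (IP protocol 50) gives it no port to rewrite, so the inner SPI and sequence number pass through untouched. The UDP-header-then-ESP layout, the zero UDP checksum and the port 49152 are assumptions chosen for this example.

```python
import struct

ESP_PROTO = 50   # IP protocol number of ESP
UDP_PROTO = 17   # IP protocol number of UDP
# Assumed port from the private range the mail asks about (49152-65535);
# a constructed choice for this example, not a registered number.
ESP_UDP_PORT = 49152

def build_esp(spi, seq, payload):
    """ESP header: 32-bit SPI, 32-bit sequence number, then the opaque (encrypted) payload."""
    return struct.pack("!II", spi, seq) + payload

def udp_encap(src_port, dst_port, esp_packet):
    """Carry an ESP packet as a UDP payload (assumed layout: 8-byte UDP header, then ESP; checksum 0)."""
    length = 8 + len(esp_packet)
    return struct.pack("!HHHH", src_port, dst_port, length, 0) + esp_packet

def udp_decap(datagram):
    """Receiver side: strip the UDP header and read back the ESP SPI, sequence number and payload."""
    src, dst, length, _ = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram size")
    spi, seq = struct.unpack("!II", datagram[8:16])
    return src, dst, spi, seq, datagram[16:]

class HideNat:
    """Toy model of a 'hide' NAT: many internal hosts share one public address and are
    distinguished only by a rewritten transport-layer source port."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}          # (internal ip, internal port) -> public port
        self.next_port = 40000   # constructed starting point for allocated ports

    def outbound(self, inner_src_ip, proto, datagram):
        if proto == ESP_PROTO:
            # Bare ESP carries no port, so the NAT cannot demultiplex replies: drop it.
            return None
        src_port = struct.unpack("!H", datagram[:2])[0]
        key = (inner_src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        # Rewrite only the outer UDP source port; everything after it (the ESP packet) is untouched.
        return self.public_ip, struct.pack("!H", self.table[key]) + datagram[2:]

if __name__ == "__main__":
    nat = HideNat("203.0.113.1")
    esp = build_esp(0x1234, 7, b"ciphertext")
    print("bare ESP through hide NAT:", nat.outbound("10.0.0.5", ESP_PROTO, esp))
    print("ESP over UDP through hide NAT:", udp_decap(nat.outbound("10.0.0.5", UDP_PROTO, udp_encap(ESP_UDP_PORT, ESP_UDP_PORT, esp))[1]))
```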