[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Looking for info on ipsec passthrough (or passthru?)

To: "Strahm, Bill" <bill.strahm@intel.com>, ipsec@lists.tislabs.com
Subject: RE: Looking for info on ipsec passthrough (or passthru?)
From: "John C. Day" <JCDay@JCDay.com>
Date: Wed, 30 Aug 2000 09:03:10 -0700
In-Reply-To: <7DAA70BEB463D211AC3E00A0C96B7AB20344B9E8@orsmsx41.jf.intel.com>
Sender: owner-ipsec@lists.tislabs.com

Thanks for the response, Bill.

What I'm looking for is something which will enable me to use an IPSec VPN 
client (Cisco/Altiga) from a privately addressed machine at home which sits 
behind the Linksys device which in turn is connected to my DSL 
bridge.   The VPN server sits (or will sit, to be more accurate - it's 
ordered but not in hand yet) on our corporate DMZ .

Would you guess this passthru feature enables such a connection?  I.e., it 
NATs everything other than what it sees on the VPN port?  While a hack, 
that would seem to accomplish what we need.  Is there better way to do 
it?  Thanks.

John




At 08:45 AM 8/30/00, you wrote:
>Ok, I looked it up and think I know what "passthru" is.
>
>Getting IPsec through NAT is a VERY hard problem.  There isn't an easy way
>of associating (on the wire) that a packet with an SPI of this value needs
>to be demultiplexed to this destination because a packet with another SPI
>went through the NAT gateway...
>
>Passthru is one way of solving this, basically saying all IPsec traffic
>flows through the NAT to this 1 destination.
>
>Passthru is a hack until something like RSIP becomes a reality.
>
>Bill
>
>______________________________________________
>Bill Strahm        Programming today is a race between
>bill.strahm@      software engineers striving to build
>intel.com           bigger and better idiot-proof programs,
>(503) 264-4632   and the Universe trying to produce
>             bigger and better idiots.  So far, the
>                         Universe is winning.--Rich Cook
>I am not speaking for Intel.  And Intel rarely speaks for me
>
>
> > -----Original Message-----
> > From: John C. Day [mailto:JCDay@JCDay.com]
> > Sent: Tuesday, August 29, 2000 3:56 PM
> > To: ipsec@lists.tislabs.com
> > Subject: Looking for info on ipsec passthrough (or passthru?)
> >
> >
> > Greetings.  I'm poking around looking for information on
> > "IPSec passthru",
> > which I saw mentioned on http://www.linksys.com ("Firmware
> > upgrade - IPSec
> > passthru now supported").
> >
> > I searched the archive files of
> > ftp://ftp.tis.com/pub/lists/ipsec/ipsec.0001 through ipsec.0008 but I
> > couldn't locate the string "passthr" anywhere in those.   I
> > also checked
> > rfc2401 without success, but I'm guessing it's a feature/spec
> > that's been
> > introduced recently.
> >
> > Using google I did find a couple of mentions of it in news
> > groups, but I
> > wasn't able to locate an rfc or other doc which describes
> > what it's for and
> > how it's to be implemented.
> >
> > Any pointers?   Thanks.
> >
> > John
> >
> > --
> >
> > John C. Day
> > Gilroy, CA
> > http://www.JCDay.com
> >
> >


--

John C. Day
Gilroy, CA
http://www.JCDay.com

References:

RE: Looking for info on ipsec passthrough (or passthru?)

From: "Strahm, Bill" <bill.strahm@intel.com>

Prev by Date: RE: Looking for info on ipsec passthrough (or passthru?)
Next by Date: RE: Looking for info on ipsec passthrough (or passthru?)
Prev by thread: RE: Looking for info on ipsec passthrough (or passthru?)
Next by thread: Re: Looking for info on ipsec passthrough (or passthru?)
Index(es):
- Main
- Thread