
RE: Looking for info on ipsec passthrough (or passthru?)

Hi John,

Currently we are testing (playing with) an Altiga / Cisco 3000 VPN
concentrator. It allows IPsec Passthru NAT. I haven't read everything yet, but
the principle is that it uses UDP instead of TCP for the IPSec packets. As
soon as we have tested it I will let you know.

Must say this Altiga box is really great so far; the bad thing is it does
not support win2000 clients unless you use certificates, because the
win2000 client does not support mode-config. Cisco says "the Altiga client
for win2000 will ship in October"......

Usually when Cisco buys something you have to wait for version 2 before it
will really work :-), let's wait and see..

We had the Altiga up and running with NT4 using PPTP and after that IPSec
within an afternoon. And this was before reading the documentation! Look at
it, I would say.


-----Original Message-----
From: John C. Day [mailto:JCDay@JCDay.com]
Sent: Wednesday, August 30, 2000 6:03 PM
To: Strahm, Bill; ipsec@lists.tislabs.com
Subject: RE: Looking for info on ipsec passthrough (or passthru?)

Thanks for the response, Bill.

What I'm looking for is something which will enable me to use an IPSec VPN
client (Cisco/Altiga) from a privately addressed machine at home which sits
behind the Linksys device which in turn is connected to my DSL
bridge.  The VPN server sits (or will sit, to be more accurate - it's
ordered but not in hand yet) on our corporate DMZ.

Would you guess this passthru feature enables such a connection?  I.e., it
NATs everything other than what it sees on the VPN port?  While a hack,
that would seem to accomplish what we need.  Is there a better way to do
it?  Thanks.


At 08:45 AM 8/30/00, you wrote:
>Ok, I looked it up and think I know what "passthru" is.
>Getting IPsec through NAT is a VERY hard problem.  There isn't an easy way
>of associating (on the wire) that a packet with an SPI of this value needs
>to be demultiplexed to this destination because a packet with another SPI
>went through the NAT gateway...
>Passthru is one way of solving this, basically saying all IPsec traffic
>flows through the NAT to this 1 destination.
>Passthru is a hack until something like RSIP becomes a reality.
>Bill Strahm
>bill.strahm@intel.com
>(503) 264-4632
>"Programming today is a race between software engineers striving to build
>bigger and better idiot-proof programs, and the Universe trying to produce
>bigger and better idiots.  So far, the Universe is winning." --Rich Cook
>I am not speaking for Intel.  And Intel rarely speaks for me
> > -----Original Message-----
> > From: John C. Day [mailto:JCDay@JCDay.com]
> > Sent: Tuesday, August 29, 2000 3:56 PM
> > To: ipsec@lists.tislabs.com
> > Subject: Looking for info on ipsec passthrough (or passthru?)
> >
> > Greetings.  I'm poking around looking for information on "IPSec passthru",
> > which I saw mentioned on http://www.linksys.com ("Firmware upgrade - IPSec
> > passthru now supported").
> >
> > I searched the archive files of ftp://ftp.tis.com/pub/lists/ipsec/ipsec.0001
> > through ipsec.0008 but I couldn't locate the string "passthr" anywhere in
> > those.  I also checked rfc2401 without success, but I'm guessing it's a
> > feature/spec that's been introduced recently.
> >
> > Using Google I did find a couple of mentions of it in newsgroups, but I
> > wasn't able to locate an rfc or other doc which describes what it's for and
> > how it's to be implemented.
> >
> > Any pointers?   Thanks.
> >
> > John
> >
> > --
> >
> > John C. Day
> > Gilroy, CA
> > http://www.JCDay.com
> >


John C. Day
Gilroy, CA
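Added illustration, not code from anyone in this thread: a toy Python model of the NAT problem Bill describes (ESP carries an SPI but no ports, and the reply direction uses a different SPI, so a NAT has no state to demultiplex inbound ESP), of why "passthru" only works for one inside host, and of why carrying the IPsec packets in UDP, as the Altiga reply mentions, gives the NAT a normal per-host port mapping again. Addresses, ports and SPIs are constructed sample values.

```python
# Toy NAT model for the passthru thread.  Constructed values: inside hosts
# 192.168.1.10/.11, NAT public side 203.0.113.5, VPN gateway 198.51.100.1.
PUBLIC_IP, GW = "203.0.113.5", "198.51.100.1"
HOST_A, HOST_B = "192.168.1.10", "192.168.1.11"

class Nat:
    def __init__(self, passthru_host=None):
        self.passthru_host = passthru_host  # inside host that gets *all* inbound ESP
        self.udp_map = {}                   # public port -> inside (ip, port)
        self.next_port = 40000

    def outbound(self, pkt):  # rewrite inside->outside, record state for replies
        if pkt["proto"] == "udp":
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.udp_map[pub_port] = (pkt["src"], pkt["sport"])
            return dict(pkt, src=PUBLIC_IP, sport=pub_port)
        # ESP has no ports, only an SPI picked by the receiver of each one-way SA;
        # the reply SA uses a different SPI, so there is no mapping worth recording.
        return dict(pkt, src=PUBLIC_IP)

    def inbound(self, pkt):  # -> inside host the packet is delivered to, or None
        if pkt["proto"] == "udp":
            entry = self.udp_map.get(pkt["dport"])
            return entry[0] if entry else None
        return self.passthru_host  # ESP: no per-SPI state, so fixed host or drop

def esp(src, dst, spi):
    return {"proto": "esp", "src": src, "dst": dst, "spi": spi}
def udp(src, sport, dst, dport):
    return {"proto": "udp", "src": src, "sport": sport, "dst": dst, "dport": dport}

def esp_plain():
    """One host sends ESP through a plain NAT; the gateway's reply is undeliverable."""
    nat = Nat()
    nat.outbound(esp(HOST_A, GW, 0x1001))
    return nat.inbound(esp(GW, PUBLIC_IP, 0x2002))  # returns None

def esp_passthru():
    """Passthru pins all inbound ESP to HOST_A, so HOST_B's replies are misdelivered."""
    nat = Nat(passthru_host=HOST_A)
    nat.outbound(esp(HOST_A, GW, 0x1001))
    nat.outbound(esp(HOST_B, GW, 0x1003))
    return nat.inbound(esp(GW, PUBLIC_IP, 0x2002)), nat.inbound(esp(GW, PUBLIC_IP, 0x2004))

def esp_in_udp():
    """ESP carried in UDP gets a per-host port mapping, so both replies route correctly."""
    nat = Nat()
    a, b = nat.outbound(udp(HOST_A, 500, GW, 500)), nat.outbound(udp(HOST_B, 500, GW, 500))
    return (nat.inbound(udp(GW, 500, PUBLIC_IP, a["sport"])),
            nat.inbound(udp(GW, 500, PUBLIC_IP, b["sport"])))
```

The model ignores IKE and authentication entirely; it only shows the demultiplexing state a NAT can or cannot build for each packet format.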