[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Looking for info on ipsec passthrough (or passthru?)
Ok, I am confused... IPsec used ESP or AH packets, not TCP or UDP (they can
be encapsulated of course)
What do you mean by your first paragraph ???
Bill Strahm Programming today is a race between
bill.strahm@ software engineers striving to build
intel.com bigger and better idiot-proof programs,
(503) 264-4632 and the Universe trying to produce
bigger and better idiots. So far, the
Universe is winning.--Rich Cook
I am not speaking for Intel. And Intel rarely speaks for me
> -----Original Message-----
> From: Michel de Koning [mailto:firstname.lastname@example.org]
> Sent: Wednesday, August 30, 2000 1:59 PM
> To: 'John C. Day'; Strahm, Bill; email@example.com
> Subject: RE: Looking for info on ipsec passthrough (or passthru?)
> Hi John,
> currently we are testing (playing with) an Altiga / Cisco 3000 vpn
> concentrator. It allows IPsec Passthru Nat. haven't read
> everything yet, but
> the principle is that is uses UDP instead of TCP for the
> IPSec packets. As
> soon as we have tested it I will let you know.
> Must say this Altiga box is really great so far, the bad
> thing is it does
> not support win2000 clients unless you use certificates, this because
> win2000 client does not support mode-config. Cisco says "the
> altiga client
> for win2000 will ship in october"......
> Usually when cisco buys something you have to wait for
> version 2 before it
> will really work :-), let's wait and see..
> We had the Altiga up and running with NT4 using PPTP and
> after that IPSec
> within an afternoon. And this was before reading the
> documentation! Look at
> it I would say
> -----Oorspronkelijk bericht-----
> Van: John C. Day [mailto:JCDay@JCDay.com]
> Verzonden: Wednesday, August 30, 2000 6:03 PM
> Aan: Strahm, Bill; firstname.lastname@example.org
> Onderwerp: RE: Looking for info on ipsec passthrough (or passthru?)
> Thanks for the response, Bill.
> What I'm looking for is something which will enable me to use
> an IPSec VPN
> client (Cisco/Altiga) from a privately addressed machine at
> home which sits
> behind the Linksys device which in turn is connected to my DSL
> bridge. The VPN server sits (or will sit, to be more
> accurate - it's
> ordered but not in hand yet) on our corporate DMZ .
> Would you guess this passthru feature enables such a
> connection? I.e., it
> NATs everything other than what it sees on the VPN port?
> While a hack,
> that would seem to accomplish what we need. Is there better
> way to do
> it? Thanks.
> At 08:45 AM 8/30/00, you wrote:
> >Ok, I looked it up and think I know what "passthru" is.
> >Getting IPsec through NAT is a VERY hard problem. There
> isn't an easy way
> >of associating (on the wire) that a packet with an SPI of
> this value needs
> >to be demultiplexed to this destination because a packet
> with another SPI
> >went through the NAT gateway...
> >Passthru is one way of solving this, basically saying all
> IPsec traffic
> >flows through the NAT to this 1 destination.
> >Passthru is a hack until something like RSIP becomes a reality.
> >Bill Strahm Programming today is a race between
> >bill.strahm@ software engineers striving to build
> >intel.com bigger and better idiot-proof programs,
> >(503) 264-4632 and the Universe trying to produce
> > bigger and better idiots. So far, the
> > Universe is winning.--Rich Cook
> >I am not speaking for Intel. And Intel rarely speaks for me
> > > -----Original Message-----
> > > From: John C. Day [mailto:JCDay@JCDay.com]
> > > Sent: Tuesday, August 29, 2000 3:56 PM
> > > To: email@example.com
> > > Subject: Looking for info on ipsec passthrough (or passthru?)
> > >
> > >
> > > Greetings. I'm poking around looking for information on
> > > "IPSec passthru",
> > > which I saw mentioned on http://www.linksys.com ("Firmware
> > > upgrade - IPSec
> > > passthru now supported").
> > >
> > > I searched the archive files of
> > > ftp://ftp.tis.com/pub/lists/ipsec/ipsec.0001 through
> ipsec.0008 but I
> > > couldn't locate the string "passthr" anywhere in those. I
> > > also checked
> > > rfc2401 without success, but I'm guessing it's a feature/spec
> > > that's been
> > > introduced recently.
> > >
> > > Using google I did find a couple of mentions of it in news
> > > groups, but I
> > > wasn't able to locate an rfc or other doc which describes
> > > what it's for and
> > > how it's to be implemented.
> > >
> > > Any pointers? Thanks.
> > >
> > > John
> > >
> > > --
> > >
> > > John C. Day
> > > Gilroy, CA
> > > http://www.JCDay.com
> > >
> > >
> John C. Day
> Gilroy, CA