RE: Looking for info on ipsec passthrough (or passthru?)



Ok, I am confused... IPsec uses ESP or AH packets, not TCP or UDP (they can
be encapsulated of course).

What do you mean by your first paragraph ???

Bill

______________________________________________
Bill Strahm        Programming today is a race between
bill.strahm@      software engineers striving to build
intel.com           bigger and better idiot-proof programs,
(503) 264-4632   and the Universe trying to produce
            bigger and better idiots.  So far, the
                        Universe is winning.--Rich Cook
I am not speaking for Intel.  And Intel rarely speaks for me


> -----Original Message-----
> From: Michel de Koning [mailto:mdkoning@vanenburg.com]
> Sent: Wednesday, August 30, 2000 1:59 PM
> To: 'John C. Day'; Strahm, Bill; ipsec@lists.tislabs.com
> Subject: RE: Looking for info on ipsec passthrough (or passthru?)
> 
> 
> Hi John,
> 
> Currently we are testing (playing with) an Altiga / Cisco 3000 vpn
> concentrator. It allows IPsec Passthru NAT. Haven't read everything yet, but
> the principle is that it uses UDP instead of TCP for the IPSec packets. As
> soon as we have tested it I will let you know.
>
> Must say this Altiga box is really great so far, the bad thing is it does
> not support win2000 clients unless you use certificates, this because
> win2000 client does not support mode-config. Cisco says "the altiga client
> for win2000 will ship in october"......
>
> Usually when cisco buys something you have to wait for version 2 before it
> will really work :-), let's wait and see..
>
> We had the Altiga up and running with NT4 using PPTP and after that IPSec
> within an afternoon. And this was before reading the documentation! Look at
> it I would say
> 
> 
> Michel
> 
> -----Original Message-----
> From: John C. Day [mailto:JCDay@JCDay.com]
> Sent: Wednesday, August 30, 2000 6:03 PM
> To: Strahm, Bill; ipsec@lists.tislabs.com
> Subject: RE: Looking for info on ipsec passthrough (or passthru?)
> 
> 
> Thanks for the response, Bill.
> 
> What I'm looking for is something which will enable me to use an IPSec VPN
> client (Cisco/Altiga) from a privately addressed machine at home which sits
> behind the Linksys device which in turn is connected to my DSL bridge. The
> VPN server sits (or will sit, to be more accurate - it's ordered but not in
> hand yet) on our corporate DMZ.
>
> Would you guess this passthru feature enables such a connection? I.e., it
> NATs everything other than what it sees on the VPN port? While a hack, that
> would seem to accomplish what we need. Is there a better way to do it? Thanks.
> 
> John
> 
> 
> 
> 
> At 08:45 AM 8/30/00, you wrote:
> >Ok, I looked it up and think I know what "passthru" is.
> >
> >Getting IPsec through NAT is a VERY hard problem.  There isn't an easy way
> >of associating (on the wire) that a packet with an SPI of this value needs
> >to be demultiplexed to this destination because a packet with another SPI
> >went through the NAT gateway...
> >
> >Passthru is one way of solving this, basically saying all IPsec traffic
> >flows through the NAT to this 1 destination.
> >
> >Passthru is a hack until something like RSIP becomes a reality.
> >
> >Bill
> >
> >______________________________________________
> >Bill Strahm        Programming today is a race between
> >bill.strahm@      software engineers striving to build
> >intel.com           bigger and better idiot-proof programs,
> >(503) 264-4632   and the Universe trying to produce
> >             bigger and better idiots.  So far, the
> >                         Universe is winning.--Rich Cook
> >I am not speaking for Intel.  And Intel rarely speaks for me
> >
> >
> > > -----Original Message-----
> > > From: John C. Day [mailto:JCDay@JCDay.com]
> > > Sent: Tuesday, August 29, 2000 3:56 PM
> > > To: ipsec@lists.tislabs.com
> > > Subject: Looking for info on ipsec passthrough (or passthru?)
> > >
> > >
> > > Greetings.  I'm poking around looking for information on "IPSec passthru",
> > > which I saw mentioned on http://www.linksys.com ("Firmware upgrade - IPSec
> > > passthru now supported").
> > >
> > > I searched the archive files of
> > > ftp://ftp.tis.com/pub/lists/ipsec/ipsec.0001 through ipsec.0008 but I
> > > couldn't locate the string "passthr" anywhere in those.  I also checked
> > > rfc2401 without success, but I'm guessing it's a feature/spec that's been
> > > introduced recently.
> > >
> > > Using google I did find a couple of mentions of it in news groups, but I
> > > wasn't able to locate an rfc or other doc which describes what it's for and
> > > how it's to be implemented.
> > >
> > > Any pointers?   Thanks.
> > >
> > > John
> > >
> > > --
> > >
> > > John C. Day
> > > Gilroy, CA
> > > http://www.JCDay.com
> > >
> > >
> 
> 
> --
> 
> John C. Day
> Gilroy, CA
> http://www.JCDay.com
>
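
An added example, not part of the original thread: a toy Python model of the demultiplexing problem discussed above, comparing a plain NAT, single-host passthru, and ESP carried inside UDP. The `Nat` class, the inside addresses and the SPI values are constructed for illustration and do not describe any vendor's implementation.

```python
from dataclasses import dataclass, field
from typing import Optional

UDP, ESP = 17, 50  # IP protocol numbers


@dataclass
class Nat:
    """Toy NAT gateway: tracks UDP by port; ESP has no port to track."""
    passthru_host: Optional[str] = None         # one inside host for all ESP
    ports: dict = field(default_factory=dict)   # public port -> inside host
    next_port: int = 40000

    def outbound(self, inside_ip: str, proto: int) -> Optional[int]:
        """Record state for an outbound packet; return the public port, if any."""
        if proto == UDP:
            port, self.next_port = self.next_port, self.next_port + 1
            self.ports[port] = inside_ip
            return port
        # ESP: the outbound SPI identifies the remote peer's SA. Replies carry
        # a different SPI that the NAT never saw, so nothing is recorded.
        return None

    def inbound(self, proto: int, dst_port: Optional[int] = None,
                spi: Optional[int] = None) -> Optional[str]:
        """Return the inside host an inbound packet is delivered to, or None."""
        if proto == UDP:
            return self.ports.get(dst_port)
        # The SPI is visible on the wire but matches no state in the NAT.
        return self.passthru_host


def demo() -> dict:
    a, b = "192.168.1.10", "192.168.1.11"   # constructed inside hosts
    spi_a, spi_b = 0x1000A, 0x1000B         # constructed inbound SPIs
    plain, passthru, encap = Nat(), Nat(passthru_host=a), Nat()
    for host in (a, b):                     # both hosts start raw ESP sessions
        plain.outbound(host, ESP)
        passthru.outbound(host, ESP)
    port_a, port_b = encap.outbound(a, UDP), encap.outbound(b, UDP)
    return {
        "plain": [plain.inbound(ESP, spi=spi_a), plain.inbound(ESP, spi=spi_b)],
        "passthru": [passthru.inbound(ESP, spi=spi_a),
                     passthru.inbound(ESP, spi=spi_b)],
        "udp_encap": [encap.inbound(UDP, port_a), encap.inbound(UDP, port_b)],
    }


if __name__ == "__main__":
    print(demo())
```

With passthru, the second host's replies are delivered to the first host, which is why it only works for one inside IPsec endpoint at a time.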