
RE: Looking for info on ipsec passthrough (or passthru?)



Bill,

It's an Altiga / Cisco proprietary solution. Check out the link to the pdf.

Some information about it is in 12-11 of this user guide.



Kind Regards,


Michel de Koning
Tel:     +31 341 37 5427
Fax:     +31 341 37 5433
Mobile:  +31 651 44 68 51
E-mail:  mdkoning@vanenburg.com


-----Original Message-----
From: Strahm, Bill [mailto:bill.strahm@intel.com]
Sent: Thursday, August 31, 2000 5:57 PM
To: 'Michel de Koning'; 'John C. Day'; Strahm, Bill;
ipsec@lists.tislabs.com
Subject: RE: Looking for info on ipsec passthrough (or passthru?)


Ok, I am confused... IPsec uses ESP or AH packets, not TCP or UDP (they can
be encapsulated of course)

What do you mean by your first paragraph ???

Bill

______________________________________________
Bill Strahm
bill.strahm@intel.com
(503) 264-4632

Programming today is a race between software engineers striving to build
bigger and better idiot-proof programs, and the Universe trying to produce
bigger and better idiots.  So far, the Universe is winning. --Rich Cook
I am not speaking for Intel.  And Intel rarely speaks for me


> -----Original Message-----
> From: Michel de Koning [mailto:mdkoning@vanenburg.com]
> Sent: Wednesday, August 30, 2000 1:59 PM
> To: 'John C. Day'; Strahm, Bill; ipsec@lists.tislabs.com
> Subject: RE: Looking for info on ipsec passthrough (or passthru?)
> 
> 
> Hi John,
> 
> currently we are testing (playing with) an Altiga / Cisco 3000 vpn
> concentrator. It allows IPsec Passthru Nat. Haven't read everything yet,
> but the principle is that it uses UDP instead of TCP for the IPSec
> packets. As soon as we have tested it I will let you know.
> 
> Must say this Altiga box is really great so far, the bad thing is it does
> not support win2000 clients unless you use certificates, this because
> win2000 client does not support mode-config. Cisco says "the altiga client
> for win2000 will ship in october"......
> 
> Usually when Cisco buys something you have to wait for version 2 before it
> will really work :-), let's wait and see..
> 
> We had the Altiga up and running with NT4 using PPTP and after that IPSec
> within an afternoon. And this was before reading the documentation! Look at
> it I would say
> 
> 
> Michel
> 
> -----Original Message-----
> From: John C. Day [mailto:JCDay@JCDay.com]
> Sent: Wednesday, August 30, 2000 6:03 PM
> To: Strahm, Bill; ipsec@lists.tislabs.com
> Subject: RE: Looking for info on ipsec passthrough (or passthru?)
> 
> 
> Thanks for the response, Bill.
> 
> What I'm looking for is something which will enable me to use an IPSec VPN
> client (Cisco/Altiga) from a privately addressed machine at home which sits
> behind the Linksys device which in turn is connected to my DSL bridge.
> The VPN server sits (or will sit, to be more accurate - it's ordered but
> not in hand yet) on our corporate DMZ.
> 
> Would you guess this passthru feature enables such a connection?  I.e., it
> NATs everything other than what it sees on the VPN port?  While a hack,
> that would seem to accomplish what we need.  Is there a better way to do
> it?  Thanks.
> 
> John
> 
> 
> 
> 
> At 08:45 AM 8/30/00, you wrote:
> >Ok, I looked it up and think I know what "passthru" is.
> >
> >Getting IPsec through NAT is a VERY hard problem.  There isn't an easy way
> >of associating (on the wire) that a packet with an SPI of this value needs
> >to be demultiplexed to this destination because a packet with another SPI
> >went through the NAT gateway...
> >
> >Passthru is one way of solving this, basically saying all IPsec traffic
> >flows through the NAT to this 1 destination.
> >
> >Passthru is a hack until something like RSIP becomes a reality.
> >
> >Bill
> >
> >______________________________________________
> >Bill Strahm
> >bill.strahm@intel.com
> >(503) 264-4632
> >
> >Programming today is a race between software engineers striving to build
> >bigger and better idiot-proof programs, and the Universe trying to produce
> >bigger and better idiots.  So far, the Universe is winning. --Rich Cook
> >I am not speaking for Intel.  And Intel rarely speaks for me
> >
> >
> > > -----Original Message-----
> > > From: John C. Day [mailto:JCDay@JCDay.com]
> > > Sent: Tuesday, August 29, 2000 3:56 PM
> > > To: ipsec@lists.tislabs.com
> > > Subject: Looking for info on ipsec passthrough (or passthru?)
> > >
> > >
> > > Greetings.  I'm poking around looking for information on "IPSec
> > > passthru", which I saw mentioned on http://www.linksys.com ("Firmware
> > > upgrade - IPSec passthru now supported").
> > >
> > > I searched the archive files of ftp://ftp.tis.com/pub/lists/ipsec/ipsec.0001
> > > through ipsec.0008 but I couldn't locate the string "passthr" anywhere in
> > > those.   I also checked rfc2401 without success, but I'm guessing it's a
> > > feature/spec that's been introduced recently.
> > >
> > > Using google I did find a couple of mentions of it in news groups, but I
> > > wasn't able to locate an rfc or other doc which describes what it's for
> > > and how it's to be implemented.
> > >
> > > Any pointers?   Thanks.
> > >
> > > John
> > >
> > > --
> > >
> > > John C. Day
> > > Gilroy, CA
> > > http://www.JCDay.com
> > >
> > >
> 
> 
> --
> 
> John C. Day
> Gilroy, CA
> http://www.JCDay.com
> 




VPN
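
Added example, not part of any message in this thread and not Altiga/Cisco or Linksys code: a toy NAPT in Python showing the demultiplexing problem Bill describes, the passthru behaviour of sending all IPsec traffic to one inside host, and the UDP-wrapped case Michel mentions. The Napt class, addresses, ports and SPI values are constructed for illustration.

```python
# Toy NAPT model (illustrative assumption; addresses, ports, SPIs constructed).
ESP, UDP = 50, 17  # IP protocol numbers

class Napt:
    def __init__(self, public_ip, passthru=False):
        self.public_ip, self.passthru = public_ip, passthru
        self.ports = {}       # public UDP port -> (inside ip, inside port)
        self.esp_host = None  # the one inside host that passthru forwards to
        self.next_port = 40000

    def outbound(self, pkt):
        """Rewrite a packet leaving the private network."""
        out = dict(pkt, src=self.public_ip)
        if pkt["proto"] == UDP:
            key = (pkt["src"], pkt["sport"])
            pub = next((p for p, k in self.ports.items() if k == key), None)
            if pub is None:
                pub, self.next_port = self.next_port, self.next_port + 1
                self.ports[pub] = key
            out["sport"] = pub
        elif pkt["proto"] == ESP and self.passthru and self.esp_host is None:
            self.esp_host = pkt["src"]  # first inside IPsec speaker is pinned
        return out

    def inbound(self, pkt):
        """Inside destination IP, or None when the NAT cannot demultiplex."""
        if pkt["proto"] == UDP:
            hit = self.ports.get(pkt["dport"])
            return hit[0] if hit else None
        if pkt["proto"] == ESP:
            # ESP has no ports, and the SPI on inbound packets was never seen
            # on an outbound one, so there is nothing to key a mapping on.
            return self.esp_host if self.passthru else None
        return None

def demo():
    pub, gw = "198.51.100.7", "203.0.113.10"
    a, b = "192.168.1.10", "192.168.1.11"
    plain, pinned = Napt(pub), Napt(pub, passthru=True)
    for nat in (plain, pinned):
        for host in (a, b):  # both inside hosts start ESP to the same gateway
            nat.outbound({"proto": ESP, "src": host, "dst": gw, "spi": 0x2000})
    to_b = {"proto": ESP, "src": gw, "dst": pub, "spi": 0x0B0B}  # meant for b
    plain.outbound({"proto": UDP, "src": a, "sport": 5000, "dst": gw})
    pb = plain.outbound({"proto": UDP, "src": b, "sport": 5000, "dst": gw})
    return {"plain_esp": plain.inbound(to_b),      # no mapping: dropped
            "passthru_esp": pinned.inbound(to_b),  # delivered to a, not b
            "udp_wrapped": plain.inbound({"proto": UDP, "dport": pb["sport"]})}
```

Calling demo() shows that passthru only works for a single inside IPsec host, while the UDP-wrapped traffic is demultiplexed per host by port.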