Re: linux-ipsec: IPSec Masquerade

From: Michael Richardson <mcr(at)solidum.com>
Date: Thu Jan 14 1999 - 14:23:41 EST

>>>>> "John" == John D Hardin <jhardin@wolfenet.com> writes:

    John> I've recently been asked to look into support for IP Masquerade for
    John> the IPSec protocols. From my reading of IPSec books, IETF drafts and
    John> the freeswan materials it only looks like this is possible for the ESP
    John> protocol, as there's a cryptographic checksum across the IP addresses
    John> in AH packets.

  This is partly correct.
  You clearly cannot easily support more than one host behind the NAT box. You also are not permitted to change the SPI values. The best thing that you could do would be to go to the NAT WG and read the drafts on Host-NAT and Distributed-NAT.

    John> And the important question if nobody has done this yet: for a given
    John> session, is the same SPI used in ESP packets in both directions? If

  No. The SPIs are also required to be random, and are protected by a cryptographic checksum.
  In addition, NAT will not work with ISAKMP (pluto/dwight) without a lot of policy tweaks. Look at Host-NAT instead. That would be a *major* value add for Linux-Ipsec over other implementations.

   :!mcr!: | Solidum Systems Corporation, http://www.solidum.com
   Michael Richardson |For a better connected world,where data flows faster<tm>
   Personal: mcr@sandelman.ottawa.on.ca. PGP key available.
   Corporate: mcr@solidum.com.

Received on Thu Jan 14 15:04:23 1999
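As an added example (not part of the original post, and not FreeS/WAN or Linux IP Masquerade code), the Python sketch below computes the AH and ESP integrity check values the way RFC 2402 and RFC 2406 define them, using HMAC-SHA1-96 (RFC 2404), and then applies the rewrites a plain router and a masquerading NAT box would make. It shows the point made in the thread: AH covers the source and destination addresses, so masquerading breaks its ICV (while a router's TTL decrement does not, because TTL is a mutable field that is zeroed before hashing); ESP does not cover the outer IP header, so address rewriting is invisible to it; and both protocols cover the SPI, so a NAT box may not renumber it. The key, addresses and payload are constructed for the example, and ESP encryption is omitted because it does not change which fields the ICV protects.

```python
"""AH vs. ESP integrity coverage under NAT (added example, constructed data)."""
import hashlib
import hmac
import struct

ICV_LEN = 12                 # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits
AH_PROTO, ESP_PROTO = 51, 50
IP_FMT = "!BBHHHBBH4s4s"     # 20-byte IPv4 header without options


def ipaddr(dotted):
    return bytes(int(o) for o in dotted.split("."))


def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0, frag=0, csum=0):
    """Minimal IPv4 header; the checksum is left at 0 since AH zeroes it anyway."""
    return struct.pack(IP_FMT, 0x45, tos, total_len, 0x1234, frag, ttl, proto,
                       csum, ipaddr(src), ipaddr(dst))


def ah_icv(key, ip_hdr, spi, seq, payload, next_hdr):
    """AH ICV per RFC 2402 section 3.3.3.1.  Mutable IP fields (TOS, flags and
    fragment offset, TTL, header checksum) are zeroed before hashing; source and
    destination addresses are immutable and therefore covered, which is exactly
    what a masquerading NAT box has to rewrite."""
    ver_ihl, _tos, total_len, ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IP_FMT, ip_hdr)
    zeroed = struct.pack(IP_FMT, ver_ihl, 0, total_len, ident, 0, 0, proto, 0, src, dst)
    # AH header: next header, payload length (32-bit words minus 2), reserved,
    # SPI, sequence number, then the ICV field itself zeroed for the calculation.
    payload_len = (12 + ICV_LEN) // 4 - 2
    ah_hdr = struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + bytes(ICV_LEN)
    return hmac.new(key, zeroed + ah_hdr + payload, hashlib.sha1).digest()[:ICV_LEN]


def esp_icv(key, spi, seq, esp_payload):
    """ESP ICV per RFC 2406 section 2.7: covers SPI, sequence number and the
    payload (with its padding, pad length and next header).  There is no IP
    header argument because the outer header is never an input to the ICV."""
    return hmac.new(key, struct.pack("!II", spi, seq) + esp_payload,
                    hashlib.sha1).digest()[:ICV_LEN]


def nat_results():
    """Build one AH and one ESP datagram, apply the rewrites a router or a
    masquerading NAT box would make, and report which ICVs still verify."""
    key = b"constructed-demo-key-not-from-post"   # constructed for the example
    payload = b"GET / HTTP/1.0\r\n\r\n"            # constructed inner data
    spi, seq = 0x0000A5A5, 7
    total = 20 + 12 + ICV_LEN + len(payload)

    orig = ipv4_header("192.168.1.10", "203.0.113.5", AH_PROTO, total)
    ah_orig = ah_icv(key, orig, spi, seq, payload, next_hdr=6)
    # A plain router only decrements TTL (and fixes the checksum): both mutable.
    routed = ipv4_header("192.168.1.10", "203.0.113.5", AH_PROTO, total, ttl=63)
    # A masquerading NAT box also replaces the private source with its public one.
    masq = ipv4_header("198.51.100.1", "203.0.113.5", AH_PROTO, total, ttl=63)

    esp_orig = esp_icv(key, spi, seq, payload)
    return {
        "ah_survives_router": hmac.compare_digest(
            ah_orig, ah_icv(key, routed, spi, seq, payload, 6)),
        "ah_survives_masquerade": hmac.compare_digest(
            ah_orig, ah_icv(key, masq, spi, seq, payload, 6)),
        "ah_survives_spi_rewrite": hmac.compare_digest(
            ah_orig, ah_icv(key, orig, spi ^ 1, seq, payload, 6)),
        # The masqueraded outer header is not an input to esp_icv at all.
        "esp_survives_masquerade": hmac.compare_digest(
            esp_orig, esp_icv(key, spi, seq, payload)),
        # ...but the SPI is inside the ICV, so a NAT box may not renumber it.
        "esp_survives_spi_rewrite": hmac.compare_digest(
            esp_orig, esp_icv(key, spi ^ 1, seq, payload)),
    }


if __name__ == "__main__":
    for name, ok in nat_results().items():
        print(f"{name:26s} {'ICV verifies' if ok else 'ICV FAILS'}")
```

Run stand-alone, the script reports that only the router case and the ESP address-rewrite case still verify; the two SPI-rewrite cases fail for both protocols, which is the reason the reply says the NAT box is not permitted to change SPI values.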

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:29 EDT

