[Users] Re: [Design] mast(4)

From: John S. Denker <jsd(at)monmouth.com>
Date: Fri Mar 14 2003 - 15:07:02 EST

On 03/14/2003 02:34 PM, Jim Carter wrote:

> warrior <-------> NATbox <-----> ipsec-GW <-----> anywhere
> 192.168.0.1/32    4.3.2.1      | 128.97.4.250
> warrior2 <------> NATbox2 <----|
> 192.168.0.1/32    5.6.7.8
>

> >Isn't this just the usual IPsec NAT-traversal situation?

OK, I understand the question now.

This could also be well handled using present-day technology, in tunnel mode.

OTOH if the warriors are too dumb to give themselves distinct private side addresses (also known as virtual IPs) -- perhaps because they are using transport mode -- then you've got a problem.

The technique of letting the IPsec gw arbitrarily impute a private-side address to each warrior, as proposed in
http://www.monmouth.com/~jsd/vpn/ipsec+routing/mast.htm#sec-transport-pvt
should help a lot, as Jim observed earlier.

We can call this a "transport-mode private IP address" or "transport-mode virtual IP address".



Users mailing list
Users@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
Received on Fri Mar 14 18:10:23 2003
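
Added illustration (not part of the original message, and not FreeS/WAN or mast code): a toy Python model of the gateway's return-path lookup, using the addresses from the diagram above. The Gateway class, the 10.99.0.0/24 pool and keying each warrior on its NAT box's outer address are assumptions made for the example.

```python
import ipaddress


class Gateway:
    """Toy model of the gateway's return-path lookup; not FreeS/WAN code."""

    def __init__(self, pool_cidr):
        # Assumed pool from which the gateway imputes private-side addresses.
        self._pool = iter(ipaddress.ip_network(pool_cidr).hosts())
        self.by_claimed = {}   # address the warrior gave itself -> [outer addresses]
        self.by_imputed = {}   # gateway-imputed address -> outer address
        self.imputed_for = {}  # outer address -> gateway-imputed address

    def add_peer(self, outer, claimed):
        """Register a warrior seen at `outer` whose own address is `claimed`."""
        outer = ipaddress.ip_address(outer)
        claimed = ipaddress.ip_address(claimed)
        if outer in self.imputed_for:  # a returning peer keeps its address
            return self.imputed_for[outer]
        self.by_claimed.setdefault(claimed, []).append(outer)
        imputed = next(self._pool, None)
        if imputed is None:
            raise RuntimeError("imputed-address pool exhausted")
        self.by_imputed[imputed] = outer
        self.imputed_for[outer] = imputed
        return imputed

    def route_by_claimed(self, dst):
        """Return-path lookup keyed on the warrior's own address."""
        peers = self.by_claimed.get(ipaddress.ip_address(dst), [])
        if len(peers) != 1:
            raise LookupError(f"{dst} matches {len(peers)} peers")
        return peers[0]

    def route_by_imputed(self, dst):
        """Return-path lookup keyed on the gateway-assigned address."""
        return self.by_imputed[ipaddress.ip_address(dst)]


if __name__ == "__main__":
    gw = Gateway("10.99.0.0/24")  # constructed pool
    for outer in ("4.3.2.1", "5.6.7.8"):  # NATbox and NATbox2 in the diagram
        imputed = gw.add_peer(outer, "192.168.0.1")
        print(outer, "->", imputed, "->", gw.route_by_imputed(imputed))
    try:
        gw.route_by_claimed("192.168.0.1")
    except LookupError as exc:
        print("keyed on the warrior's own address:", exc)
```

Two warriors behind one NAT box would share an outer address, so a gateway following this model would need a finer key than the outer address alone.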

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:00:51 EDT
