I have been reading that companies like Linksys and D-Link sell those cheap
home broadband routers that now support IPsec passthru.  I take it that
means that one of your PCs can use VPN client software to build an IPsec
tunnel to a corporate network.

So how does this passthru thing work exactly?  It would seem to me to
violate the cherished notion that NAPT (which is what is performed by these
little routers to allow multiple home PCs to access the same broadband
link) should never be used after IPsec.

More specifically, I take it that most of those VPN client software setups
are using ESP transport mode.  OK, so how exactly do these routers perform
NAPT on an ESP transport connection?  I suppose there really is no "port
translation" anymore, because the TCP/UDP port numbers are protected by ESP
and cannot be changed without compromising the integrity of the IPsec
tunnel.  So perhaps SPIs are used by the router to demux; otherwise that
would imply that there could only be one IPsec tunnel going through the
router at a given instant (because if SPIs are not used, and you had two
PCs in your house and both were doing VPNs, then how would the router know
which VPN return traffic goes to which PC?).

Also I see a problem with the TCP/UDP header checksum, because it is
calculated based on the entire header (the "pseudo-header"), which must
necessarily change because of the NAT (IP addresses must be changed from
private to public addresses).  And of course you cannot repair the TCP/UDP
checksum because it is protected by ESP.  So I take it the corporate VPN
terminator must have TCP/UDP checksums turned off, is that true?

Am I just way off-base here?  Does anybody know what is the real deal with
these little routers doing "pass-thru"?  Is it just more marketing bull?

Thanks in advance

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9473&t=9473
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
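The two mechanics the post asks about, worked through as an added example that is not part of the original post and is not any vendor's firmware: a pure-Python model of an ESP passthrough table keyed on the 32-bit SPI (with the simplifying assumption, labelled in the code, that the router binds a gateway's reply SPI to the one inside host waiting on that gateway and drops inbound ESP it cannot attribute), and an RFC 793 TCP checksum computed over the pseudo-header and verified as the PC sent it and again as the gateway would see it after the router rewrites the outer source address. All addresses, SPIs and the payload are constructed.

```python
"""Added example (not from the original post): a toy model of the two things a
NAPT router must cope with when it passes ESP (IP protocol 50), which has no ports.
Addresses, SPIs and payload are constructed; this is no vendor's implementation."""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

INSIDE_PC_A = "192.168.1.10"  # constructed RFC 1918 addresses behind the router
INSIDE_PC_B = "192.168.1.11"
ROUTER_WAN = "198.51.100.1"   # constructed public address the router rewrites to
VPN_GATEWAY = "203.0.113.5"   # constructed corporate VPN terminator


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """RFC 793 pseudo-header: source, destination, zero, protocol 6, TCP length."""
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, tcp_len))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum the sender writes into bytes 16..18 of the TCP header."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    cs = ~ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + zeroed) & 0xFFFF
    return cs or 0xFFFF  # a computed zero is transmitted as all ones


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver check: the sum over pseudo-header plus whole segment must be all ones."""
    return ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal TCP header (no options) plus payload, with the checksum filled in."""
    segment = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]


def transport_mode_checksum_under_nat() -> Tuple[bool, bool]:
    """(valid as the PC sent it, valid as the gateway sees it after NAT). In ESP
    transport mode the segment is inside the ESP payload, so the router can only
    rewrite the outer source address; the gateway verifies against that address."""
    segment = build_tcp_segment(INSIDE_PC_A, VPN_GATEWAY, 51000, 443, b"GET / HTTP/1.1\r\n")
    return (tcp_checksum_ok(INSIDE_PC_A, VPN_GATEWAY, segment),
            tcp_checksum_ok(ROUTER_WAN, VPN_GATEWAY, segment))


class EspPassthrough:
    """SPI-keyed tracking table for ESP on a NAPT router (simplified model).
    An SA's SPI is chosen by its receiver, so the SPI on a PC's outbound packets
    (picked by the gateway) differs from the SPI on the replies (picked by the PC).
    Assumption: the router binds a reply SPI to the single inside host waiting on
    that gateway, and drops inbound ESP it cannot attribute to a host."""

    def __init__(self) -> None:
        self.learned: Dict[Tuple[str, int], str] = {}  # (gateway, reply SPI) -> inside host
        self.pending: Dict[str, List[str]] = {}        # gateway -> hosts awaiting a reply SPI

    def outbound(self, inside_ip: str, gateway_ip: str, spi: int) -> str:
        """Inside -> Internet. `spi` belongs to the gateway's SA; useless for replies."""
        known = any(g == gateway_ip and h == inside_ip for (g, _), h in self.learned.items())
        waiting = self.pending.setdefault(gateway_ip, [])
        if not known and inside_ip not in waiting:
            waiting.append(inside_ip)
        return ROUTER_WAN  # the public address the outer source becomes

    def inbound(self, gateway_ip: str, spi: int) -> Optional[str]:
        """Internet -> inside. Returns the host to deliver to, or None to drop."""
        host = self.learned.get((gateway_ip, spi))
        if host is not None:
            return host
        waiting = self.pending.get(gateway_ip, [])
        if len(waiting) == 1:  # unambiguous: bind this reply SPI to the waiting host
            host = waiting.pop()
            self.learned[(gateway_ip, spi)] = host
            return host
        return None  # nobody waiting, or two hosts racing: cannot demux


def two_pcs_one_gateway() -> Dict[str, Optional[str]]:
    """PC A and PC B each build a tunnel to one gateway; then two more PCs race."""
    nat = EspPassthrough()
    nat.outbound(INSIDE_PC_A, VPN_GATEWAY, 0xA0000001)   # outbound SPI chosen by the gateway
    a_first = nat.inbound(VPN_GATEWAY, 0x00001111)        # reply SPI chosen by PC A
    nat.outbound(INSIDE_PC_B, VPN_GATEWAY, 0xB0000002)
    b_first = nat.inbound(VPN_GATEWAY, 0x00002222)
    a_later = nat.inbound(VPN_GATEWAY, 0x00001111)        # interleaved return traffic
    nat.outbound("192.168.1.12", VPN_GATEWAY, 0xC0000003)  # two PCs negotiate at once
    nat.outbound("192.168.1.13", VPN_GATEWAY, 0xD0000004)
    raced = nat.inbound(VPN_GATEWAY, 0x00003333)
    return {"a_first": a_first, "b_first": b_first, "a_later": a_later, "raced": raced}
```

Running `transport_mode_checksum_under_nat()` returns `(True, False)`: the checksum the PC computed over its private address no longer verifies once the outer source address has been rewritten, and nothing on the router can repair a field inside the ESP payload. `two_pcs_one_gateway()` shows the SPI table delivering two PCs' return traffic correctly as long as their tunnels come up one at a time, and returning `None` (drop) when two PCs negotiate to the same gateway at once, because the reply SPI is new to the router and two hosts are waiting for it. How a given router resolves that race is implementation-specific; this model simply refuses to guess.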