>
> How are you establishing sessions? Manual keying: will generally
> work (but is so insecure you're wasting your time) IKE: might
> possibly work.
>
> What IKE authentication are you using? Pre-shared secrets: won't ever
> work. Raw public keys: won't ever work. Certificates: might
> possibly work.
OK, most of the rest made perfect sense, but you lost me here. Why will NAT
break IKE?
As long as your endpoints have entries for the NAT'ed IP address of the peer
and whatever auth criteria they need, shouldn't it Just Work? There's no IP
address info communicated inside the IKE packets, AFAIK?
The other thing that confused me was why ESP should work in Tunnel mode but
not Transport mode. All host implementations will be using transport mode,
neh? There's very little difference between them that NAT should care about
- neither of them cover the IP header in their auth section, and the ESP
itself doesn't contain any IP addresses.
>
> (shouldn't this qualify as the most-frequently-asked IPSEC question?)
Yes. ;)
>
> jms
>
>
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
> [EMAIL PROTECTED] http://www.opus1.com/jms Opus One
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
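On the transport-versus-tunnel question raised above, as an added illustration that is not part of the thread: the NAT-sensitive field in ESP transport mode is not the IP header (ESP indeed does not authenticate it) but the TCP checksum, which is computed over a pseudo-header containing the original addresses and then travels encrypted, so a NAT that rewrites the outer header cannot fix it up; in tunnel mode the original header rides inside the payload and is untouched. The simulation below is constructed for this reply: ESP is modelled as an opaque payload, and the addresses are RFC 5737 documentation addresses.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))
def pseudo_header(src_ip: str, dst_ip: str, seg: bytes) -> bytes:
    # The TCP pseudo-header binds the segment to the IP addresses it was sent with.
    return ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(seg))

def tcp_segment(src_ip: str, dst_ip: str, payload: bytes = b"GET / HTTP/1.0\r\n") -> bytes:
    """Minimal TCP header (40000 -> 80, PSH/ACK) with a valid checksum at offset 16."""
    seg = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, seg) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def tcp_checksum_ok(src_ip: str, dst_ip: str, seg: bytes) -> bool:
    return inet_checksum(pseudo_header(src_ip, dst_ip, seg) + seg) == 0

# ESP is modelled as an opaque payload: a NAT can read and rewrite the outer
# header but cannot see, let alone patch, anything inside "esp".
def esp_transport(src: str, dst: str, seg: bytes) -> dict:
    return {"src": src, "dst": dst, "esp": seg}

def esp_tunnel(src: str, dst: str, seg: bytes) -> dict:
    return {"src": src, "dst": dst, "esp": (src, dst, seg)}  # inner IP header rides inside

def nat_rewrite(pkt: dict, public_ip: str) -> dict:
    return {**pkt, "src": public_ip}  # outer header only; no checksum fix-up is possible

def receive_transport(pkt: dict) -> bool:
    # Transport mode: the outer, NAT-rewritten addresses are the only ones the receiver has.
    return tcp_checksum_ok(pkt["src"], pkt["dst"], pkt["esp"])

def receive_tunnel(pkt: dict) -> bool:
    inner_src, inner_dst, seg = pkt["esp"]  # decapsulate; the inner header was never touched
    return tcp_checksum_ok(inner_src, inner_dst, seg)

def demo() -> tuple:
    """Returns (transport_ok, tunnel_ok) for one segment sent through the same NAT."""
    host, peer, nat_ip = "10.0.0.5", "203.0.113.9", "198.51.100.1"  # constructed addresses
    seg = tcp_segment(host, peer)
    transport = nat_rewrite(esp_transport(host, peer, seg), nat_ip)
    tunnel = nat_rewrite(esp_tunnel(host, peer, seg), nat_ip)
    return receive_transport(transport), receive_tunnel(tunnel)
```

Running `demo()` returns `(False, True)`: the transport-mode segment fails its checksum at the receiver, the tunnel-mode one passes.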