I've heard it called "NAT Transparent IPSec", which is similar. I can't
meaningfully parse "transparent NAT".

UDP encapsulation takes the "internal" IPSec packet, say with a
192.168.x.x address, bundles it up in a UDP packet, and then sends it.
The NAT devices then do their evil things to the outside layer, but at
the end of all that messing around, the gateway at the other end removes
the UDP shell and looks at the IPSec packet inside. This means that ESP
and AH will both work equally well, since it means that, as far as the
VPN gateway is concerned, no NAT has ever taken place.

So, UDP encapsulation is obviously useful (and in discussion for
addition to the core protocol), but adds considerable packet overhead
and some latency.

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304 


> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of Clifford Thurber
> Sent: Saturday, March 23, 2002 8:59 AM
> To: H. Morrow Long; Josh Welch
> Cc: [EMAIL PROTECTED]
> Subject: Re: Cisco Client behind Checkpoint FW-1
> 
> Is this what I have heard referred to as "transparent NAT"? Also thought
> that this type of UDP encapsulation only worked with ESP even still? Maybe
> that's a Checkpoint centric perspective though.
> 
> Cliff
[...]
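Ben's encapsulate / NAT / strip-the-shell flow above, as an added Python example that is not part of the thread: the ESP packet's integrity tag covers only ESP bytes, so after the NAT rewrites the outer IPv4/UDP layer the far gateway removes the shell and still sees an unmodified, verifiable packet. The key, addresses, SPI and the truncated-HMAC stand-in for the ESP ICV are all constructed for the demo.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed; a real SA key comes from IKE
NAT_T_PORT = 4500              # UDP port used for UDP-encapsulated ESP (RFC 3948)

def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """The 'internal' IPsec packet: SPI | seq | payload | 96-bit ICV.
    The ICV covers ESP bytes only, never the outer header that carries it."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:12]

def verify_esp(esp: bytes) -> bool:
    body, icv = esp[:-12], esp[-12:]
    return hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).digest()[:12], icv)

def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def udp_encapsulate(esp: bytes, src: str, dst: str) -> bytes:
    """Wrap the ESP packet in the UDP 'shell' plus an outer IPv4 header.
    UDP checksum 0 means 'none', which IPv4 permits."""
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64,
                     17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp

def nat_rewrite(pkt: bytes, public_ip: str, public_port: int) -> bytes:
    """What the NAT does to the outside layer: new source address and
    source port, outer IP checksum recomputed. Bytes past the UDP header
    are not touched, so the ESP packet inside survives intact."""
    ip = pkt[:10] + b"\x00\x00" + socket.inet_aton(public_ip) + pkt[16:20]
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + struct.pack("!H", public_port) + pkt[22:]

def decapsulate(pkt: bytes) -> bytes:
    """Far-end gateway: strip IPv4 + UDP and look at the ESP packet inside."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + 8:]

def shell_overhead(esp: bytes, encapsulated: bytes) -> int:
    """Bytes added per packet by the outer IPv4 + UDP shell (8 of them UDP)."""
    return len(encapsulated) - len(esp)
```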

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls