It is indeed a Nortel Contivity box. I didn't think that the contivity
client used AH, but maybe it is so. I'll have to check the Nortel web site,
and with my administrator.
Thanks,
Warner Sterling
-----Original Message-----
From: David Ranch [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 17, 2001 3:35 AM
To: Warner S. Sterling; [EMAIL PROTECTED]
Subject: Re: [Masq] setting up Nortel IPSec client on Win 98 via linux 2.2.14 (Redhat)
>Are there any known bugs or fixes that I'm not aware of?
What kind of IPSEC server are you trying to connect to?
Is it a Nortel Contivity box? If so, (as I understand it) there
is NO way to get a working Nortel IPSEC tunnel running behind
ANY form of a NAT system.
Intro:
Basically, there are two kinds of IPsec VPNs out there.
ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
(towards the bottom)
--
The IPsec AH protocol (51/ip) incorporates a cryptographic checksum including
the IP addresses in the IP header. Since masquerading changes those IP
addresses and since the cryptographic checksum cannot be recalculated by the
masquerading firewall, the masqueraded packets will fail the checksum test and
will be discarded by the remote IPsec gateway. Therefore, IPsec VPNs that use
the AH protocol cannot be successfully masqueraded. Sorry. (ESP with
authentication can be masqueraded.)
--
From my understanding, the Contivity box does NOT support ESP-only
mode. The feature request is ALREADY in and they have told customers
that the feature is coming but I don't know when. Check with your
admin and see what he/she says.
--David
.----------------------------------------------------------------------------.
| David A. Ranch - Linux/Networking/PC hardware            [EMAIL PROTECTED] |
!---- ------------------------------------------------------------------- ---!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
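The quoted explanation is exactly what the AH integrity check value (ICV) scope produces in practice. The following added example (not part of this thread or of any Nortel or Linux masquerade code) builds a minimal IPv4+AH packet, computes an HMAC-SHA1-96 ICV the way RFC 2402/2404 scope it (mutable header fields zeroed, addresses left in), then simulates what a masquerading firewall does: rewrite the source address and fix the IP checksum. AH verification fails after that rewrite but still passes after a TTL decrement, which is the ordinary in-transit change AH was designed to tolerate. An ESP packet whose ICV covers only the ESP header and payload survives the same rewrite. The key, addresses and payload are constructed sample values; ESP encryption is not performed (the ciphertext is treated as opaque bytes) because only the ICV scope matters here.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51
ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404) truncates the 20-byte digest to 96 bits

# Constructed demo key; a real SA key comes out of the IKE negotiation.
SA_KEY = b"constructed-demo-key-not-from-ike"


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement IPv4 header checksum (computed with the checksum field zeroed)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options), DF set, with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_ipv4(hdr: bytes) -> bytes:
    """RFC 2402 3.3.3.1: TOS, flags/fragment offset, TTL and header checksum are mutable
    and are zeroed before the ICV is computed. Source/destination addresses are NOT
    zeroed, so any NAT rewrite of them invalidates the ICV."""
    b = bytearray(hdr)
    b[1] = 0                 # TOS
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, payload: bytes,
                    next_header: int = 17, spi: int = 0x1000, seq: int = 1):
    """Return (ip_hdr, ah_hdr, payload); ah_hdr ends with a valid ICV."""
    ah_len = 12 + ICV_LEN                      # fixed AH fields + ICV = 24 bytes
    ah_no_icv = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    ip_hdr = build_ipv4_header(src, dst, IPPROTO_AH, ah_len + len(payload))
    icv = hmac_sha1_96(key, zero_mutable_ipv4(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload)
    return ip_hdr, ah_no_icv + icv, payload


def verify_ah(key: bytes, ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bool:
    """What the remote IPsec gateway does: recompute the ICV over the received packet."""
    ah_no_icv, icv = ah_hdr[:-ICV_LEN], ah_hdr[-ICV_LEN:]
    expected = hmac_sha1_96(key, zero_mutable_ipv4(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(expected, icv)


def build_esp_packet(key: bytes, src: str, dst: str, ciphertext: bytes,
                     spi: int = 0x2000, seq: int = 1):
    """ESP with authentication: the ICV covers SPI, sequence number and the
    (already encrypted) payload only, never the outer IP header."""
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac_sha1_96(key, esp_hdr + ciphertext)
    ip_hdr = build_ipv4_header(src, dst, IPPROTO_ESP, len(esp_hdr) + len(ciphertext) + ICV_LEN)
    return ip_hdr, esp_hdr + ciphertext + icv


def verify_esp(key: bytes, esp_body: bytes) -> bool:
    return hmac.compare_digest(hmac_sha1_96(key, esp_body[:-ICV_LEN]), esp_body[-ICV_LEN:])


def nat_rewrite_source(ip_hdr: bytes, new_src: str) -> bytes:
    """What the masquerading firewall does: swap the source address, fix the IP checksum.
    It cannot touch the AH ICV because it does not hold the SA key."""
    b = bytearray(ip_hdr)
    b[12:16] = socket.inet_aton(new_src)
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b)))
    return bytes(b)


def decrement_ttl(ip_hdr: bytes) -> bytes:
    """What every ordinary router does; AH tolerates this because TTL is mutable."""
    b = bytearray(ip_hdr)
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b)))
    return bytes(b)


def demonstrate() -> dict:
    private, public, gateway = "192.168.1.10", "198.51.100.1", "203.0.113.5"  # constructed
    payload = b"constructed inner payload"
    ip_hdr, ah_hdr, data = build_ah_packet(SA_KEY, private, gateway, payload)
    esp_ip, esp_body = build_esp_packet(SA_KEY, private, gateway, b"opaque ciphertext bytes")
    return {
        "ah_before_nat": verify_ah(SA_KEY, ip_hdr, ah_hdr, data),
        "ah_after_ttl_decrement": verify_ah(SA_KEY, decrement_ttl(ip_hdr), ah_hdr, data),
        "ah_after_nat": verify_ah(SA_KEY, nat_rewrite_source(ip_hdr, public), ah_hdr, data),
        "esp_after_nat": verify_esp(SA_KEY, esp_body),  # outer header not covered
    }


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name}: {'accepted' if ok else 'dropped'}")
```

The masquerading host is in the same position as any attacker relative to the SA: it can rewrite the header and patch the IP checksum, but without the SA key it cannot produce a fresh ICV, so the gateway correctly drops the packet. That is the intended behaviour of AH, not a bug in the firewall, which is why the only remedies are an ESP-only mode on the gateway or placing the client outside the NAT.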