Hello,

I've been a lurker on this list for a little while, 
but I feel like piping up now. Hello everybody.

---- Ben Serebin <[EMAIL PROTECTED]> wrote:
> Also, now-a-days, most NATs don't break PPTP or
> IPSEC, so I don't think you really need to do this,
> unless this user plans on hosting servers or services
> on their network.

Unfortunately, NAT does break most types of IPSEC 
because of fundamental differences in design goals. 
NAT is all about packet mangling. IPSEC is all about 
packet integrity. Large chunks of IPSEC functionality 
can't handle this (ie, AH+transport, AH+tunnel, 
ESP+transport).

That said, you are correct that IPSEC might be 
possible if he is NOT expecting to ever act as a 
server (ie, he's initiating all the tunnels). Even 
so, this is only possible by using the ESP-tunnel 
mode, which means that the internal machine is 
receiving packets with both the internal NAT address 
(non-tunnel traffic) and the external address 
(traffic from the tunnel), and it has to be configured
not to be confused by that. In addition, outgoing 
tunnel negotiation means the internal machine has to 
have a routable external address it can use. This 
requires some fairly complicated work (I know this 
firsthand from work with a Linux Freeswan-based 
solution), and it's why most IPSEC providers suggest 
avoiding NAT if possible.

In short, I guess my point is that you should follow 
Ben's advice, avoid NAT if possible and just map a 
static IP to the other machine. Also, I don't know 
anything about PPTP. Anybody want to comment?

Yours,
Jake
--
NYCwireless - http://www.nycwireless.net/
Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/
Archives: http://lists.nycwireless.net/pipermail/nycwireless/
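The mode-by-mode behaviour Jake describes (AH breaks, ESP transport breaks, ESP tunnel survives when the inside host initiates) can be checked with a small model. The block below is an added example, not code from the post or from any IPsec implementation: it uses a minimal IPv4 header, a toy TCP segment with a real pseudo-header checksum, and HMAC-SHA256 standing in for the AH/ESP integrity check. ESP's encryption is not modelled; the point is only that the NAT cannot read or fix up anything after the IP header, so it leaves those bytes alone. Addresses and the key are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key for the simplified integrity checks below (not a real SA key).
KEY = b"constructed-demo-key"
ESP, AH, TCP = 50, 51, 6
IHL = 20  # IPv4 header length without options


def packed(addr):
    return ipaddress.IPv4Address(addr).packed


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; header checksum left 0 (mutable, irrelevant here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       packed(src), packed(dst))


def ones_complement(data):
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_packed, dst_packed, segment):
    """TCP checksum covers a pseudo-header that includes both IP addresses.
    Over a segment that already carries its checksum, the result is 0 when valid."""
    pseudo = src_packed + dst_packed + struct.pack("!BBH", 0, TCP, len(segment))
    return ones_complement(pseudo + segment)


def tcp_segment(src_packed, dst_packed, data):
    """Toy segment: src port, dst port, checksum, data (enough to show the pseudo-header)."""
    body = struct.pack("!HHH", 40000, 80, 0) + data
    return body[:4] + struct.pack("!H", tcp_checksum(src_packed, dst_packed, body)) + body[6:]


def ah_icv(ip_hdr, payload):
    """Simplified AH ICV: HMAC over the IP header with mutable fields (TTL, header
    checksum) zeroed, plus the payload. The source address is covered."""
    h = bytearray(ip_hdr)
    h[8] = 0
    h[10:12] = b"\0\0"
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()


def nat(pkt, public_src):
    """Source NAT as the middlebox sees it: rewrite the outer source address and, when
    the transport header is readable (plain TCP), fix up the TCP checksum. Anything
    behind an AH or ESP header is opaque to it and is forwarded untouched."""
    hdr, payload = pkt[:IHL], pkt[IHL:]
    new_src = packed(public_src)
    hdr = hdr[:12] + new_src + hdr[16:]
    if hdr[9] == TCP:
        seg = payload[:4] + b"\0\0" + payload[6:]
        payload = seg[:4] + struct.pack("!H", tcp_checksum(new_src, hdr[16:20], seg)) + seg[6:]
    return hdr + payload


def plain_tcp(src, dst, public_src, data):
    """Unprotected TCP: the NAT rewrites the address and the checksum, receiver is happy."""
    seg = tcp_segment(packed(src), packed(dst), data)
    wire = nat(ipv4_header(src, dst, TCP, IHL + len(seg)) + seg, public_src)
    hdr_rx, seg_rx = wire[:IHL], wire[IHL:]
    return tcp_checksum(hdr_rx[12:16], hdr_rx[16:20], seg_rx) == 0


def ah_transport(src, dst, public_src, data):
    """AH transport mode: the ICV covers the IP header, so the rewritten source fails it."""
    seg = tcp_segment(packed(src), packed(dst), data)
    hdr = ipv4_header(src, dst, AH, IHL + 32 + len(seg))
    wire = nat(hdr + ah_icv(hdr, seg) + seg, public_src)
    hdr_rx, icv_rx, seg_rx = wire[:IHL], wire[IHL:IHL + 32], wire[IHL + 32:]
    return hmac.compare_digest(icv_rx, ah_icv(hdr_rx, seg_rx))


def esp_transport(src, dst, public_src, data):
    """ESP transport mode: the ICV excludes the IP header, but the TCP checksum hidden
    inside ESP still binds the original source address, so the segment fails on arrival."""
    seg = tcp_segment(packed(src), packed(dst), data)
    icv = hmac.new(KEY, seg, hashlib.sha256).digest()
    hdr = ipv4_header(src, dst, ESP, IHL + len(seg) + 32)
    wire = nat(hdr + seg + icv, public_src)
    hdr_rx, seg_rx, icv_rx = wire[:IHL], wire[IHL:-32], wire[-32:]
    icv_ok = hmac.compare_digest(icv_rx, hmac.new(KEY, seg_rx, hashlib.sha256).digest())
    return icv_ok and tcp_checksum(hdr_rx[12:16], hdr_rx[16:20], seg_rx) == 0


def esp_tunnel(src, dst, public_src, gateway, data):
    """ESP tunnel mode: the whole inner packet is protected; the outer header is disposable."""
    seg = tcp_segment(packed(src), packed(dst), data)
    inner = ipv4_header(src, dst, TCP, IHL + len(seg)) + seg
    icv = hmac.new(KEY, inner, hashlib.sha256).digest()
    outer = ipv4_header(src, gateway, ESP, IHL + len(inner) + 32)
    wire = nat(outer + inner + icv, public_src)
    inner_rx, icv_rx = wire[IHL:-32], wire[-32:]
    icv_ok = hmac.compare_digest(icv_rx, hmac.new(KEY, inner_rx, hashlib.sha256).digest())
    ihdr, iseg = inner_rx[:IHL], inner_rx[IHL:]
    return icv_ok and tcp_checksum(ihdr[12:16], ihdr[16:20], iseg) == 0


if __name__ == "__main__":
    args = ("192.168.1.10", "198.51.100.7", "203.0.113.5")  # constructed private/dst/public
    data = b"GET / HTTP/1.0\r\n"
    print("plain TCP    ", plain_tcp(*args, data))
    print("AH transport ", ah_transport(*args, data))
    print("ESP transport", esp_transport(*args, data))
    print("ESP tunnel   ", esp_tunnel(*args, "198.51.100.1", data))
```

The tunnel case also shows why the inside host ends up with two identities: the outer packet leaves with the private source address and comes back addressed to whatever the NAT put there, while the inner packet carries the addresses the far end actually sees, which is the configuration headache the post describes.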
