An Illustrated Guide to IPsec
(http://www.unixwiz.net/techtips/iguide-ipsec.html) reads as follows:

AH and NAT — Not Gonna Happen

Though AH provides very strong protection of a packet's contents because it
covers *everything* that can be possibly considered immutable, this
protection comes at a cost: AH is incompatible with NAT (Network Address
Translation).

NAT is used to map a range of private addresses (say, 192.168.1.X) to and
from a (usually) smaller set of public addresses, thereby reducing the demand
for routable, public IP space. In this process, the IP header is actually
modified on the fly by the NAT device to change the source and/or
destination IP address.


If a NAT device (for example, Ubuntu configured as an iptables firewall)
cannot read the packet's internals, how can it forward the IPsec packet to the
correct source/destination? I am confused here. Please guide.

Secondly, strongSwan has support for NAT. Is this a distinguishing factor,
or can it be achieved via iptables? We are trying to evaluate what we will
lose if we do not opt for strongSwan.


Thanks.

From phone, thus brief.
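As an added illustration of the guide's point (example code written for this thread, not from the guide, strongSwan or opennhrp): the AH integrity check simulated in Python over a minimal IPv4+AH packet. A router decrementing TTL (a mutable field, zeroed before the ICV is computed) leaves the packet valid, while a NAT rewrite of the source address (an immutable field, covered by the ICV) invalidates it. The key, addresses, SPI and payload are constructed sample values.

```python
import hmac, hashlib, socket, struct

# Constructed sample key; in practice it is negotiated by IKE.
KEY = b"constructed-sample-key-not-real"

def ipv4_header(src, dst, ttl=64, tos=0, proto=51, total_len=60, ident=0x1234):
    """Build a 20-byte IPv4 header carrying AH (proto 51); checksum left at 0."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0x4000  # DF set, fragment offset 0
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident,
                       flags_frag, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable_fields(ip_hdr):
    """Zero the fields RFC 4302 treats as mutable: TOS, flags/frag, TTL, checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)           # note: src (12:16) and dst (16:20) stay covered

def ah_header(spi, seq, icv=b"\x00" * 12):
    # next header = TCP (6); payload len = AH length in 32-bit words minus 2 = 4
    return struct.pack("!BBHII", 6, 4, 0, spi, seq) + icv

def compute_icv(ip_hdr, spi, seq, payload):
    """HMAC-SHA1-96 over immutable IP fields, AH header with zeroed ICV, payload."""
    data = zero_mutable_fields(ip_hdr) + ah_header(spi, seq) + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def build_ah_packet(src, dst, spi, seq, payload, ttl=64):
    ip = ipv4_header(src, dst, ttl=ttl, total_len=20 + 24 + len(payload))
    return ip + ah_header(spi, seq, compute_icv(ip, spi, seq, payload)) + payload

def verify_ah_packet(pkt):
    """Receiver-side check: recompute the ICV and compare in constant time."""
    ip, ah, payload = pkt[:20], pkt[20:44], pkt[44:]
    spi, seq = struct.unpack("!II", ah[4:12])
    return hmac.compare_digest(ah[12:24], compute_icv(ip, spi, seq, payload))

def router_decrement_ttl(pkt):
    """What every hop does: TTL is mutable, so AH tolerates this."""
    h = bytearray(pkt); h[8] -= 1
    return bytes(h)

def nat_rewrite_source(pkt, new_src):
    """What a NAT gateway does: the source address is covered, so AH rejects this."""
    h = bytearray(pkt); h[12:16] = socket.inet_aton(new_src)
    return bytes(h)
```

ESP avoids this because its ICV starts at the ESP header and never covers the outer IP addresses.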
On May 17, 2014 1:18 PM, "Timo Teräs" <timo.te...@iki.fi> wrote:

> On Sat May 17 2014 04:25:49 AM EEST, masoom alam <masoom.a...@gmail.com>
> wrote:
>
> > Another thing that I am looking into is what the pros and cons are of
> > using ipsec-tools with opennhrp rather than strongSwan. I am aware that
> > there was some work going on on the API-level integration of both
> > projects. But why can't we use them independently on a single system,
> > because strongSwan is essentially a feature-rich implementation of
> > IPsec? Is there some hack available without getting hands dirty in
> > the strongSwan code? The earlier NAT question was also in the context of
> > strongSwan NAT support.
>
> No. I did some experiments with this earlier, but the patches are not
> fully operational.
>
> At the time opennhrp was started several years ago, ipsec-tools was the
> best-looking/easiest-to-integrate-with candidate. Though strongSwan now seems
> to be superior in almost all aspects, it does have a few issues that I
> don't like. Generally, though, it seems to be the current best choice. Getting
> NHRP working with it is a long-term goal for me too.
>
> Though, I would like to update to dmvpn phase 4 architecture while at it.
>
> See also:
> http://sourceforge.net/p/opennhrp/mailman/message/32271201/
>
> So yes, that's the direction, but we are not there yet. And no ETA at this
> time.
_______________________________________________
opennhrp-devel mailing list
opennhrp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opennhrp-devel