AH is not offering encryption. I never saw it in use.

For me it is not clear. Who is doing NAT? As I said in a previous mail, if the
VPN endpoint is behind NAT the only thing you have to forward to it is UDP
500 and 4500.

-----
Sincerely / Cu stimă,
Alin Gruiescu
Tel: +40 7711 03172


On Sun, May 18, 2014 at 4:53 PM, masoom alam <masoom.a...@gmail.com> wrote:

> An illustrative guide to IPsec (
> http://www.unixwiz.net/techtips/iguide-ipsec.html) reads as:
> AH and NAT — Not Gonna Happen
>
> Though AH provides very strong protection of a packet's contents because
> it covers *everything* that can be possibly considered immutable, this
> protection comes at a cost: AH is incompatible with NAT (Network Address
> Translation).
>
> NAT is used to map a range of private addresses (say, 192.168.1.X) to and
> from a (usually) smaller set of public address, thereby reducing the demand
> for routable, public IP space. In this process, the IP header is actually
> modified on the fly by the NAT device to change the source and/or
> destination IP address.
>
>
> If a NAT device, for example Ubuntu configured as an iptables firewall, cannot
> read the packet's internals, how can it forward the IPsec packet to the
> correct source/destination? I am confused here. Please guide.
>
> Secondly, strongSwan has support for NAT; is this a distinguishing factor,
> or can it be achieved via iptables? We are trying to evaluate what we will lose
> if we do not opt for strongSwan.
>
>
> Thanks.
>
> from phone thus brief.
> On May 17, 2014 1:18 PM, "Timo Teräs" <timo.te...@iki.fi> wrote:
>
>> On Sat May 17 2014 04:25:49 AM EEST, masoom alam <masoom.a...@gmail.com>
>> wrote:
>>
>> > Another thing that I am looking into is what the pros and cons are of
>> > using ipsec-tools with opennhrp rather than strongSwan. I am aware that
>> > there was some work going on on the API-level integration of both
>> > projects. But why can't we use them independently on a single system,
>> > because strongSwan is essentially a feature-rich implementation of
>> > IPsec. Is there some hack available without getting hands dirty in
>> > the strongSwan code? The earlier NAT question was also in the context of
>> > strongSwan NAT support.
>>
>> No, I did earlier some experiments with this, but the patches are not
>> fully operational.
>>
>> At the time opennhrp was started several years ago, ipsec-tools was the
>> best looking/easiest to integrate with candidate. Though, strongSwan seems
>> to be now superior in almost all aspects; it does have few issues that I
>> don't like. Generally though it seems to be the current best choice. Getting
>> NHRP working with it is a long term goal for me too.
>>
>> Though, I would like to update to dmvpn phase 4 architecture while at it.
>>
>> See also:
>> http://sourceforge.net/p/opennhrp/mailman/message/32271201/
>>
>> So yes that's the direction, but we are not there yet. And no ETA at this
>> time.
>>
>>
>
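The AH/NAT incompatibility quoted in this thread, shown as an added example that is not code from any poster or from ipsec-tools, strongSwan or opennhrp: a simplified model in which the AH integrity check covers the IP header (mutable fields zeroed) while the ESP check covers only the ESP packet, so a source-address rewrite breaks the first and not the second. The key, addresses, SPI and payload are constructed, HMAC-SHA-256 truncated to 16 bytes stands in for the negotiated integrity algorithm, and the AH header's own fields and UDP encapsulation on port 4500 are not modelled.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (checksum left at 0 for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(ip_hdr, payload):
    """AH-style ICV: IP header with mutable fields zeroed, plus the payload."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # DSCP/ECN (mutable in transit)
    h[6:8] = b"\x00\x00"     # flags + fragment offset (mutable)
    h[8] = 0                 # TTL (mutable)
    h[10:12] = b"\x00\x00"   # header checksum (mutable)
    # Source and destination addresses are NOT zeroed: AH treats them as immutable.
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:16]

def esp_icv(esp_packet):
    """ESP-style ICV: SPI, sequence number and ciphertext only, no outer IP header."""
    return hmac.new(KEY, esp_packet, hashlib.sha256).digest()[:16]

def nat_rewrite_source(ip_hdr, new_src):
    """What a source-NAT device does to the header: replace the source address."""
    h = bytearray(ip_hdr)
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)

def run_demo():
    payload = b"constructed payload"
    esp = struct.pack("!II", 0x1000, 1) + payload  # SPI, seq, stand-in ciphertext
    hdr_ah = ipv4_header("192.168.1.10", "203.0.113.5", 51, len(payload))  # 51 = AH
    sent_ah, sent_esp = ah_icv(hdr_ah, payload), esp_icv(esp)
    # The packet crosses a NAT mapping 192.168.1.10 -> 198.51.100.7, and TTL drops by one.
    natted = bytearray(nat_rewrite_source(hdr_ah, "198.51.100.7"))
    natted[8] -= 1
    ah_ok = hmac.compare_digest(sent_ah, ah_icv(bytes(natted), payload))
    esp_ok = hmac.compare_digest(sent_esp, esp_icv(esp))  # outer header is not an input
    return ah_ok, esp_ok

if __name__ == "__main__":
    print("AH verifies after NAT: %s, ESP verifies after NAT: %s" % run_demo())
```

The TTL decrement alone does not invalidate the AH check because TTL is zeroed before hashing; only the address rewrite does.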