Masoom, IPSec with NAT is handled via the NAT-T specification.  Your question 
really is more fundamental to how IPSec works in general, as opposed to openNHRP, 
which is the focus of this list.  My suggestion would be to practice setting up 
basic point-to-point IPSec over NAT first and get that working.  Once you have 
that in place, adding openNHRP is relatively simple. 

Sent from my iPhone

> On May 18, 2014, at 9:53 AM, masoom alam <masoom.a...@gmail.com> wrote:
> 
> An illustrative guide to IPsec 
> (http://www.unixwiz.net/techtips/iguide-ipsec.html) reads as:
> 
> AH and NAT — Not Gonna Happen
> Though AH provides very strong protection of a packet's contents because it 
> covers everything that can be possibly considered immutable, this protection 
> comes at a cost: AH is incompatible with NAT (Network Address Translation).
> NAT is used to map a range of private addresses (say, 192.168.1.X) to and 
> from a (usually) smaller set of public address, thereby reducing the demand 
> for routable, public IP space. In this process, the IP header is actually 
> modified on the fly by the NAT device to change the source and/or destination 
> IP address.
> 
> 
> If a NAT device, for example Ubuntu configured as an iptables firewall, cannot 
> read the packet's internals, how can it forward the IPsec packet to the correct 
> source/destination? I am confused here. Please guide. 
> 
> Secondly, strongSwan has support for NAT; is this a distinguishing factor or 
> can it be achieved via iptables? We are trying to evaluate what we will lose if 
> we do not opt for strongSwan.
> 
> 
> 
> Thanks. 
> 
> from phone thus brief.
> 
>> On May 17, 2014 1:18 PM, "Timo Teräs" <timo.te...@iki.fi> wrote:
>> On Sat May 17 2014 04:25:49 AM EEST, masoom alam <masoom.a...@gmail.com> 
>> wrote:
>> 
>> > Another thing that I am looking into is what the pros and cons are of
>> > using ipsec-tools with opennhrp rather than strongSwan. I am aware that
>> > there was some work going on on the API-level integration of both
>> > projects. But why can't we use them independently on a single system,
>> > because strongSwan is essentially a feature-rich implementation of
>> > IPsec. Is there some hack available without getting our hands dirty in
>> > the strongSwan code? The earlier NAT question was also in the context of
>> > strongSwan NAT support.
>> 
>> No, I did some experiments with this earlier, but the patches are not fully 
>> operational.
>> 
>> At the time opennhrp was started several years ago, ipsec-tools was the best 
>> looking/easiest to integrate with candidate. Though strongSwan now seems to 
>> be superior in almost all aspects, it does have a few issues that I don't 
>> like. Generally though it seems to be the current best choice. Getting NHRP 
>> working with it is a long-term goal for me too.
>> 
>> Though, I would like to update to dmvpn phase 4 architecture while at it.
>> 
>> See also:
>> http://sourceforge.net/p/opennhrp/mailman/message/32271201/
>> 
>> So yes, that's the direction, but we are not there yet. And no ETA at this 
>> time.
_______________________________________________
opennhrp-devel mailing list
opennhrp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opennhrp-devel
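
The AH/NAT incompatibility quoted in the thread, and the NAT-T handling mentioned in the reply, shown as an added example that is not part of the original messages. It is a simplified model: the addresses, key, SPI and payload are constructed, the payload is left unencrypted, and `nat()` is a hypothetical stand-in for what an iptables SNAT/MASQUERADE rule does to the header.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"   # constructed sample integrity key
AH, ESP, UDP = 51, 50, 17       # IP protocol numbers

def ip_hdr(src, dst, proto, ttl=64):
    # Minimal 20-byte IPv4 header; length and checksum left 0 for brevity.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96

def ah_icv(packet):
    # AH authenticates the IP header too; only mutable fields are zeroed first.
    h = bytearray(packet[:20])
    h[1] = 0            # TOS
    h[6:8] = b"\0\0"    # flags + fragment offset
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum
    return icv(bytes(h) + packet[20:])

def esp_icv(esp):
    # ESP authenticates only its own header and payload, not the outer IP header.
    return icv(esp)

def nat(packet, public_ip, public_port=None):
    # Source NAT: rewrite source address, decrement TTL, and for UDP the source port.
    p = bytearray(packet)
    p[8] -= 1
    p[12:16] = socket.inet_aton(public_ip)
    if public_port is not None and p[9] == UDP:
        p[20:22] = struct.pack("!H", public_port)
    return bytes(p)

def run_demo():
    src, dst, pub = "192.168.1.10", "203.0.113.5", "198.51.100.7"  # constructed
    body = struct.pack("!II", 0x1000, 1) + b"constructed payload"  # SPI, seq, data
    ah_pkt = ip_hdr(src, dst, AH) + body
    esp_pkt = ip_hdr(src, dst, ESP) + body
    # NAT-T: the same ESP packet carried inside UDP port 4500, UDP checksum 0.
    udp = struct.pack("!HHHH", 4500, 4500, 8 + len(body), 0)
    natt_pkt = ip_hdr(src, dst, UDP) + udp + body
    sent_ah, sent_esp = ah_icv(ah_pkt), esp_icv(body)
    return {
        "ah_survives_nat": ah_icv(nat(ah_pkt, pub)) == sent_ah,
        "esp_survives_nat": esp_icv(nat(esp_pkt, pub)[20:]) == sent_esp,
        "natt_survives_napt": esp_icv(nat(natt_pkt, pub, 40001)[28:]) == sent_esp,
    }

if __name__ == "__main__":
    print(run_demo())
```

The NAT device never needs to read the protected payload: it only rewrites the outer IP header and, with NAT-T, the UDP source port, which also gives a port-translating NAT something to tell several clients behind it apart. Bare ESP has no port field for that, which is why the UDP wrapper is used.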
