Traditional IPSEC uses IP protocols 50 and 51, and udp/500, correct? My
thought was that if Charter blocks certain TCP/UDP ports, then they
might also block IP protocols other than 1, 6 or 17. That would make
IPSEC impossible, which was my concern. Newer implementations of IPSEC
re-encapsulate the entire IPSEC packet in another transport session to
avoid NAT entanglements, in which case you can configure your particular
implementation to use ports > 1024, but that does not apply to us. We
use old-school IPSEC.
--Eric
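The filtering question Eric raises above (whether an ISP that passes only IP protocols 1, 6 and 17 would drop old-school IPsec) can be checked offline with a small model. The following is an added example, not code from Eric, Todd or the RLUG thread: it builds constructed sample packets for IKE (udp/500), raw ESP (IP protocol 50), raw AH (IP protocol 51) and RFC 3948 NAT-T, where the same ESP header is re-encapsulated in udp/4500 (the "port > 1024" framing Eric mentions), then runs each through a hypothetical filter that admits only ICMP/TCP/UDP and an optional port blocklist. Header checksums are left at zero and the ESP/AH payloads are placeholder bytes; the filter only looks at the IP protocol field and the transport ports, as a protocol-level ISP filter would.

```python
"""Model which IPsec framings survive an ISP filter that passes only
IP protocols 1, 6 and 17 (ICMP, TCP, UDP).  Added example; packets are
constructed placeholders, not captured traffic."""
import struct

# IANA IP protocol numbers
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PROTO_ESP, PROTO_AH = 50, 51
# IKE (RFC 2409) and NAT-T UDP-encapsulated ESP (RFC 3948) ports
PORT_IKE, PORT_NATT = 500, 4500


def ipv4_header(proto, payload_len, src="192.0.2.1", dst="198.51.100.1"):
    """Minimal 20-byte IPv4 header; checksum left 0 (fine for this model)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0,
                       64, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def esp_packet(spi=0x1000, seq=1, payload=b"\x00" * 32):
    """Raw ESP: IP proto 50, then SPI, sequence and opaque ciphertext."""
    esp = struct.pack("!II", spi, seq) + payload
    return ipv4_header(PROTO_ESP, len(esp)) + esp


def ah_packet(icv=b"\x00" * 12):
    """Raw AH: IP proto 51; next header, length (32-bit words minus 2),
    reserved, SPI, sequence, then a 96-bit ICV placeholder."""
    ah = struct.pack("!BBHII", PROTO_TCP, 4, 0, 0x2000, 1) + icv
    return ipv4_header(PROTO_AH, len(ah)) + ah


def ike_packet():
    """IKE negotiation rides in UDP on port 500 (constructed ISAKMP bytes)."""
    ike = b"\x00" * 28
    udp = udp_header(PORT_IKE, PORT_IKE, len(ike)) + ike
    return ipv4_header(PROTO_UDP, len(udp)) + udp


def natt_esp_packet(spi=0x1000, seq=1, payload=b"\x00" * 32):
    """RFC 3948 NAT-T: the identical ESP header wrapped in UDP 4500, so the
    outer IP protocol becomes 17 and the filter sees an ordinary UDP flow."""
    esp = struct.pack("!II", spi, seq) + payload
    udp = udp_header(PORT_NATT, PORT_NATT, len(esp)) + esp
    return ipv4_header(PROTO_UDP, len(udp)) + udp


def classify(pkt):
    """Return (ip_protocol, dst_port or None), i.e. what a port/protocol
    filter can see without parsing ESP or AH."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    proto = fields[6]
    if proto in (PROTO_TCP, PROTO_UDP):
        _sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return proto, dport
    return proto, None


def isp_allows(pkt, allowed_protos=(PROTO_ICMP, PROTO_TCP, PROTO_UDP),
               blocked_ports=()):
    """Hypothetical consumer-ISP filter: unknown IP protocols are dropped,
    and listed destination ports are dropped."""
    proto, dport = classify(pkt)
    if proto not in allowed_protos:
        return False
    return dport is None or dport not in blocked_ports


def check_ipsec_paths(blocked_ports=()):
    """Map each IPsec framing to whether it passes the modelled filter."""
    samples = [
        ("IKE udp/500", ike_packet()),
        ("ESP proto 50", esp_packet()),
        ("AH proto 51", ah_packet()),
        ("NAT-T ESP udp/4500", natt_esp_packet()),
    ]
    return {name: isp_allows(p, blocked_ports=blocked_ports)
            for name, p in samples}


if __name__ == "__main__":
    for name, ok in check_ipsec_paths().items():
        print(f"{name:22s} {'passes' if ok else 'DROPPED'}")
```

With the default policy the raw ESP and AH packets are dropped while IKE and the NAT-T framing pass; adding 500 to `blocked_ports` shows that a port filter alone would also stop IKE, which is why the real question on a consumer link is which of the two kinds of filtering the ISP actually does.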
-----Original Message-----
From: Todd A. Jacobs [SMTP:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 10:05 AM
To: Eric Robinson
Cc: [EMAIL PROTECTED]
Subject: Re: [RLUG] Charter and VPNs
On Thu, 18 Dec 2003, Eric Robinson wrote:
> connectivity is okay for my application, then is there a problem running
> a gateway-to-gateway IPSEC tunnel on consumer-grade Charter service? How
> thorough is Charter's packet filtering?
Yes. IPSEC usually doesn't have any impact on what ports are used. Even in
ESP mode, the source/destination ports are usually unchanged. You might be
able to find an implementation that changes this behavior, but it would be
non-standard, and would certainly break the AH protocol.
You might be better off investigating stunnel or cipe. Cipe in particular
will allow you to tunnel over a specified port, so you can set it above
1024 to bypass the filters Charter uses.
Again, note that this is a non-standard methodology, so you will need to
do this with Linux boxen, and not with an industry-standard appliance. It
should work well enough for what you've described, but it may politically
be a hot potato in your environment. YMMV.
--
Todd's "Customer Disservice Hall of Shame" currently contains:
  - Charter Communications: Mislead their customers about services,
    and block Internet connectivity.
  - AT&T: Honoring the "checks" they send out to entice you to switch
    long-distance providers is apparently optional.
  - eFax: Receive (not send) 20 pages of *unsolicited* faxes, and lose
    your account.
_______________________________________________
RLUG mailing list
[EMAIL PROTECTED]
http://www.rlug.org/mailman/listinfo/rlug