On Wed, 2002-10-16 at 20:20, Naman Latif wrote:
> I am not sure, if Solaris supports it. If I remember correctly, using
> IPSec in "Transport" mode instead of "Tunnel", would only Encrypt the
> Payload and not the Packet Header. However you will then have to make

With ESP transport mode, the original header of the IP packet is not placed in the encrypted payload. But you will not see the complementing part to the IP header that makes up TCP or UDP; it is encrypted and part of the payload. So the question whether to use transport or tunnel mode is irrelevant here.

> sure that the addresses in the Header Field are Public and Routable
> through Internet.
>
> Regards \\ Naman
>
> > -----Original Message-----
> > From: Zep [mailto:zep@;nemesis.mmind.net]
> > Sent: Tuesday, October 15, 2002 10:06 AM
> > To: [EMAIL PROTECTED]
> > Subject: IPsec problems/ideas.
> > [snip]
> >
> > I've been poking at ipsec for this, because (from what
> > I've read), I can seamlessly poke it into the conversation
> > and all is encrypted. and I can configure it to just encrypt
> > the traffic that I'm worried about.
> >
> > The problem that I'm running into is that since IPsec
> > encrypts the TCP header, so the firewall can't see that it's
> > traffic bound for port X and thus should be allowed.

Hiding TCP information is exactly what IPsec (ESP, I assume you need confidential/encrypted traffic and not message integrity only) is made for. To overcome this problem, set up an IPsec gateway just before the firewall so that only unencrypted traffic passes through (assuming you view the internal network behind it as confidential/trusted).

> > So what I'm looking for is suggestions/ideas/whatever
> > of ways around this... I'd like something that acts like
> > ipsec but just encrypts the data part of the packet, but
> > leaves the rest of the header alone.

[snip]

regards
jordan
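The point made in this thread, that ESP hides the TCP header in both transport and tunnel mode so a port-based filter cannot match on it, and that an ESP gateway in front of the firewall restores the filter's visibility, can be shown with a small packet-layout walk-through. The following Python is an added example and not code from anyone on the thread. It builds a plain IPv4/TCP packet, the same packet wrapped in ESP transport mode, and an ESP tunnel-mode packet, then runs a stateless "permit tcp port 443" check over each and over what a decapsulating gateway would emit. Header layouts follow RFC 791 (IPv4), RFC 793 (TCP) and RFC 4303 (ESP), but the cipher is a toy XOR keystream standing in for real ESP crypto, there is no padding or ICV, and all addresses, SPIs and the key are constructed values.

```python
"""Added example: what a packet filter sees for plain TCP, ESP transport mode
and ESP tunnel mode, and what it sees after an ESP gateway decapsulates.
Toy cipher only; constructed addresses, SPIs and key."""
import hashlib
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_IPIP = 4  # next-header value for an encapsulated IPv4 packet

KEY = b"constructed-demo-key"  # constructed, not a real key


def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 for the demo.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def tcp_header(sport, dport):
    # 20-byte TCP header, SYN set, no options (data offset = 5 words).
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def toy_xor(key, data):
    # Symmetric toy keystream: SHA-256(key || block counter) XORed over data.
    # Stands in for ESP's real cipher; it only illustrates that the body is opaque.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack("!I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def esp_payload(key, spi, seq, inner, next_header):
    # ESP: SPI and sequence number in the clear, then the protected body.
    # Real ESP adds padding, pad length and an ICV; here the next-header
    # byte is simply appended to the body before encryption.
    return struct.pack("!II", spi, seq) + toy_xor(key, inner + bytes([next_header]))


def plain_tcp_packet(src, dst, sport, dport):
    tcp = tcp_header(sport, dport)
    return ipv4_header(src, dst, IPPROTO_TCP, len(tcp)) + tcp


def transport_mode_packet(key, src, dst, sport, dport):
    # Transport mode: original IP header stays in the clear with proto=50;
    # the TCP header (and data) become the encrypted ESP body.
    esp = esp_payload(key, 0x1000, 1, tcp_header(sport, dport), IPPROTO_TCP)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode_packet(key, gw_src, gw_dst, src, dst, sport, dport):
    # Tunnel mode: the whole original IP packet is the ESP body and a new
    # outer header carries the gateway addresses.
    inner = plain_tcp_packet(src, dst, sport, dport)
    esp = esp_payload(key, 0x2000, 1, inner, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def firewall_view(pkt):
    """What a stateless filter can read: outer addresses, protocol number,
    the TCP destination port only when the transport header is in the clear,
    and otherwise just the ESP SPI."""
    ihl = (pkt[0] & 0x0F) * 4
    view = {"src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])),
            "proto": pkt[9], "dport": None, "spi": None}
    if view["proto"] == IPPROTO_TCP:
        view["dport"] = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    elif view["proto"] == IPPROTO_ESP:
        view["spi"] = struct.unpack("!I", pkt[ihl:ihl + 4])[0]
    return view


def allow_port(pkt, port):
    # A "permit tcp any any eq <port>" rule: ESP never matches, so it fails closed.
    return firewall_view(pkt)["dport"] == port


def gateway_decapsulate(key, pkt):
    """The ESP gateway placed in front of the firewall: strip ESP and emit the
    cleartext packet so the filter behind it can match on ports again."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_ESP:
        return pkt
    body = toy_xor(key, pkt[ihl + 8:])  # skip SPI + seq; XOR is symmetric
    inner, next_header = body[:-1], body[-1]
    if next_header == IPPROTO_TCP:  # transport mode: rebuild the IP header
        src = ".".join(map(str, pkt[12:16]))
        dst = ".".join(map(str, pkt[16:20]))
        return ipv4_header(src, dst, IPPROTO_TCP, len(inner)) + inner
    return inner  # tunnel mode: the body already is a full IP packet


if __name__ == "__main__":
    plain = plain_tcp_packet("10.0.0.5", "192.0.2.10", 40000, 443)
    transp = transport_mode_packet(KEY, "10.0.0.5", "192.0.2.10", 40000, 443)
    tunnel = tunnel_mode_packet(KEY, "198.51.100.1", "203.0.113.1",
                                "10.0.0.5", "192.0.2.10", 40000, 443)
    for name, p in (("plain", plain), ("esp-transport", transp), ("esp-tunnel", tunnel)):
        print(name, firewall_view(p), "allowed:", allow_port(p, 443))
        print("  after gateway:", allow_port(gateway_decapsulate(KEY, p), 443))
```

Running it shows the transport-mode packet still carries the original source and destination addresses in the clear, which is the routability point made above, but its protocol field reads 50 and the port is gone; the tunnel-mode packet hides even the inner addresses. Only the packet emitted by the decapsulating gateway matches the port rule again.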