> On 6 Mar 00, at 0:14, Andrew Garrett wrote:
>
> > The summary from my archives tells me that a) It's not doable. b) it might
> > be doable, with a firmware upgrade.
>
> I want that firmware upgrade.
>
Well I have tried 5.3 and although it got me over one hurdle there was a
higher one right behind it. I was able to create an ESP/SSL tunnel without
a problem; the client then tried to talk to the firewall over the secure
connection and that is as far as we got. The client then tried talking to
the firewall over the secure connection and, as the actual IP address of the
firewall was different to what the client thought it was (due to NAT), the
connection failed.

The response from the supplier was "it won't work over a NAT connection".
If you are building your own solution you can probably work around this.
> > c) telecom have a solution of their own, possibly, coming soon.
>
> Mention has been made that a Telecom solution is unsuitable for two
> reasons:
>
> 1 - you have to trust their solution (this isn't a comment on Telecom, it's
> a comment on trusting someone else for your encryption/security/etc.
> As opposed to trusting source code you can view and compile first).
>
> 2 - presumably if you're getting someone else's solution you have to pay
> extra for it.
>
From what I have heard the solution is more of a private network using DSL
as the access. This is a good idea and I can see plenty of uses for it. It
does not however negate the need for real "VPN" capability. Re #1 I agree,
but if you can't put together your own solution you have to trust someone
and it comes down to cost. Re #2 I'm still waiting for that free lunch...
> I have IPSec sitting here ready to talk to someone. The source code
> used to do this is freely available and I trust it. It costs me nothing but
> my time to implement it. It's a solution which can be cheaply and
> efficiently used. If only my M10 would open up its widdle self.
>
I hope you have more luck than me.
> I and many others on this list are perfectly willing and able to face the
> big bad world. I say the M10 needs to be configurable such that all and
> any protocols are passed through. Let our firewalls deal with it. That's
> what we have them for.
>
> I fully agree that the M10s must be delivered in a certain "locked-down"
> state to cater for the users who cannot or do not use a firewall. But for
> the rest of us, we know the implications of opening ourselves up and,
> damn it [hand slaps desk for effect], we want it! <grin>
>
> What problems need to be overcome before the above suggestions can
> be achieved? What can we do to expedite the solutions?
Having a choice of access options would be nice - obviously a NAT service is
very suitable for a lot of people and works fine, but it is obvious that one
size doesn't fit all. We could still go back to a F/R or DDS service, but at
10X the cost it is not a viable option.
>
> > And, I'd like to thank everyone, for the outpourings of sympathy which I
> > can feel, from you all, even before I push send.
>
> OK, at 9:03 Monday morning, everyone send Andrew a group sigh (but
> don't cc the list, thanks).
> --
> Dan Langille - DVL Software Limited [I'm looking for more work]
> http://www.dvl-software.com/ | http://www.unixathome.org/
> http://www.racingsystem.com/ | http://www.freebsddiary.org/
>
> To unsubscribe: send mail to majordomo@freebsddiary.cx
> with "unsubscribe adsl" in the body of the message
>
Received on Mon Mar 6 09:30:59 2000