On Mon, 6 Mar 2000, Jim Linklater wrote:
> >
> > On 6 Mar 00, at 0:14, Andrew Garrett wrote:
> >
> > > The summary from my archives tells me that a) It's not
> > > doable. b) it might be doable, with a firmware upgrade.
> >
> > I want that firmware upgrade.
> >
>
> Well, I have tried 5.3 and although it got me over one hurdle there was a
> higher one right behind it. I was able to create an ESP/SSL tunnel without
> a problem; the client then tried to talk to the firewall over the secure
> connection and that is as far as we got. The client then tried talking to
> the firewall over the secure connection and, as the actual IP address of the
> firewall was different to what the client thought it was (due to NAT), the
> connection failed.
>
> The response from the supplier was "it won't work over a NAT connection".
> If you are building your own solution you can probably work around this.
>
Without having DSL to test this I am pretty certain this was the case for
all IPsec based connections - AFAIK IPsec will not work over any NAT'd
device as it checks the packet headers for mangling (security issue) and
if it finds they have been altered (i.e. by a NAT based connection) it
discards the packets.
What you *may* be able to do however is to set up a basic IP-IP tunnel
(which does work) and then tunnel IPsec via this; not having a DSL
connection however (6 days since submitting the form requesting DSL and
STILL no contact from an installer) I am unable to test this theory :)
One wonders however if DSL is actually reliable enough for a VPN type
connection - after the past few outages and the lack of a speedy fix from
Telecom I would be hazarding a guess that a week-long outage of a VPN
would be too long for any business to cope with - the ADSL in New Zealand just
lacks the reliability unless the company has a backup circuit it can fail
over to.
--
Steve.
To unsubscribe: send mail to majordomo@freebsddiary.cx
with "unsubscribe adsl" in the body of the message
Received on Mon Mar 6 09:52:12 2000
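The header-integrity check Steve describes (the sender's ICV covers the IP header, so a NAT box that rewrites the source address breaks it) can be modelled in a few lines. This is an added illustration written for this archive page, not code from the thread or from any IPsec implementation: it uses a constructed shared key and RFC 5737 documentation addresses, and it zeroes only TTL and header checksum as the "mutable" fields, a simplification of what AH actually excludes.

```python
import hmac
import hashlib
import ipaddress
import struct

# Constructed demo key shared by the two IPsec peers (not a real key).
KEY = b"demo-shared-key-not-for-production"
AH_PROTO = 51  # IP protocol number of the Authentication Header


def ipv4_header(src: str, dst: str, ttl: int = 64, total_len: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header; the checksum is left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, 0x1234, 0,
                       ttl, AH_PROTO, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def immutable_view(hdr: bytes) -> bytes:
    """Zero the fields every hop legitimately changes before hashing.
    Source/destination addresses are NOT zeroed, so a NAT rewrite changes the ICV."""
    h = bytearray(hdr)
    h[8] = 0             # TTL: decremented by each router, so excluded
    h[10:12] = b"\0\0"   # header checksum: recomputed by each router
    return bytes(h)


def icv(hdr: bytes, payload: bytes) -> bytes:
    """Sender/receiver integrity check value over immutable header fields + payload."""
    return hmac.new(KEY, immutable_view(hdr) + payload, hashlib.sha256).digest()[:12]


def router_forward(hdr: bytes) -> bytes:
    """A plain router only decrements TTL (checksum stays zero in this model)."""
    h = bytearray(hdr)
    h[8] -= 1
    return bytes(h)


def nat_forward(hdr: bytes, public_src: str) -> bytes:
    """A NAT box decrements TTL and also rewrites the source address."""
    h = bytearray(router_forward(hdr))
    h[12:16] = ipaddress.IPv4Address(public_src).packed
    return bytes(h)


def receiver_accepts(hdr: bytes, payload: bytes, received_icv: bytes) -> bool:
    """The IPsec peer recomputes the ICV and discards the packet on mismatch."""
    return hmac.compare_digest(icv(hdr, payload), received_icv)
```

With a packet from 192.168.1.10 to 203.0.113.5, `receiver_accepts(router_forward(hdr), payload, tag)` is True while `receiver_accepts(nat_forward(hdr, "198.51.100.7"), payload, tag)` is False, which is exactly the discard behaviour described above.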