New Zealand ADSL Mailing List


RE: IPSec, Nokia MP10.

From: Jim Linklater <Jim.Linklater_at_dtsl.co.nz>
Date: Mon, 6 Mar 2000 10:19:44 +1300
Message-ID: <D3231F6B7F53D31191C80000C056E4E307C3B7@WGTNES>

> On Mon, 6 Mar 2000, Jim Linklater wrote:
>
> > > On 6 Mar 00, at 0:14, Andrew Garrett wrote:
> > >
> > > > The summary from my archives tells me that a) It's not doable. b) it
> > > > might be doable, with a firmware upgrade.
> > >
> > > I want that firmware upgrade.
> >
> > Well I have tried 5.3 and although it got me over one hurdle there was a
> > higher one right behind it. I was able to create an ESP/SSL tunnel without
> > a problem. The client then tried to talk to the firewall over the secure
> > connection and that is as far as we got. The client then tried talking to
> > the firewall over the secure connection and as the actual IP Address of the
> > firewall was different to what the client thought it was (due to NAT) the
> > connection failed.
> >
> > The response from the supplier was "it won't work over a NAT connection".
> > If you are building your own solution you can probably work around this.
> >
>
> without having DSL to test this i am pretty certain this was the case for
> all IPsec based connections - afaik IPsec will not work over any nat'd
> device as it checks the packet headers for mangling (security issue) and
> if it finds they have been altered (i.e. by a NAT based connection) it
> discards the packets.
>
> what you *may* be able to do however is to set up a basic IP-IP tunnel
> (which does work) and then tunnel IPsec via this, not having a DSL
> connection however (6 days since submitting the form requesting DSL and
> STILL no contact from an installer) i am unable to test this theory :)

I guess this would work OK but you may get into some problems with the
client software under Win95 using the wrong adapter etc. It does however
add some more hardware/software to the loop and this is not really
acceptable for my situation.

>
> one wonders however if DSL is actually reliable enough for a VPN type
> connection - after the past few outages and the lack of a speedy fix from
> telecom i would be hazarding a guess that a weeks long outage of a VPN
> would be too long for any business to cope - the ADSL in new zealand just
> lacks the reliability unless the company has a backup circuit it can fail
> over to.
>

I agree that the service is not proving to be reliable but from what I can
see the reliability is not with the DSL or access portion but rather the
RANs and authentication. Both of these components are common to most remote
access services. There is no reason that I can see for DSL to be more
unreliable than other technologies. If you are running business critical
applications you should have some redundancy/contingency regardless of the
technology.

Jim

> --
> Steve.
>
>
> To unsubscribe: send mail to majordomo@freebsddiary.cx
> with "unsubscribe adsl" in the body of the message
>

Received on Mon Mar 6 10:22:22 2000
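
Added example, not part of the original thread: a Python sketch of the header integrity check discussed above, showing which IPsec integrity value a NAT address rewrite invalidates. It goes a little beyond the thread by contrasting AH (ICV covers the immutable outer IP header fields, including addresses) with ESP (ICV covers only the ESP header and payload); the key, addresses, SPIs and payload are constructed, and ESP encryption is omitted.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # 20-byte IPv4 header, no options; checksum left at 0 (AH zeroes it anyway)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    # AH excludes fields routers may change: TOS, flags/offset, TTL, checksum
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)

def icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96

def ah_build(src, dst, payload):
    ah = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1)  # next=TCP, len, rsvd, SPI, seq
    hdr = ipv4_header(src, dst, 51, len(ah) + 12 + len(payload))
    return hdr, ah, icv(zero_mutable(hdr) + ah + b"\0" * 12 + payload), payload

def ah_verify(hdr, ah, tag, payload):
    expected = icv(zero_mutable(hdr) + ah + b"\0" * 12 + payload)
    return hmac.compare_digest(tag, expected)

def esp_build(src, dst, payload):
    esp = struct.pack("!II", 0x2000, 1) + payload  # SPI, seq; encryption omitted
    return ipv4_header(src, dst, 50, len(esp) + 12), esp, icv(esp)

def esp_verify(hdr, esp, tag):
    return hmac.compare_digest(tag, icv(esp))  # outer IP header is not covered

def rewrite(hdr, src=None, ttl=None):
    # What a NAT device (src) or any router (ttl) does to the header in transit
    h = bytearray(hdr)
    if src is not None:
        h[12:16] = socket.inet_aton(src)
    if ttl is not None:
        h[8] = ttl
    return bytes(h)

if __name__ == "__main__":
    hdr, ah, tag, data = ah_build("192.168.1.10", "198.51.100.1", b"constructed payload")
    print("AH, untouched:   ", ah_verify(hdr, ah, tag, data))
    print("AH, TTL changed: ", ah_verify(rewrite(hdr, ttl=63), ah, tag, data))
    print("AH, source NATed:", ah_verify(rewrite(hdr, src="203.0.113.5"), ah, tag, data))
    ehdr, esp, etag = esp_build("192.168.1.10", "198.51.100.1", b"constructed payload")
    print("ESP, source NATed:", esp_verify(rewrite(ehdr, src="203.0.113.5"), esp, etag))
```

Passing the ESP integrity check does not make the session work through NAT: a peer that compares the address it negotiated with the address it actually sees can still reject the connection, which is the failure described in the thread.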


This archive was generated by hypermail 2.2.0 : Thu Nov 30 11:48:03 2006 EST