The plan calls for the remotes to be direct on the internet but there's
a risk that someone will want the remote behind a NAT firewall. Most NAT
firewalls seem to keep the original port if it doesn't conflict with existing
connections but of course one can't rely on that!
The only alternative to this scheme I could come up with was to put the
original port in plaintext ahead of the cipe payload in the udp packet. It's
not intended to interwork with "standard" cipe installations so that might be
an easier way. And it's NAT safe!
Thanks for your comments.
On Tuesday 17 June 2003 18:06, Eric M. Hopper wrote:
> On Tue, 2003-06-17 at 09:03, Allan Latham wrote:
> > 1. All remote stations will be set up to listen on a udp port just as now.
> > 2. No two remote stations will use the same listen port.
> > 3. All remote stations will send udp packets to the same IP and port (i.e.
> > the real IP of the firewall and whatever port has been forwarded to the
> > cipe box).
> > 4. On the cipe box on the firm's network the cipe configuration will be
> > such that each interface listens on localhost on the same udp port as the
> > remote server is listening on.
> > 5. On the cipe box I will run a proxy udp server which looks at the
> > incoming udp packets and forwards them to the udp port on localhost that
> > is the same as the source udp port in the original packet.
> That method is thwarted if the remote stations are behind a NAT, because
> that will scramble the source port. I presume you are aware of this,
> but I brought it up just in case.
> Have fun (if at all possible),
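The two demultiplexing schemes discussed in this thread, as an added example (not code from the thread, and not CIPE's own code): the proxy from the original plan, which forwards each datagram to localhost on the packet's source port, beside the NAT-safe variant from the reply, which reads the remote's listen port from a plaintext header ahead of the payload. The 2-byte big-endian header layout, the documentation address 203.0.113.5 and the ports are assumptions made for the illustration; `simulate()` runs one packet through both schemes with and without a NAT rewriting the source port, and `serve()` is a minimal proxy loop for the forward direction only.

```python
import socket
import struct

# Assumed header layout for the "original port in plaintext ahead of the cipe
# payload" variant: 2-byte big-endian listen port, then the encrypted payload.
# This is an illustration, not CIPE's wire format.
PORT_HDR = struct.Struct("!H")
LOCAL_IP = "127.0.0.1"


def route_by_source_port(src_addr, datagram):
    """Scheme from the plan: forward to localhost on the packet's source port."""
    _src_ip, src_port = src_addr
    return ((LOCAL_IP, src_port), datagram)


def wrap_with_port(listen_port, datagram):
    """Remote side of the NAT-safe variant: prepend own listen port in clear."""
    return PORT_HDR.pack(listen_port) + datagram


def route_by_header(src_addr, datagram):
    """NAT-safe variant: take the port from the header, strip it, forward."""
    if len(datagram) < PORT_HDR.size:
        return None  # too short to carry a header: drop
    (port,) = PORT_HDR.unpack_from(datagram)
    if port == 0:
        return None  # port 0 is never a listen port: drop
    return ((LOCAL_IP, port), datagram[PORT_HDR.size:])


def simulate(remote_listen_port, nat_source_port, payload):
    """One packet from a remote through both schemes.

    nat_source_port is None when the remote is directly on the internet
    (source port preserved), otherwise the port the NAT rewrote it to.
    Returns the local port each scheme would forward to, plus the right one.
    The remote address is a constructed documentation value.
    """
    seen_port = remote_listen_port if nat_source_port is None else nat_source_port
    src = ("203.0.113.5", seen_port)
    by_source = route_by_source_port(src, payload)
    by_header = route_by_header(src, wrap_with_port(remote_listen_port, payload))
    return {
        "correct": remote_listen_port,
        "source_port_scheme": by_source[0][1],
        "header_scheme": by_header[0][1],
    }


def serve(listen_port, router, max_packets=None):
    """Minimal proxy loop: apply router() to each datagram, forward to localhost.

    Handles max_packets datagrams (None: run forever) and returns the count.
    Only the remote-to-cipe direction is shown; replies are not relayed.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", listen_port))
    handled = 0
    while max_packets is None or handled < max_packets:
        datagram, src = sock.recvfrom(65535)
        decision = router(src, datagram)
        if decision is not None:  # None means the router dropped the packet
            dst, payload = decision
            sock.sendto(payload, dst)
        handled += 1
    sock.close()
    return handled


if __name__ == "__main__":
    print("direct:", simulate(5001, None, b"cipe-payload"))
    print("behind NAT:", simulate(5001, 40001, b"cipe-payload"))
```

With the remote directly on the internet both schemes pick port 5001; once a NAT rewrites the source port to 40001 the source-port scheme forwards to a localhost port nothing listens on, while the header scheme still reaches 5001. The header costs two plaintext bytes per datagram and, as the thread notes, is not interoperable with standard CIPE peers.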