
To: cipe-l,AT,inka,DOT,de
Subject: Re: Cipe still vulnerable?
From: "Eric M. Hopper" <hopper,AT,omnifarious,DOT,org>
Date: Wed, 23 Feb 2005 09:15:14 -0800
In-reply-to: <1109176786.26992.49.camel@moola.futuresource.com>
Organization: Omnifarious Software
References: <20050223133853.GA15113@killerhippy.de> <1109175862.6165.145.camel@bats.omnifarious.org> <1109176786.26992.49.camel@moola.futuresource.com>

On Wed, 2005-02-23 at 10:39 -0600, Les Mikesell wrote: 
> Is there an easy way to tell if a NAT device is NAT-T compatible? 
> Another alternative is OpenVPN, but it looks much more difficult to
> configure, especially compared to the RedHat releases that included
> CIPE and made it a fill-in-the-form setup.

IPSEC NAT-T just puts the IPSEC packets inside UDP.  By default it uses
port 4500 for the tunneled packets.  And, of course, it uses port 500
for IKE exchanges.  Most NATs tunnel UDP by providing a temporary
mapping that sends the packet back to the originator.

So, NAT-T doesn't work well if both correspondents are behind a NAT, and
neither side can set up any mappings on their NAT, but then again,
neither does CIPE.

Have fun (if at all possible),
-- 
The best we can hope for concerning the people at large is that they
be properly armed.  -- Alexander Hamilton
-- Eric Hopper (hopper,AT,omnifarious,DOT,org  
http://www.omnifarious.org/~hopper) --

Attachment: signature.asc
Description: This is a digitally signed message part
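As an added illustration of the UDP encapsulation described above (example code, not part of the original message, of CIPE or of any IPSEC implementation), a small Python classifier for the payload of a UDP port 4500 datagram following the RFC 3948 layouts: a single 0xFF octet is a NAT keepalive, four zero octets (the "non-ESP marker") introduce an IKE header, and anything else is UDP-encapsulated ESP beginning with a non-zero SPI. The sample payloads are constructed, not captured traffic.

```python
import struct

NAT_T_PORT = 4500  # UDP port for encapsulated ESP and IKE (RFC 3948)
IKE_PORT = 500     # plain IKE port, as mentioned in the message


def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify the UDP payload of a port-4500 datagram (RFC 3948 layouts).

    Returns a dict whose 'kind' is 'keepalive', 'ike', 'esp' or 'invalid',
    plus the identifiers a monitor would log to correlate the packet.
    """
    # NAT keepalive: one 0xFF octet, sent only to refresh the NAT mapping.
    if payload == b"\xff":
        return {"kind": "keepalive"}
    if len(payload) < 8:
        return {"kind": "invalid", "reason": "shorter than ESP SPI + sequence"}
    first_word, second_word = struct.unpack("!II", payload[:8])
    if first_word == 0:
        # Four zero octets are the non-ESP marker: an IKE header follows
        # (initiator SPI, responder SPI, next payload, version, exchange
        # type, flags, message ID, length; 28 octets in total).
        ike = payload[4:]
        if len(ike) < 28:
            return {"kind": "invalid", "reason": "truncated IKE header"}
        i_spi, r_spi, _np, version, exch, _flags, msg_id, length = \
            struct.unpack("!QQBBBBII", ike[:28])
        if length != len(ike):
            return {"kind": "invalid", "reason": "IKE length field mismatch"}
        return {"kind": "ike", "initiator_spi": i_spi, "responder_spi": r_spi,
                "version": version, "exchange_type": exch, "message_id": msg_id}
    # Anything else is UDP-encapsulated ESP: SPI, then sequence number.
    return {"kind": "esp", "spi": first_word, "sequence": second_word}


def build_samples() -> dict:
    """Constructed sample payloads (not captured traffic) for the three kinds."""
    ike_body = b"\x00" * 8  # constructed filler standing in for IKE payloads
    # IKEv2 IKE_SA_INIT (exchange type 34) from an initiator, responder SPI 0.
    ike_hdr = struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34,
                          0x08, 0, 28 + len(ike_body))
    return {
        "keepalive": b"\xff",
        "ike_sa_init": b"\x00\x00\x00\x00" + ike_hdr + ike_body,
        "esp": struct.pack("!II", 0xC0FFEE01, 7) + b"\xab" * 16,
    }
```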

