> -----Original Message-----
> From: Samuel Patton [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 12 February 2001 12:42 
> To: Ben Nagy; 'Alan Olsen'
> Cc: [EMAIL PROTECTED]; dsap
> Subject: Re: VPN technology
> 
> 
> > I still recommend IPSec over PPTP, but I don't rate PPTP as unusable. With
> > strong user passwords and for low threat sites I have recommended it a few
> > times. PPTP has some good points. It's NATable, for one.
> 
> A slight correction.  IPSec is also NATable if you are not using the
> Authentication Header (AH).

Um, and if your auth is not based on IP addresses, and if you're not doing
PAT, and if the moon is in Jupiter, preferably waxing.

All-in-all it's Just Wrong to tell people that IPSec can be NAT'ed. If they
can't work out the extremely limited circumstances in which that is true
they'll just get annoyed trying.

Here is a link to the best summary I've seen about this (came up in this
list a while ago):
http://lists.gnac.net/firewalls/mhonarc/firewalls.200003/msg00673.html

If you do some reading in the thread, you'll also see a nice note about
making ESP work with pre-shared secrets through NAT - if you do it then
you're probably opening yourself up to nasty problems since the IPSec
devices aren't requiring the endpoint IP address to match the configured
"owner" IP for the secret (which is bad).

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
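An added illustration, not part of the thread, of the AH point argued above: an AH integrity check covers the IP addresses, so a NAT rewrite of the source address invalidates it, whereas an ESP check covers only the ESP body and never sees the outer header. The key, addresses and payloads are constructed, the IPv4 header is simplified, and HMAC-SHA1-96 stands in for the ICV; the other conditions Ben lists (PAT, IP-based peer identity) are outside what this check models.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed; real SAs get keys from IKE

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # Minimal 20-byte IPv4 header; checksum left zero (AH ignores it anyway).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(hdr, payload, key=KEY):
    # AH (RFC 2402): HMAC over the IP header with the mutable fields zeroed
    # (TOS, flags/fragment offset, TTL, checksum). The addresses are not
    # mutable, so the ICV pins them to the values the sender used.
    z = bytearray(hdr)
    z[1] = 0
    z[6:8] = b"\x00\x00"
    z[8] = 0
    z[10:12] = b"\x00\x00"
    return hmac.new(key, bytes(z) + payload, hashlib.sha1).digest()[:12]

def esp_icv(esp_packet, key=KEY):
    # ESP: ICV covers SPI, sequence number and ciphertext only; the outer
    # IP header is not an input, so address rewriting is invisible to it.
    return hmac.new(key, esp_packet, hashlib.sha1).digest()[:12]

def nat_rewrite_src(hdr, new_src):
    # Basic NAT: swap the source address (checksum fix-up elided here).
    return hdr[:12] + socket.inet_aton(new_src) + hdr[16:]

def ah_survives_nat():
    payload = b"constructed AH payload"
    hdr = ipv4_header("10.0.0.5", "198.51.100.9", 51, len(payload))  # 51 = AH
    sent = ah_icv(hdr, payload)
    arrived = nat_rewrite_src(hdr, "203.0.113.7")  # NAT device on the path
    return hmac.compare_digest(sent, ah_icv(arrived, payload))

def esp_survives_nat():
    esp = struct.pack("!II", 0x1001, 1) + b"constructed ciphertext"  # SPI, seq
    hdr = ipv4_header("10.0.0.5", "198.51.100.9", 50, len(esp))  # 50 = ESP
    sent = esp_icv(esp)
    nat_rewrite_src(hdr, "203.0.113.7")  # outer header changes, ESP body does not
    return hmac.compare_digest(sent, esp_icv(esp))
```

A TTL decrement on the path does not disturb AH (it is a mutable field), which is why plain routing works and only address rewriting breaks it.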
