On Sat, 16 Nov 2002, at 11:15am, [EMAIL PROTECTED] wrote:
>> Please inform your husband that his firewall
>> needs to allow outbound UDP port 50 and IP
>> protocol 500.

That is incorrect in at least one way, and likely two. Most likely, your wife's IT department is using IPsec with IKE and ESP. If so:

You need to allow IKE (Internet Key Exchange), which is UDP port 500. IKE is used to automatically set up the IPsec SA (Security Associations). An IPsec SA can be thought of as an IPsec "session".

You also need to allow ESP (Encapsulated Security Payload), which is IP protocol 51. ESP encapsulates an IP datagram in another datagram, adding authentication and encryption. The authentication is only done on the encapsulated datagram, so you can rewrite the outer datagram's header without fear of it being rejected.

IP protocol 50 is AH (Authentication Header), which is not compatible with NAT. AH adds authentication information to an IP datagram without encapsulating it; it provides only authentication, not encryption. Because NAT modifies the headers of IP datagrams, it is not compatible with AH. Fortunately for you, however, AH is (currently) rarely used.

Note that an IP protocol is below the level of UDP or TCP. TCP is IP protocol 6, and UDP is IP protocol 17, for example.

> If he is doing NAT, then there needs to be a way to let an IPsec tunnel
> through without manipulating the packet.

Not possible. NAT, by definition, modifies the packet header. Fortunately for you, I suspect your wife's employer's IT guy does not really understand what he is talking about. (This is less fortunate for your wife's employer.)

> Is my firewall scrogging us?

Yes, but that is likely easily fixed. What distribution and release are you running? What version of the Linux kernel? What kind of firewall (IPCHAINS, IPTABLES)? Where did the firewall come from (with the distribution, third-party, do-it-yourself)?

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization. All information is provided without warranty of any kind.   |

_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
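As an added illustration (not part of the message above) of why NAT breaks AH but not tunnel-mode ESP: a simplified Python model in which the AH integrity check covers the outer IP addresses plus payload, while the ESP check covers only the encapsulated datagram. Real IPsec wire formats, encryption and the SA-negotiated ICV algorithm are omitted; the key and addresses are constructed.

```python
import hmac
import hashlib

# Constructed shared key; in IPsec it would come from the IKE-negotiated SA.
KEY = b"example-sa-key"

def ip_header(src: str, dst: str) -> bytes:
    """Simplified outer IP header: only the address fields that NAT rewrites."""
    return src.encode() + b"->" + dst.encode()

def ah_protect(src: str, dst: str, payload: bytes) -> dict:
    # AH: the ICV covers the (immutable parts of the) IP header AND the payload.
    icv = hmac.new(KEY, ip_header(src, dst) + payload, hashlib.sha256).digest()
    return {"src": src, "dst": dst, "payload": payload, "icv": icv}

def ah_verify(pkt: dict) -> bool:
    data = ip_header(pkt["src"], pkt["dst"]) + pkt["payload"]
    expected = hmac.new(KEY, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt["icv"])

def esp_protect(src: str, dst: str, inner: bytes) -> dict:
    # ESP tunnel mode: the inner datagram is encapsulated; the ICV covers only
    # the encapsulated payload, never the outer header (encryption omitted here).
    icv = hmac.new(KEY, inner, hashlib.sha256).digest()
    return {"src": src, "dst": dst, "payload": inner, "icv": icv}

def esp_verify(pkt: dict) -> bool:
    expected = hmac.new(KEY, pkt["payload"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt["icv"])

def nat(pkt: dict, public_ip: str) -> dict:
    # Source NAT on a home router: rewrite the outer source address only.
    rewritten = dict(pkt)
    rewritten["src"] = public_ip
    return rewritten

def demo() -> dict:
    """Protect one inner datagram with AH and with ESP, pass both through NAT,
    and report whether each still verifies at the far end."""
    inner = b"inner datagram from 192.168.1.10 to 10.0.0.5"   # constructed
    ah = nat(ah_protect("192.168.1.10", "203.0.113.7", inner), "198.51.100.2")
    esp = nat(esp_protect("192.168.1.10", "203.0.113.7", inner), "198.51.100.2")
    return {"ah_ok_after_nat": ah_verify(ah), "esp_ok_after_nat": esp_verify(esp)}

if __name__ == "__main__":
    print(demo())
```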