> -----Original Message-----
> From: [EMAIL PROTECTED]
> To: Greater NH Linux User Group
> Subject: Re: Contivity VPN woes
>
> On Sat, 16 Nov 2002, at 11:15am, [EMAIL PROTECTED] wrote:
> >> Please inform your husband that his firewall
> >> needs to allow outbound UDP port 50 and IP
> >> protocol 500.
>
> {snip}
>
>   You also need to allow ESP (Encapsulated Security Payload), which is IP
> protocol 51.  ESP encapsulates an IP datagram in another datagram, adding
> authentication and encryption.  The authentication is only done on the
> encapsulated datagram, so you can rewrite the outer datagram's header
> without fear of it being rejected.
>
>   IP protocol 50 is AH (Authentication Header), which is not compatible with
> NAT.  AH adds authentication information to an IP datagram without
> encapsulating it; it provides only authentication, not encryption.  Because
> NAT modifies the headers of IP datagrams, it is not compatible with AH.
> Fortunately for you, however, AH is (currently) rarely used.
>

Just a point of clarification for when you are setting up your firewall rules:
ESP is IP protocol 50 (see RFC 2406) and AH is IP protocol 51 (see RFC 2402).

.... [EMAIL PROTECTED] .... www.alumni.engin.umich.edu/~pcmoore ....
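The protocol numbers in the clarification above, applied as an outbound firewall check. This is an added example, not code from the thread; it assumes IPv4 without NAT traversal, parses only the fields the decision needs, and builds its sample packets inline.

```python
"""Classify constructed IPv4 packets against the IPsec allow-list discussed
in the thread: IKE (UDP port 500), ESP (IP protocol 50, RFC 2406) and
AH (IP protocol 51, RFC 2402).  Added illustration; packets are hand-built."""
import struct

# IANA protocol numbers from the RFCs cited in the reply.
IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT = 500

def ipsec_rule(packet: bytes) -> str:
    """Return which firewall rule (if any) an outbound IPv4 packet matches.

    Only the protocol byte of the IPv4 header and, for UDP, the
    destination port are parsed; everything else is ignored.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not IPv4"
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]                     # IPv4 protocol field
    if proto == IPPROTO_ESP:
        return "allow: ESP (protocol 50)"
    if proto == IPPROTO_AH:
        return "allow: AH (protocol 51, breaks under NAT)"
    if proto == IPPROTO_UDP and len(packet) >= ihl + 8:
        _, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if dport == IKE_PORT:
            return "allow: IKE (UDP/500)"
    return "drop: no IPsec rule matched"

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (no options, zero checksum) + payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    return hdr + payload

def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    """Constructed UDP header (zero checksum) + data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

if __name__ == "__main__":
    samples = [
        ("IKE", build_ipv4(IPPROTO_UDP, build_udp(500, 500))),
        ("ESP", build_ipv4(IPPROTO_ESP, b"\x00" * 8)),
        ("AH", build_ipv4(IPPROTO_AH, b"\x00" * 12)),
        ("DNS", build_ipv4(IPPROTO_UDP, build_udp(4242, 53))),
    ]
    for name, pkt in samples:
        print(name, "->", ipsec_rule(pkt))
```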

_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
