RE: [LUAU] VPN

2004-06-02 Thread Richard
Google "rfc stun". It explains different types of NAT
and how to detect them. Some are friendly to VOIP and
some are not...



--- Brian Chee <[EMAIL PROTECTED]> wrote:
> We also need to keep in mind that NAT according to the RFC has been
> implemented loosely by many vendors. NAT on the el'cheapo firewalls is NOT a
> full implementation like that in Linux. True NAT must keep track of state so
> that things like VOIP and video conferencing can get a reply back to their
> ack messages when the session is set up. SIP is especially sensitive to such
> things (thusly why Vonage is being eaten alive by tech support calls) and
> why firewall vendors are struggling to do a full implementation that also
> keeps track of state. RTCP used for things like H.323 video conferencing and
> many SIP implementations MUST have a reply back on session setup or you get
> weird things like calls that ring forever on the caller side, but never ring
> answer on the destination.
> 
> NATD (aka masquerading) is supposed to be a fuller implementation, but so
> far results have been mixed. I'm trying to find enough time to get some
> different firewalls built to utilize the VOIP test gear coming in for my
> July IP-PBX shootout for Infoworld...I'm especially interested in seeing how
> well the new versions of NATD work as well as Zebra. GateD has sold out and
> is no longer open source...MITRE corp seems to want a serious pound of flesh
> for what started out open source.
> 
> So while this wasn't very helpful (sorry), I did want to point out that
> many folks are considering VOIP and video conferencing while they mumble
> under their breath about NAT...and unless you take care, you may find both
> leaving you feeling unsatisfied.
> 
> /brian chee
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vince Hoang
> Sent: Tuesday, June 01, 2004 9:40 PM
> To: Linux/Unix Advocates/Users Hawaiian community discussion list
> Subject: Re: [LUAU] VPN
> 
> On Fri, May 28, 2004 at 08:58:33PM -1000, Randall Oshita wrote:
> > But I was just wondering if port translation is the same as
> > port redirection. Is it safe to say that the nat daemon does
> > port translation as well as address.
> 
> Maybe. I tried natd 5 years ago. It did what I needed it to do at
> the time, but I quickly moved to ipf as soon as I had the chance.
> If you need help with it, contact me offlist.
> 
> > If so then NAT = NAPT. Wonder why lots of ppl use it in
> > different context.
> 
> NAPT? My googling mentions NAPT as a means to translate IPV4 to IPV6.
> 
> I generally see NAT and masquerading/overloading/PAT referred to
> collectively as NAT.
> 
> -Vince
> ___
> LUAU@lists.hosef.org mailing list
> http://lists.hosef.org/cgi-bin/mailman/listinfo/luau





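To make concrete what the STUN RFC (RFC 3489) means by "different types of NAT", here is an added Python model, not code from the list or from any STUN implementation, of the four behaviours the RFC names (full cone, restricted cone, port restricted cone, symmetric) and of the probe sequence a STUN client runs to tell them apart. Every address and port is a constructed sample value, and the toy skips the RFC's first step that decides whether there is a NAT at all. The point worth noticing from the defender's side is the filtering column: a full-cone mapping forwards packets from any host once it exists, while the other types only admit peers the inside host already contacted (by address, or by address and port), which decides what unsolicited inbound traffic can reach the inside host. RFC 5389 later obsoleted RFC 3489 and dropped this classification, but it is still the vocabulary most firewall and VoIP documentation uses.

```python
"""Model of the four NAT behaviours named in RFC 3489 (the STUN RFC) and the
probe sequence STUN uses to tell them apart.  Added illustration, not code from
the list thread; every address and port below is a constructed sample value."""
from dataclasses import dataclass, field

FULL_CONE = "full cone"
RESTRICTED = "restricted cone"
PORT_RESTRICTED = "port restricted cone"
SYMMETRIC = "symmetric"
KINDS = (FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC)


@dataclass
class Nat:
    """A toy NAT whose mapping and filtering rules follow one RFC 3489 type."""
    kind: str
    public_ip: str = "203.0.113.1"                  # constructed external address
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)    # mapping key -> external port
    sessions: dict = field(default_factory=dict)    # external port -> {(peer ip, peer port)}

    def outbound(self, inside, dest):
        """Inside host (ip, port) sends to dest (ip, port); returns the external (ip, port)."""
        # A symmetric NAT allocates a new mapping per destination; the cone types reuse
        # one mapping for an inside (ip, port) whatever the destination is.
        key = (inside, dest) if self.kind == SYMMETRIC else (inside,)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        ext_port = self.mappings[key]
        self.sessions.setdefault(ext_port, set()).add(dest)
        return (self.public_ip, ext_port)

    def inbound(self, src, ext_port):
        """Packet from src (ip, port) hits our external port; True if the NAT forwards it."""
        peers = self.sessions.get(ext_port)
        if not peers:
            return False                            # no mapping: nothing is ever let in
        if self.kind == FULL_CONE:
            return True                             # anyone may reach a mapped port
        if self.kind == RESTRICTED:
            return any(ip == src[0] for ip, _ in peers)   # any port of a contacted host
        return src in peers                         # port restricted / symmetric: exact match


# STUN server primary address, its "changed" address (other IP and port), and the
# primary IP with only the port changed.  All constructed.
SERVER = ("198.51.100.10", 3478)
SERVER_CHANGED = ("198.51.100.11", 3479)
SERVER_OTHER_PORT = ("198.51.100.10", 3479)
CLIENT = ("192.168.1.50", 5060)


def classify(nat):
    """RFC 3489 discovery decision tree for a client already known to sit behind a NAT."""
    ext = nat.outbound(CLIENT, SERVER)               # Test I: learn our mapped address
    if nat.inbound(SERVER_CHANGED, ext[1]):          # Test II: reply from another IP and port
        return FULL_CONE
    ext2 = nat.outbound(CLIENT, SERVER_CHANGED)      # Test I again, to the changed address
    if ext2 != ext:                                  # mapping depends on the destination
        return SYMMETRIC
    if nat.inbound(SERVER_OTHER_PORT, ext[1]):       # Test III: same IP, different port
        return RESTRICTED
    return PORT_RESTRICTED


def classify_all():
    """Run the probe against one toy NAT of each kind; the probe should name each correctly."""
    return {kind: classify(Nat(kind)) for kind in KINDS}


if __name__ == "__main__":
    for kind, detected in classify_all().items():
        print(f"{kind:22s} -> detected as {detected}")
```

Running the module prints each modelled NAT next to the type the probe detects; `classify_all()` returns the same result as a dictionary so it can be checked programmatically.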


RE: [LUAU] VPN

2004-06-02 Thread Brian Chee
We also need to keep in mind that NAT according to the RFC has been
implemented loosely by many vendors. NAT on the el'cheapo firewalls is NOT a
full implementation like that in Linux. True NAT must keep track of state so
that things like VOIP and video conferencing can get a reply back to their
ack messages when the session is set up. SIP is especially sensitive to such
things (thusly why Vonage is being eaten alive by tech support calls) and
why firewall vendors are struggling to do a full implementation that also
keeps track of state. RTCP used for things like H.323 video conferencing and
many SIP implementations MUST have a reply back on session setup or you get
weird things like calls that ring forever on the caller side, but never ring
answer on the destination.

NATD (aka masquerading) is supposed to be a fuller implementation, but so
far results have been mixed. I'm trying to find enough time to get some
different firewalls built to utilize the VOIP test gear coming in for my
July IP-PBX shootout for Infoworld...I'm especially interested in seeing how
well the new versions of NATD work as well as Zebra. GateD has sold out and
is no longer open source...MITRE corp seems to want a serious pound of flesh
for what started out open source.

So while this wasn't very helpful (sorry), I did want to point out that
many folks are considering VOIP and video conferencing while they mumble
under their breath about NAT...and unless you take care, you may find both
leaving you feeling unsatisfied.

/brian chee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Vince Hoang
Sent: Tuesday, June 01, 2004 9:40 PM
To: Linux/Unix Advocates/Users Hawaiian community discussion list
Subject: Re: [LUAU] VPN

On Fri, May 28, 2004 at 08:58:33PM -1000, Randall Oshita wrote:
> But I was just wondering if port translation is the same as
> port redirection. Is it safe to say that the nat daemon does
> port translation as well as address.

Maybe. I tried natd 5 years ago. It did what I needed it to do at
the time, but I quickly moved to ipf as soon as I had the chance.
If you need help with it, contact me offlist.

> If so then NAT = NAPT. Wonder why lots of ppl use it in
> different context.

NAPT? My googling mentions NAPT as a means to translate IPV4 to IPV6.

I generally see NAT and masquerading/overloading/PAT referred to
collectively as NAT.

-Vince



Re: [LUAU] VPN

2004-06-02 Thread Vince Hoang
On Fri, May 28, 2004 at 08:58:33PM -1000, Randall Oshita wrote:
> But I was just wondering if port translation is the same as
> port redirection. Is it safe to say that the nat daemon does
> port translation as well as address.

Maybe. I tried natd 5 years ago. It did what I needed it to do at
the time, but I quickly moved to ipf as soon as I had the chance.
If you need help with it, contact me offlist.

> If so then NAT = NAPT. Wonder why lots of ppl use it in
> different context.

NAPT? My googling mentions NAPT as a means to translate IPV4 to IPV6.

I generally see NAT and masquerading/overloading/PAT referred to
collectively as NAT.

-Vince


RE: [LUAU] VPN

2004-05-29 Thread Randall Oshita
>>Did you try the man pages?
>>
>>man natd    # search for -redirect_address
>>man 5 ipnat # search for bimap

Yes, actually. 
But I was just wondering if port translation is the same as port
redirection.
Is it safe to say that the nat daemon does port translation as well as
address.
If so then NAT = NAPT. Wonder why lots of ppl use it in different context.
Thanks.
Randall




Re: [LUAU] VPN

2004-05-29 Thread Vince Hoang
On Fri, May 28, 2004 at 04:47:57PM -1000, [EMAIL PROTECTED] wrote: 
> Anyone know if FreeBSD's NATd is considered a Network Address
> and Port Translation device (NAPT).

Nice to know people are still using FreeBSD. You might consider
joining freebsd-questions. It is high traffic, but you can snarf
good clues once in a while.

> -multiple VPN clients from same IP- Surfed the net like a mutha
> and i think i got some ideas to make this work.

Did you try the man pages?

man natd    # search for -redirect_address
man 5 ipnat # search for bimap

-Vince


Re: [LUAU] VPN

2004-05-29 Thread rho
Anyone know if FreeBSD's NATd is considered a Network Address and Port
Translation device (NAPT). - I believe NAPT is different than NAT because it
translates the port as well. I know IPFilter and NATd allows for port
redirects, does that count? -doesn't sound like.
OR know of any good ports that does NAPT?

-multiple VPN clients from same IP-
Surfed the net like a mutha and I think I got some ideas to make this work.

Thanks.
Randall



Re: [LUAU] VPN

2004-05-27 Thread Vince Hoang
On Wed, May 26, 2004 at 03:01:30PM -1000, [EMAIL PROTECTED] wrote:
> So basically, I need to buy more WAN IPs huh?

Well, you need a device that supports one-to-one NAT if you
decide to take that approach.

-Vince


Re: [LUAU] VPN

2004-05-27 Thread rho
  
> Add more routable addresses into the fray or switch to a
> site-to-site VPN. Those approaches are known to work.
> 

So basically, I need to buy more WAN IPs huh?
Thanks.
Randall



Re: [LUAU] VPN

2004-05-26 Thread Vince Hoang
On Mon, May 24, 2004 at 08:40:03PM -0600, Paul wrote:
> I may be wrong, but I would think that would work fine. Each
> user would have the same source IP address, but different
> source ports (>1024) via NAT. Anyone else know?

IPSEC headers do not have the concept of a port, so it cannot be
translated.

-Vince


Re: [LUAU] VPN

2004-05-26 Thread Vince Hoang
On Mon, May 24, 2004 at 01:49:10PM -1000, [EMAIL PROTECTED] wrote: 
> Is it possible to have multiple vpn clients to connect to the
> same vpn concentrator if the clients are using a NAT behind the
> same WAN IP? I heard about NAT-T but is there other ways? ESP
> with Cisco devices?

I believe NAT traversal was added to allow a single IPSEC session
to a single destination behind a NAT. Before that, you could not
use IPSEC with NAT.

Add more routable addresses into the fray or switch to a
site-to-site VPN. Those approaches are known to work.

-Vince
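Vince's two points in this thread, that ESP has no port for a NAT to translate and that NAT traversal was added so that an IPsec session can cross a NAT, can be shown with a toy port-based translator. The Python below is an added illustration, not code from the list or from natd/ipf; every address is a constructed sample value, and UDP port 4500 is the port RFC 3948 assigns to NAT-T encapsulation. It models only what a plain NAPT can see: for TCP/UDP it allocates an external port per inside (ip, port) and reverses that on replies, while for ESP (IP protocol 50) a reply carries nothing but the peer's address, so two inside clients talking to the same concentrator cannot be told apart. A device that keys ESP on its SPI ("IPsec passthrough") is a different design and is deliberately not modelled.

```python
"""Why a port-based NAT (NAPT) cannot multiplex plain IPsec ESP from several
inside hosts, and why NAT-T's UDP encapsulation fixes that.  Added illustration,
not code from the list thread; every address here is a constructed sample value."""
from dataclasses import dataclass, field
from typing import Optional

ESP = 50            # IP protocol number of IPsec ESP: no transport header, no ports
UDP = 17
NAT_T_PORT = 4500   # UDP port used by IPsec NAT traversal encapsulation (RFC 3948)


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for port-less protocols such as ESP
    dst_port: Optional[int] = None


@dataclass
class Napt:
    """Toy NAPT: rewrites the source (ip, port) of outbound packets and reverses it on replies."""
    public_ip: str = "203.0.113.1"
    next_port: int = 40000
    bindings: dict = field(default_factory=dict)  # (proto, inside ip, inside port) -> ext port
    table: dict = field(default_factory=dict)     # (proto, ext port) or (proto, peer ip) -> inside
    dropped: list = field(default_factory=list)   # packets the NAT could not bind

    def outbound(self, pkt):
        """Translate a packet leaving the private network; None if no usable binding exists."""
        if pkt.src_port is None:
            # ESP: a reply carries only (proto, peer ip, our public ip), so the peer address
            # is the only handle we have; a second inside host to the same peer is ambiguous.
            key = (pkt.proto, pkt.dst_ip)
            owner = self.table.get(key)
            if owner is not None and owner != pkt.src_ip:
                self.dropped.append(pkt)
                return None
            self.table[key] = pkt.src_ip
            return Packet(pkt.proto, self.public_ip, pkt.dst_ip)
        inside = (pkt.proto, pkt.src_ip, pkt.src_port)
        if inside not in self.bindings:
            # Fresh external port per inside (ip, port): that is the "PT" in NAPT.
            self.bindings[inside] = self.next_port
            self.table[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst_ip, self.bindings[inside], pkt.dst_port)

    def inbound(self, pkt):
        """Map a packet from the outside back to its inside host; None if it cannot be matched."""
        if pkt.dst_port is None:
            inside_ip = self.table.get((pkt.proto, pkt.src_ip))
            return None if inside_ip is None else Packet(pkt.proto, pkt.src_ip, inside_ip)
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        return Packet(pkt.proto, pkt.src_ip, entry[0], pkt.src_port, entry[1])


PEER = "198.51.100.5"                        # constructed VPN concentrator address
CLIENT_A, CLIENT_B = "192.168.1.10", "192.168.1.11"


def plain_esp():
    """Two inside clients open plain ESP to the same concentrator through one public IP."""
    nat = Napt()
    a = nat.outbound(Packet(ESP, CLIENT_A, PEER))
    b = nat.outbound(Packet(ESP, CLIENT_B, PEER))             # collides with A's binding
    reply = nat.inbound(Packet(ESP, PEER, nat.public_ip))     # the concentrator answers "the" client
    return (a is not None, b is not None, reply.dst_ip if reply else None)


def nat_t_esp():
    """Same two clients with NAT-T: ESP rides inside UDP/4500, so each gets its own external port."""
    nat = Napt()
    a = nat.outbound(Packet(UDP, CLIENT_A, PEER, NAT_T_PORT, NAT_T_PORT))
    b = nat.outbound(Packet(UDP, CLIENT_B, PEER, NAT_T_PORT, NAT_T_PORT))
    reply_a = nat.inbound(Packet(UDP, PEER, nat.public_ip, NAT_T_PORT, a.src_port))
    reply_b = nat.inbound(Packet(UDP, PEER, nat.public_ip, NAT_T_PORT, b.src_port))
    return ((a.src_port, b.src_port), (reply_a.dst_ip, reply_b.dst_ip))


if __name__ == "__main__":
    print("plain ESP :", plain_esp())    # second client gets no binding
    print("NAT-T     :", nat_t_esp())    # distinct ports, both replies demultiplexed
```

`plain_esp()` returns a tuple showing that the first client binds, the second is dropped, and the concentrator's ESP reply can only ever reach the first client; `nat_t_esp()` shows both clients getting distinct external ports and both replies finding their way back. That is the whole reason the same public IP can carry several NAT-T sessions but, on a port-based NAT, only one plain ESP session per peer.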


Re: [LUAU] VPN

2004-05-25 Thread Paul
I may be wrong, but I would think that would work fine.  Each user 
would have the same source IP address, but different source ports 
(>1024) via NAT.  Anyone else know?


Paul







On May 24, 2004, at 5:49 PM, [EMAIL PROTECTED] wrote:

> Is it possible to have multiple vpn clients to connect to the same vpn
> concentrator if the clients are using a NAT behind the same WAN IP?
> 
> I heard about NAT-T but is there other ways? ESP with Cisco devices?
> Thanks.
> Randall
