On 10/18/05, Bill Marquette <[EMAIL PROTECTED]> wrote:
On 10/18/05, Tommaso Di Donato <[EMAIL PROTECTED]> wrote:
>  Mmmh, sounds very strange..  IPsec NAT-T usually is achieved as IPsec over
> UDP..
>  (http://wiki.openswan.org/index.php/Firewalls)
>  ...and from what I know, Cisco VPN is using exactly this.
>
>  What kind of implementation is currently used?
>
>  Please, could someone check if pfSense is really encapsulating over
> 4500/UDP, or smthg different?

pfSense isn't encapsulating anything, that's the job of the client.
In this case it sounds like the client needed some extra config to do
NAT-T correctly.

Maybe I explained myself not very well: IPsec natively does not permit bypassing a NAT gateway. So a few solutions have been adopted, one of them being NAT-T (that is, IPsec over UDP). I do not mean that it is pfSense that must do this: generally it is the OS IPsec implementation that takes it into account (during the very first exchanges between the two parties, and so on).
I would only like to know if racoon (I think racoon is the one that manages IPsec VPNs) uses NAT-T or another mechanism for bypassing the NAT limitation...

Sorry
Tom
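The thread above turns on what NAT-T traffic actually looks like on the wire once a client encapsulates IPsec in UDP/4500. The script below is an added example (it is not part of this thread and not pfSense or racoon code) that classifies a single UDP/4500 payload the way a firewall or packet-capture tool would: a lone 0xFF byte is a NAT keepalive, a payload starting with the four-zero-byte "non-ESP marker" carries an IKE message (RFC 3948 relies on the fact that an ESP SPI of zero is reserved), and anything else is UDP-encapsulated ESP with its SPI and sequence number in the clear. The sample packets at the bottom are constructed for the example; SPI values, exchange type and flags are made up.

```python
import struct

# RFC 3948: IKE traffic on UDP/4500 is prefixed with four zero bytes so a
# receiver can tell it apart from UDP-encapsulated ESP, whose first four
# bytes are the SPI and can never be zero (SPI 0 is reserved).
NON_ESP_MARKER = b"\x00\x00\x00\x00"

# ISAKMP / IKE fixed header: initiator SPI (8), responder SPI (8),
# next payload (1), version (1, major/minor nibbles), exchange type (1),
# flags (1), message ID (4), total length (4) = 28 bytes.
IKE_HEADER = struct.Struct("!QQBBBBII")


def classify_udp4500_payload(payload: bytes) -> dict:
    """Return a dict describing what a UDP/4500 payload carries.

    Kinds: 'nat-keepalive', 'ike', 'esp', or 'unknown' (with an 'error').
    Only framing is inspected; nothing is decrypted.
    """
    # NAT keepalive: a single 0xFF byte sent to keep the NAT mapping alive.
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}

    # IKE behind the non-ESP marker.
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "ike", "error": "truncated IKE header"}
        (ispi, rspi, next_payload, version, exch_type,
         flags, msg_id, length) = IKE_HEADER.unpack(ike[:IKE_HEADER.size])
        return {
            "kind": "ike",
            "initiator_spi": ispi,
            "responder_spi": rspi,
            "major_version": version >> 4,
            "minor_version": version & 0x0F,
            "exchange_type": exch_type,
            "initiator_flag": bool(flags & 0x08),
            "message_id": msg_id,
            "declared_length": length,
            # A declared length larger than what arrived is a sign of
            # fragmentation or a malformed packet worth flagging.
            "length_consistent": length <= len(ike),
        }

    # Otherwise it should be UDP-encapsulated ESP: SPI (4) + sequence (4)
    # followed by the encrypted payload.
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        if spi == 0:
            return {"kind": "unknown", "error": "ESP SPI of zero is reserved"}
        return {"kind": "esp", "spi": spi, "sequence": seq,
                "encrypted_bytes": len(payload) - 8}

    return {"kind": "unknown", "error": "payload too short"}


def summarize(payloads) -> dict:
    """Count payload kinds over a list of UDP/4500 payloads (e.g. one flow)."""
    counts = {}
    for p in payloads:
        kind = classify_udp4500_payload(p)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# --- constructed sample payloads (not captured from a real session) ---
SAMPLE_KEEPALIVE = b"\xff"
# IKEv2 IKE_SA_INIT header (exchange type 34, next payload 33 = SA,
# version 2.0, initiator flag set), no payloads appended.
SAMPLE_IKE = NON_ESP_MARKER + IKE_HEADER.pack(
    0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER.size)
# ESP with a made-up SPI, sequence number 7 and 16 bytes of ciphertext.
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16

if __name__ == "__main__":
    for name, pkt in (("keepalive", SAMPLE_KEEPALIVE),
                      ("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP)):
        print(name, classify_udp4500_payload(pkt))
    print(summarize([SAMPLE_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP, SAMPLE_ESP]))
```

Running this on payloads pulled from a capture of a client behind NAT is a quick way to confirm the question raised in the thread: if the IKE exchange on UDP/500 is followed by ESP frames on UDP/4500 rather than raw IP protocol 50, NAT-T was negotiated and the firewall only needs to pass UDP/500 and UDP/4500 for that client.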