On Thursday 2008-05-29 13:53, Sarge Gorden wrote:

> If the VPN server or client doesn't support NAT-T,
> then multiple hosts behind a single NAT address couldn't
> simultaneously establish and maintain tunnels to the multiple exterior
> hosts.
> Only one host could establish...
>
> But if both sides support NAT-T, it works.

(This is called udpencap in Linux.)

That is the commonly-raised problem with NAT. (Suggestion: abandon NAT,
get an IPv6 address.)

It is just not possible to have a conntracking ALG, because when people
designed ESP, they did so in a way that makes it virtually impossible to
track it. ESP is unidirectional, which is quite bad since connection
tracking uses a (source-information, destination-information) tuple.
But ok, we could live with a unidirectional ESP *if* we knew the SPI it
uses, but IKE was designed in a way so as to encrypt the SPIs used for
the ESP stream, giving no way of knowing them beforehand.

It is a perfect example of how to shoot oneself in the foot, multiple
times.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
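The demultiplexing problem the reply describes, as an added illustration that is not part of the original thread and not netfilter code. It simulates a NAT in front of two inner hosts talking raw ESP (IP protocol 50) to the same peer, then the same two hosts using UDP encapsulation on port 4500. With raw ESP the NAT only ever sees the outbound SPIs (which are the peer's inbound SPIs); the SPI the peer will use towards the NAT was negotiated inside encrypted IKE, so a reply packet cannot be mapped back to an inner host once more than one host shares the peer. With NAT-T the UDP source port supplies the per-host key the (src, dst) tuple lacks. All addresses, ports and SPIs are constructed sample values; the IPv4 checksum is left at zero since nothing here puts the packets on a wire.

```python
"""Why a NAT cannot demultiplex raw ESP for several inner hosts, and why
UDP encapsulation (NAT-T / udpencap) fixes it.  Constructed example."""
import socket
import struct
from dataclasses import dataclass

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NATT_PORT = 4500


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header: no options, checksum left zero (constructed)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP: SPI, sequence number, then opaque ciphertext (nothing else is visible)."""
    return struct.pack("!II", spi, seq) + ciphertext


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    spi: int = 0


def parse(pkt: bytes) -> Packet:
    """Pull out the only fields a connection tracker can key on."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    body = pkt[ihl:]
    if proto == IPPROTO_ESP:
        return Packet(src, dst, proto, spi=struct.unpack("!I", body[:4])[0])
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        spi = 0
        if NATT_PORT in (sport, dport):          # ESP-in-UDP: ESP header after UDP
            spi = struct.unpack("!I", body[8:12])[0]
        return Packet(src, dst, proto, sport, dport, spi)
    raise ValueError(f"unsupported protocol {proto}")


class Nat:
    """Source NAT keeping just the state an outbound packet lets it learn."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        self.udp_map: dict[int, tuple[str, int]] = {}   # public port -> inner (ip, port)
        self.esp_peers: dict[str, list[str]] = {}       # peer ip -> inner hosts using it

    def outbound(self, p: Packet) -> Packet:
        if p.proto == IPPROTO_UDP:
            port, self.next_port = self.next_port, self.next_port + 1
            self.udp_map[port] = (p.src, p.sport)
            return Packet(self.public_ip, p.dst, p.proto, port, p.dport, p.spi)
        # Raw ESP: p.spi is the peer's inbound SPI.  The SPI the peer will send
        # back was agreed inside encrypted IKE, so all we can record is "this
        # inner host talks ESP to this peer".
        self.esp_peers.setdefault(p.dst, []).append(p.src)
        return Packet(self.public_ip, p.dst, p.proto, spi=p.spi)

    def inbound(self, p: Packet):
        """Inner host a reply belongs to, or None when it cannot be decided."""
        if p.proto == IPPROTO_UDP:
            inner = self.udp_map.get(p.dport)
            return inner[0] if inner else None
        hosts = self.esp_peers.get(p.src, [])
        return hosts[0] if len(hosts) == 1 else None   # two hosts -> ambiguous


PEER, NAT_IP, HOSTS = "203.0.113.5", "192.0.2.1", ("10.0.0.2", "10.0.0.3")
CT = b"\x00" * 16   # stand-in ciphertext


def raw_esp_scenario(n_hosts: int = 2):
    nat = Nat(NAT_IP)
    for i, host in enumerate(HOSTS[:n_hosts]):
        nat.outbound(parse(build_ipv4(host, PEER, IPPROTO_ESP,
                                      build_esp(0xC0FFEE01 + i, 1, CT))))
    # Reply for 10.0.0.3's SA, carrying the SPI the peer chose in IKE.
    reply = parse(build_ipv4(PEER, NAT_IP, IPPROTO_ESP, build_esp(0x1234ABCD, 1, CT)))
    return nat.inbound(reply)


def natt_scenario():
    nat = Nat(NAT_IP)
    public = [nat.outbound(parse(build_ipv4(h, PEER, IPPROTO_UDP, build_udp(
        NATT_PORT, NATT_PORT, build_esp(0xC0FFEE01 + i, 1, CT))))) for i, h in enumerate(HOSTS)]
    reply = parse(build_ipv4(PEER, NAT_IP, IPPROTO_UDP, build_udp(
        NATT_PORT, public[1].sport, build_esp(0x1234ABCD, 1, CT))))
    return nat.inbound(reply)


if __name__ == "__main__":
    print("one host, raw ESP :", raw_esp_scenario(1))
    print("two hosts, raw ESP:", raw_esp_scenario(2))
    print("two hosts, NAT-T  :", natt_scenario())
```

With a single inner host the NAT can still guess (the only candidate for that peer); with two, the raw ESP reply is undecidable, while the NAT-T reply lands on the port the NAT allocated for 10.0.0.3 and is routed correctly.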