Re: IPSec Transport Mode

Rainer Arnst wrote:

When you do NAT, you alter IP source and/or destination. But TCP
checksum includes IP addresses, which means you have to recompute it on
the fly when NATing. And since it is ciphered, you can't.



Unfortunately I have to find a way to make the transport mode work; we
were using NAT-T, which worked fine, but now I am looking for another
solution which does not require the VPN Gateway to support NAT-T.


If you are using NAT-T for outbound IPsec connections, open UDP ports 500 and 4500 and source NAT them. Just do not load any "smart VPN proxy" that would alter other parts of the UDP, the simplest UDP NAT will do the trick.

Greetings,
Rainer
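
The checksum argument quoted at the top of this message is easy to see in code. The following is an added example written for this archive page, not code from anyone in the thread and not from any IPsec implementation: it builds a TCP segment, shows that a plaintext NAT can rewrite the source address only because it can also patch the TCP checksum (whose pseudo-header covers both IP addresses), shows that the same rewrite leaves an ESP transport-mode segment with a stale checksum at the receiver, and finally shows the fix-up a NAT-T receiver performs after decapsulation (RFC 3948, section 3.1.2, lists recomputing or incrementally updating the inner checksum from the original address). The addresses, ports, key and the XOR "cipher" standing in for ESP are all constructed for the demo.

```python
"""Why plaintext NAT can fix a TCP checksum, why ESP transport mode cannot,
and what the NAT-T receiver does instead. Added example, not from the thread.
Addresses, ports, the key and the XOR 'cipher' are constructed stand-ins."""
import socket
import struct

TCP_PROTO = 6


def fold(total: int) -> int:
    """Reduce a sum to 16 bits with end-around carry (RFC 1071)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    return fold(sum(w for (w,) in struct.iter_unpack("!H", data)))


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: this is how the IP addresses enter the TCP checksum."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, TCP_PROTO, tcp_len)


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)) & 0xFFFF


def set_checksum(segment: bytes, csum: int) -> bytes:
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def build_tcp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Minimal SYN (20-byte header, no options) with a correct checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    segment = header + payload
    return set_checksum(segment, tcp_checksum(src_ip, dst_ip, segment))


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)


def incremental_update(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): what a NAT does on an address rewrite
    instead of re-summing the whole segment."""
    total = (~old_csum) & 0xFFFF
    total += sum((~w) & 0xFFFF for w in old_words)
    total += sum(new_words)
    return (~fold(total)) & 0xFFFF


def ip_words(ip: str):
    return struct.unpack("!HH", socket.inet_aton(ip))


def snat_tcp(segment: bytes, old_src: str, new_src: str) -> bytes:
    """Plaintext NAT: the TCP header is visible, so the checksum is patched in place."""
    old = struct.unpack("!H", segment[16:18])[0]
    return set_checksum(segment, incremental_update(old, ip_words(old_src), ip_words(new_src)))


def esp_protect(segment: bytes, key: bytes) -> bytes:
    """Toy stand-in for ESP transport mode: the whole TCP segment becomes opaque bytes
    the NAT can neither read nor rewrite. Not real ESP; XOR is used only so it inverts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(segment))


esp_unprotect = esp_protect  # XOR with the same keystream is its own inverse


def natt_receiver_fixup(segment: bytes, original_src: str, seen_src: str) -> bytes:
    """What the NAT-T *receiver* does after decapsulation: repair the inner TCP checksum
    using the original (pre-NAT) address, which RFC 3948 carries in NAT-OA. Here the
    original address is simply passed in."""
    return snat_tcp(segment, original_src, seen_src)


def demo():
    key = b"\x5a\xc3\x3c\x99"  # constructed toy key
    inside, outside, server = "192.168.1.10", "198.51.100.1", "203.0.113.5"
    seg = build_tcp(inside, server, 40000, 443, b"GET /")

    # 1. Plaintext TCP: NAT rewrites inside -> outside and patches the checksum.
    natted = snat_tcp(seg, inside, outside)
    plain_ok = checksum_ok(outside, server, natted)

    # 2. ESP transport mode: NAT rewrites only the outer IP header; the inner segment
    #    arrives byte-for-byte unchanged, so its checksum still reflects the inside address.
    at_receiver = esp_unprotect(esp_protect(seg, key), key)
    esp_broken = not checksum_ok(outside, server, at_receiver)

    # 3. NAT-T: the receiver, knowing the original address, fixes the checksum itself.
    natt_ok = checksum_ok(outside, server, natt_receiver_fixup(at_receiver, inside, outside))
    return plain_ok, esp_broken, natt_ok


if __name__ == "__main__":
    print(demo())
```

Step 2 is the whole problem with plain ESP transport mode behind a NAT: the NAT would have to change bytes that are encrypted and integrity-protected, so it cannot, and the peer ends up verifying a checksum computed over an address it never sees. NAT-T moves the repair to the receiving end, which is why it only needs the UDP 500/4500 ports passed through untouched.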





