[64037] in North American Network Operators' Group


Re: Block all servers?

daemon@ATHENA.MIT.EDU (Stefan Mink)
Tue Oct 14 17:22:28 2003

Date: Tue, 14 Oct 2003 23:21:49 +0200
From: Stefan Mink <mink@schlund.net>
To: Crist Clark <crist.clark@globalstar.com>
Cc: ken emery <ken@cnet.com>, nanog@merit.edu
In-Reply-To: <3F8C2D61.A3FA0E4E@globalstar.com>
Errors-To: owner-nanog-outgoing@merit.edu




On Tue, Oct 14, 2003 at 10:07:45AM -0700, Crist Clark wrote:
> > > Yes, it does work, on a small scale.  However what if your neighbor
> > > wants to IPSEC to the same place (say you work at the same place).
> > > If both of you are NAT'd from the same IP address trying to IPSEC
> > > to the same IP address?  I don't believe things will work in this
> > > instance.
> >
> > why not? We use it here, works fine (with certificates for auth).
>
> OK, let's do this one more time. Many-to-one NAT of a many-to-one ESP VPN
> does not work. (Period)

I'm doing a shortcut here: I didn't want to say I'm using "pure standard
IPsec" (2401/2409) here. For me extensions like NAT-T or DPD are part
of IPsec too although they are still in the draft state. They just
make IPsec more usable as in this case here...

I know the additional encapsulation isn't a nice thing with NAT-T
but at least it works :] (don't look at L2TP via IPsec if you
don't like additional encapsulations - nevertheless it seems to
be the future of Windows-VPNs :( ).

   tschuess
             Stefan
-- 
Stefan Mink, Schlund+Partner AG (AS 8560)
Primary key fingerprint: 389E 5DC9 751F A6EB B974  DC3F 7A1B CF62 F0D4 D2BA
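
Added example, not part of the original message or thread: a toy many-to-one NAT in Python showing why two inside hosts sending plain ESP to the same gateway collide, while UDP-encapsulated ESP (NAT-T) gives the NAT a port to tell them apart. The addresses, the ToyNat class and its binding rules are constructed for illustration; real NAT implementations differ in detail.

```python
# Added illustration, not from the original post. Addresses are constructed.
ESP, UDP = 50, 17            # IP protocol numbers
NAT_T_PORT = 4500            # UDP port for UDP-encapsulated ESP (RFC 3948)
GATEWAY = "198.51.100.10"    # the one VPN gateway both users connect to
HOSTS = ["10.0.0.2", "10.0.0.3"]  # two hosts behind the same NAT address


class ToyNat:
    """Hypothetical many-to-one NAT with one binding table per protocol."""

    def __init__(self):
        self.next_port = 40000
        self.udp_in = {}   # (public_port, remote_ip, remote_port) -> inside host
        self.esp_in = {}   # remote_ip -> inside host (ESP has no ports)

    def outbound(self, proto, inside_ip, remote_ip, dport=None):
        if proto == UDP:
            # Ports exist, so each inside flow gets its own public source port.
            public_port, self.next_port = self.next_port, self.next_port + 1
            self.udp_in[(public_port, remote_ip, dport)] = inside_ip
            return public_port
        # ESP: the only usable key is the peer address. The first inside host
        # to reach that peer owns the binding; a second host cannot get one.
        self.esp_in.setdefault(remote_ip, inside_ip)
        return None

    def inbound(self, proto, remote_ip, sport=None, dport=None):
        if proto == UDP:
            return self.udp_in.get((dport, remote_ip, sport))
        return self.esp_in.get(remote_ip)


def plain_esp_delivery():
    """Where the gateway's ESP replies to each host are actually delivered."""
    nat = ToyNat()
    for host in HOSTS:
        nat.outbound(ESP, host, GATEWAY)
    return [nat.inbound(ESP, GATEWAY) for _ in HOSTS]


def nat_t_delivery():
    """The same two tunnels with ESP wrapped in UDP (NAT-T)."""
    nat = ToyNat()
    ports = [nat.outbound(UDP, h, GATEWAY, NAT_T_PORT) for h in HOSTS]
    return [nat.inbound(UDP, GATEWAY, NAT_T_PORT, p) for p in ports]


if __name__ == "__main__":
    print("plain ESP:", plain_esp_delivery(), "NAT-T:", nat_t_delivery())
```

With plain ESP both replies land on the first host; with NAT-T each reply reaches the host that owns the tunnel.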

