From: Reckhard, Tobias (tobias.reckhard_at_secunet.com)
Date: Mon Aug 12 2002 - 04:19:58 CDT
> >You may be able to get manually keyed ESP in tunnel mode to work, but it's
> >suboptimal from a management and security perspective.
> Saw websites that recommend this configuration, but it won't work for me as
If it's worked for someone else, you may want to dig into it.
> Yep, this could be the solution. Already found this NAT-T patch. Any
> experiences?
Sorry, no. There's an article at SANS about NAT-T; a Google search for 'nat
traversal ipsec peace agreement' should make it top of the list. It's got a
couple of obvious errors (that any QA would have found), but it gets the
message across. Oh, you need to register to be allowed access to their
Bottom line is that NAT-T works for outbound connections and protocols that
don't need any special treatment, such as FTP, RPC, etc. It seems to me
that you can't place NAT-T devices in a head-to-head configuration, but I
may be wrong here.
> >Are you forced to have NAT take place on that outer router?
> ??? It's not my router and they had enabled NAT as a kind of
> "security" :O)
NAT isn't a security feature, IMnsHO.
> PS: I read something about your secunet on tickers. FreeS/WAN IPsec for the
> RegTP-certified boxes?
> Nice!
Disclaimer: I work for secunet. None of what I say necessarily reflects my
employer's opinions, policy, whatever. I do not mean to abuse this list for
Yeah, that'd be our SINA box. It is pretty good security-wise, if I say so
myself (see disclaimer).
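The thread above turns on why plain ESP is awkward behind a port-translating NAT and why NAT-T (UDP encapsulation) gets outbound tunnels through. The following is an added example, not code from either poster or from FreeS/WAN: a toy port-translating NAT plus the UDP encapsulation format from RFC 3948 (standardized after this thread; the poster's "NAT-T patch" is an earlier draft implementation). All addresses, SPIs and the NAT table are constructed for the example. It shows that a reply in raw ESP (IP protocol 50) carries nothing the NAT can map back to one of several inside hosts, while the UDP port that NAT-T adds gives the NAT a per-host mapping. It also shows the point Tobias makes about outbound connections: a datagram arriving at the NAT with no prior outbound mapping is dropped, which is what breaks an inbound-initiated, NAT-behind-NAT ("head-to-head") setup in this model.

```python
"""Toy model: ESP (IP protocol 50) versus UDP-encapsulated ESP (RFC 3948)
through a port-translating NAT.  Illustrative only; packets, addresses and
the NAT table are constructed for this example."""
import struct

UDP_ENCAP_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: IKE on 4500 carries 4 zero bytes first
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte NAT keepalive


def esp_packet(spi, seq, payload):
    """ESP header (SPI, sequence number) followed by the already-encrypted payload."""
    # SPI 0 is reserved, which is what makes the all-zero non-ESP marker unambiguous.
    assert spi != 0
    return struct.pack("!II", spi, seq) + payload


def udp_encap(esp, sport=UDP_ENCAP_PORT, dport=UDP_ENCAP_PORT):
    """RFC 3948 2.1: a UDP header followed directly by the ESP packet.
    The UDP checksum is zero, which the RFC permits for encapsulated ESP."""
    return struct.pack("!HHHH", sport, dport, 8 + len(esp), 0) + esp


def classify_udp4500(udp_payload):
    """What a NAT-T endpoint does with a datagram that arrives on port 4500."""
    if udp_payload == NAT_KEEPALIVE:
        return "keepalive"
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


class ToyNAPT:
    """Minimal port-translating NAT with a single public address."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.udp_map = {}        # public port -> (inside ip, inside port)
        self.next_port = 40000   # constructed: first public port handed out
        self.esp_inside = set()  # inside hosts that have sent raw ESP outbound

    def outbound(self, proto, inside_ip, sport):
        """Translate an outbound packet; return (public ip, public port or None)."""
        if proto == "udp":
            for public_port, (ip, port) in self.udp_map.items():
                if (ip, port) == (inside_ip, sport):
                    return (self.public_ip, public_port)   # reuse mapping
            public_port = self.next_port
            self.next_port += 1
            self.udp_map[public_port] = (inside_ip, sport)
            return (self.public_ip, public_port)
        if proto == "esp":
            self.esp_inside.add(inside_ip)
            return (self.public_ip, None)   # ESP has no port field to rewrite
        raise ValueError(proto)

    def inbound(self, proto, dport):
        """Find the inside host for a packet arriving at the public address."""
        if proto == "udp":
            return self.udp_map.get(dport)   # None when no outbound mapping exists
        if proto == "esp":
            # The inbound SPI belongs to the far end's SA; nothing in the ESP
            # header ties it to an inside host, so only a single ESP user is
            # unambiguous (real NATs try SPI heuristics; this model does not).
            if len(self.esp_inside) == 1:
                return (next(iter(self.esp_inside)), None)
            return None
        raise ValueError(proto)


def demo():
    """Two inside hosts open tunnels to the same gateway through one NAT."""
    nat = ToyNAPT("203.0.113.1")          # constructed addresses (RFC 5737 ranges)
    nat.outbound("esp", "10.0.0.11", None)
    nat.outbound("esp", "10.0.0.12", None)
    raw_esp_reply = nat.inbound("esp", None)           # ambiguous -> None

    _, port_a = nat.outbound("udp", "10.0.0.11", UDP_ENCAP_PORT)
    _, port_b = nat.outbound("udp", "10.0.0.12", UDP_ENCAP_PORT)
    natt_reply_a = nat.inbound("udp", port_a)          # ('10.0.0.11', 4500)
    natt_reply_b = nat.inbound("udp", port_b)          # ('10.0.0.12', 4500)
    unsolicited = nat.inbound("udp", UDP_ENCAP_PORT)   # no mapping -> None
    return raw_esp_reply, natt_reply_a, natt_reply_b, unsolicited


if __name__ == "__main__":
    print(demo())
    pkt = udp_encap(esp_packet(0x1000, 1, b"ciphertext"))
    print(len(pkt), classify_udp4500(pkt[8:]))
```

The `esp_inside` set is the whole story of raw ESP behind a NAT: the mapping can only be keyed on the inside address, so the second tunnel to the same peer makes replies ambiguous. With UDP encapsulation the NAT keys on a port it chose itself, and the receiver still has to tell ESP, IKE and keepalives apart on port 4500, which is what `classify_udp4500` does.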