isakmp/ike nat helper

Michael Richardson mcr at sandelman.ottawa.on.ca
Fri Jan 14 17:41:47 CET 2005




Please do not add any helpers for ISAKMP in your NAT.
You just make it worse, and it breaks more often.

Instead, you should be providing: IPv6 support (via 6to4 to get
address space if you do not have v6 on the outside).

Your customers should use NAT traversal for IPsec. This is widely available.
The NAT-T permits packets to originate from different UDP ports.

-- 
] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls  [
] mcr @ xelerance.com           Now doing IPsec training, see   |net architect[
] http://www.sandelman.ca/mcr/    www.xelerance.com/training/   |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [