Block all servers?

Crist Clark crist.clark at globalstar.com
Tue Oct 14 20:08:21 UTC 2003


Kee Hinckley wrote:
> 
> At 6:30 PM +0200 10/14/03, Stefan Mink wrote:
> >On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote:
> >>  > I use IPSEC and it works fine behind NAT.
> >>
> >>  Yes, it does work, on a small scale.  However what if your neighbor
> >>  wants to IPSEC to the same place (say you work at the same place).
> >>  If both of you are NAT'd from the same IP address trying to IPSEC
> >>  to the same IP address?  I don't believe things will work in this
> >>  instance.
> >
> >why not? We use it here, works fine (with certificates for auth).
> 
> From what I've seen it depends on whether the NAT has specific
> support for IPSEC, and if that support includes support for multiple
> clients.  The NAT box has to keep track of the mapping.  I've seen
> NATs priced based on how many VPN clients they support at a time.
> 
> See http://www.dslreports.com/faq/4638

Quoting from that,

  Some routers permit multiple IPSec connections through NAT by uniquely
  identifying tunnels via the pair of SPI numbers snagged from an IKE
  exchange. These identifying numbers are stored in IPSec NAT table entries
  to allow correct routing of inbound ESP traffic.

Last time I looked, the SPIs are exchanged in an encrypted payload in
IKE. Am I mistaken? The router would have to mount a successful MIM 
attack to do this.
-- 
Crist J. Clark                               crist.clark at globalstar.com
Globalstar Communications                                (408) 933-4387
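An added illustration, not part of the thread: a toy Python model of the SPI-tracking NAT the FAQ describes, written on the premise raised above that the NAT sees only the cleartext ESP header and not the SPIs negotiated inside encrypted IKE. Host and gateway addresses, SPI values and the class and function names are all constructed for the example. It shows why the inbound SPI, chosen by the remote gateway, leaves the NAT guessing as soon as two inside hosts talk to the same gateway (the neighbour case raised upthread).

```python
import struct
from collections import defaultdict

# ESP header (RFC 2406): 32-bit SPI, 32-bit sequence number. Always cleartext.
ESP_HDR = struct.Struct("!II")

def parse_esp(packet: bytes):
    """Return (spi, seq) from the ESP header; the payload stays opaque to us."""
    if len(packet) < ESP_HDR.size:
        raise ValueError("truncated ESP header")
    return ESP_HDR.unpack_from(packet)

class EspNat:  # constructed toy model of a NAT box, not a real product
    def __init__(self):
        self.inbound = {}                 # (peer_ip, inbound SPI) -> inside host
        self.pending = defaultdict(list)  # peer_ip -> hosts awaiting an inbound SPI

    def outbound_esp(self, inside_host, peer_ip, packet):
        """Inside host sends ESP: the NAT learns the SPI the host chose."""
        spi, _ = parse_esp(packet)
        paired = inside_host in self.inbound.values()
        if not paired and inside_host not in self.pending[peer_ip]:
            self.pending[peer_ip].append(inside_host)
        return spi

    def inbound_esp(self, peer_ip, packet):
        """Gateway sends ESP with the SPI *it* chose. Under our premise the NAT
        never saw it (it travelled inside encrypted IKE), so it pairs by elimination."""
        spi, _ = parse_esp(packet)
        key = (peer_ip, spi)
        if key in self.inbound:
            return self.inbound[key]
        waiting = self.pending[peer_ip]
        if len(waiting) != 1:             # none, or several: whose tunnel is this?
            return None
        self.inbound[key] = waiting.pop()
        return self.inbound[key]

def esp(spi, seq):
    return ESP_HDR.pack(spi, seq) + b"\x00" * 16   # header + pretend ciphertext

def demo():
    nat, gw = EspNat(), "203.0.113.1"    # gateway uses a documentation address
    nat.outbound_esp("10.0.0.2", gw, esp(0x1001, 1))
    alone = nat.inbound_esp(gw, esp(0xA001, 1))   # one host pending: paired
    nat.outbound_esp("10.0.0.3", gw, esp(0x1002, 1))
    nat.outbound_esp("10.0.0.4", gw, esp(0x1003, 1))
    crowd = nat.inbound_esp(gw, esp(0xB002, 1))   # two hosts pending: ambiguous
    again = nat.inbound_esp(gw, esp(0xA001, 2))   # existing mapping still works
    return alone, crowd, again
```

`demo()` returns `('10.0.0.2', None, '10.0.0.2')`: the lone client is paired, the second inbound SPI is dropped because the NAT cannot tell which of the two new clients it belongs to, and the established mapping keeps working.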
