Contivity VPN woes
Paul Moore
pcmoore at engin.umich.edu
Sun Nov 17 22:57:05 EST 2002
> -----Original Message-----
> From: gnhlug-discuss-admin at mail.gnhlug.org
> To: Greater NH Linux User Group
> Subject: Re: Contivity VPN woes
>
> On Sat, 16 Nov 2002, at 11:15am, mod+gnhlug at std.com wrote:
> >> Please inform your husband that his firewall
> >> needs to allow outbound UDP port 50 and IP
> >> protocol 500.
>
> {snip}
>
> You also need to allow ESP (Encapsulated Security Payload), which is IP
> protocol 51. ESP encapsulates an IP datagram in another datagram, adding
> authentication and encryption. The authentication is only done on the
> encapsulated datagram, so you can rewrite the outer datagram's header
> without fear of it being rejected.
>
> IP protocol 50 is AH (Authentication Header), which is not compatible with
> NAT. AH adds authentication information to an IP datagram without
> encapsulating it; it provides only authentication, not encryption. Because
> NAT modifies the headers of IP datagrams, it is not compatible with AH.
> Fortunately for you, however, AH is (currently) rarely used.
>
Just a point of clarification for when you are setting up your firewall rules:
ESP is IP protocol 50 (see RFC 2406) and AH is IP protocol 51 (see RFC 2402).
.... pcmoore at engin.umich.edu .... www.alumni.engin.umich.edu/~pcmoore ....
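To make the correction concrete, here is an added example in Python (not from the list thread): it classifies raw IPv4 packets by the protocol numbers the reply gives (UDP/500 for IKE, 50 for ESP, 51 for AH) and uses a simplified model of the AH and ESP integrity checks to show why a NAT gateway rewriting the outer source address breaks AH but not ESP. The packet layout, addresses and HMAC key are constructed for the example; the AH coverage model follows RFC 2402's mutable-field rules in simplified form and is not a full AH implementation.

```python
import hmac, hashlib, struct, ipaddress

# IANA protocol numbers cited in the thread (RFC 2406 for ESP, RFC 2402 for AH).
PROTO_UDP, PROTO_ESP, PROTO_AH, IKE_PORT = 17, 50, 51, 500

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero); constructed test data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                      proto, 0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload

def classify(pkt: bytes) -> str:
    """Which firewall rule a packet needs: IKE (UDP/500), ESP (proto 50) or AH (proto 51)."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == PROTO_ESP:
        return "ESP"
    if proto == PROTO_AH:
        return "AH"
    if proto == PROTO_UDP and IKE_PORT in struct.unpack("!HH", pkt[ihl:ihl + 4]):
        return "IKE"
    return "other"

def authenticated_region(pkt: bytes) -> bytes:
    """Bytes covered by the integrity check (simplified model).
    AH: the outer header with mutable fields zeroed (TOS, flags/fragment offset, TTL,
    checksum) plus everything after it; source/destination addresses are immutable and
    therefore covered.  ESP: only what follows the outer IP header."""
    if pkt[9] == PROTO_AH:
        hdr = bytearray(pkt[:20])
        hdr[1] = 0; hdr[6:8] = b"\0\0"; hdr[8] = 0; hdr[10:12] = b"\0\0"
        return bytes(hdr) + pkt[20:]
    return pkt[20:]

def icv(key: bytes, pkt: bytes) -> bytes:
    """Integrity check value over the authenticated region (HMAC-SHA256 chosen for the demo)."""
    return hmac.new(key, authenticated_region(pkt), hashlib.sha256).digest()

def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """What a NAT gateway does to the outer header: replace the source address."""
    return pkt[:12] + ipaddress.ip_address(new_src).packed + pkt[16:]

def survives_nat(pkt: bytes, key: bytes, public_ip: str) -> bool:
    """Does the sender's ICV still verify after NAT rewrote the outer source address?"""
    return hmac.compare_digest(icv(key, pkt), icv(key, nat_rewrite_src(pkt, public_ip)))

# Constructed sample packets from a private host to a VPN gateway.
KEY = b"constructed-example-key"
esp_pkt = build_ipv4(PROTO_ESP, "192.168.1.10", "203.0.113.5", b"\x00\x00\x00\x01" + b"\x00" * 16)
ah_pkt = build_ipv4(PROTO_AH, "192.168.1.10", "203.0.113.5", b"\x00\x00\x00\x01" + b"\x00" * 16)
ike_pkt = build_ipv4(PROTO_UDP, "192.168.1.10", "203.0.113.5", struct.pack("!HHHH", 500, 500, 8, 0))
```

Running `survives_nat` on the ESP packet returns True and on the AH packet returns False, which is exactly why a NAT'd client needs ESP (and IKE on UDP/500) allowed outbound while AH cannot work through the NAT.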