[TriLUG] help! IPsec VPN over SSH?

Ryan Leathers Ryan.Leathers at globalknowledge.com
Fri Feb 25 11:52:04 EST 2005


Hmmm,

The Cisco client (VPN 3000) allows you to select TCP in order to encapsulate
IKE and ESP.  That's a great idea if you are dealing with firewall rules
that don't allow UDP 500 or protocol 50.

The other interesting thing Cisco has done is to encapsulate ESP inside UDP
(port 10000) in order to traverse NAT.  (For the Cisco purists, that is PAT,
but as Aaron has rebuffed me lately on this point I will defer to the more
general Linux Geek definition of NAT).  This overcomes the problem of NAT
devices failing to handle Protocol 50 (ESP).  Similarly, NAT-T uses UDP port
4500 by default; however, this can be done on TCP as well, which might also
be what you were recalling.

All of these options are simple to select on the client and on the
concentrator if you can tear yourself away from a CLI and gaze at a GUI for
a few minutes.



-----Original Message-----
From: John Beimler [mailto:john at radiomind.com]
Sent: Friday, February 25, 2005 11:08 AM
To: Triangle Linux Users Group discussion list
Subject: Re: [TriLUG] help! IPsec VPN over SSH?


The Cisco VPN client can also be configured to tunnel itself over TCP, 
I'm not sure how, but I had to configure it to be able to use our VPN at 
a few customer sites last year.

It wasn't difficult, it was a simple config setting, just can't remember 
which one.

Peace.

john
-- 
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
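The NAT-T encapsulation Ryan describes above puts both IKE and ESP on UDP 4500; RFC 3948 tells them apart with a four-byte zero "non-ESP marker" in front of IKE (an ESP SPI is never zero) and uses a lone 0xFF byte as a NAT keepalive. The following is an added example, not code from this thread or from Cisco, that classifies a UDP/4500 payload the way a packet filter or IDS decoder would; the sample payloads, SPIs and IKE values are constructed.

```python
"""Classify traffic on the IPsec NAT-T port (UDP 4500), per RFC 3948.

Added example (not from the mailing-list thread). The sample payloads below
are constructed by hand; they are not captures from a Cisco concentrator.
"""
import struct

NAT_T_PORT = 4500                        # IKE and UDP-encapsulated ESP share this port
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # precedes IKE; a real ESP SPI is never 0
IKE_HEADER = struct.Struct("!QQBBBBII")  # init SPI, resp SPI, next, ver, exch, flags, msg id, len


def classify_nat_t_payload(payload: bytes) -> dict:
    """Return what a UDP/4500 payload carries: keepalive, IKE, ESP, or malformed."""
    if payload == b"\xff":
        # One 0xFF byte keeps the NAT mapping alive; it is neither IKE nor ESP.
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        (_ispi, _rspi, _next, version, exch_type,
         _flags, msg_id, length) = IKE_HEADER.unpack_from(ike)
        return {"kind": "ike", "major": version >> 4,
                "exchange_type": exch_type, "msg_id": msg_id, "length": length}
    # Anything else is ESP: 4-byte SPI followed by 4-byte sequence number.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp-in-udp", "spi": spi, "seq": seq}


# Constructed sample payloads (hypothetical values, not real traffic).
SAMPLE_KEEPALIVE = b"\xff"
SAMPLE_IKE = NON_ESP_MARKER + IKE_HEADER.pack(
    0x0102030405060708, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER.size)  # IKEv2 IKE_SA_INIT
SAMPLE_ESP = struct.pack("!II", 0x0000ABCD, 7) + b"\x00" * 16        # SPI 0xabcd, seq 7
SAMPLE_TRUNCATED = NON_ESP_MARKER + b"\x01" * 10                      # marker, then too little IKE


def classify_samples() -> dict:
    """Run the classifier over the constructed samples (used by the demo below)."""
    return {name: classify_nat_t_payload(p) for name, p in {
        "keepalive": SAMPLE_KEEPALIVE, "ike": SAMPLE_IKE,
        "esp": SAMPLE_ESP, "truncated": SAMPLE_TRUNCATED}.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:10s} -> {result}")
```

The same decoder applies to Cisco's UDP 10000 encapsulation only for the ESP branch; that port carries no non-ESP marker for IKE, which stays on UDP 500.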


