RE: [PCTECH] Re: Wireless AP with VPN

["Walden H. Leverich" <WaldenL@xxxxxxxxxxxxxxx>]

>NAT & IPSEC can get along just fine.

Really? I'm no expert, but can you explain how? 

As I understand it an IPSEC packet it encrypted at the client (my PC)
and sent to the server. Now, when it's encrypted at the client I have an
internal IP address (in my case 10.100.10.35 for example) and that IP
address, in some cases, is embedded in the packet that gets encrypted
(FTP being a prime example). Now, since the NAT proxy can't see inside
the encrypted packet it has no way of changing that address from the
internal one to the external one. I guess for some protocols this
wouldn't cause a problem, but for others it will. Even Cisco's write-up
on NAT-T says it doesn't solve the embedded ip problem. 

-Walden

------------
Walden H Leverich III
President & CEO
Tech Software
(516) 627-3800 x11
WaldenL@xxxxxxxxxxxxxxx
http://www.TechSoftInc.com

Quiquid latine dictum sit altum viditur.
(Whatever is said in Latin seems profound.)
  


-----Original Message-----
From: pctech-bounces@xxxxxxxxxxxx [mailto:pctech-bounces@xxxxxxxxxxxx]
On Behalf Of Vernon Hamberg
Sent: Tuesday, 25 January, 2005 08:39
To: PC Technical Discussion for iSeries Users
Subject: Re: [PCTECH] Re: Wireless AP with VPN

NAT & IPSEC can get along just fine. The LinkSys WRV54G can handle up to
50 
tunnels. It is wireless-G, so it's fairly fast. Also is a 4-port full 
duplex 1/100 switch. At my previous job we used LinkSys' earlier BEFVP41
- 
up to 70 tunnels. There are also the RV016 and RV082 - 50 tunnels, 16 &
8 
wired ports respectively.

I don't think any of these use digital certificates for client access - 
could be wrong, I did just a brief survey of the user guides. They use 
preshared keys. Maybe this does not matter if going from device to
device.

HTH
Vern

At 12:37 AM 1/25/2005, you wrote:
>On Mon, 24 Jan 2005 15:10:55 -0700, michael@xxxxxxxxxxxxxxxxxx
><michael@xxxxxxxxxxxxxxxxxx> wrote:
> > IPSec...yeah...that's my problem. I was looking at the Linksys
BEFSX41
> > router, and thinking of connecting that to my current wireless AP,
but
> > I don't know if that would buy me anything. I guess I could go
> > wired...my house has the connectivity, just need to hook up the
patch
> > panel, but I'd really like to stay wireless if I could.
>
>Are there wired Cable/DSL routers that support multiple IPSec
>conversations at the same time.  I gathered from Walden's comment that
>NAT and IPSec don't get along well.
>
>--
>Tom Jedrzejewicz
>tomjedrz@xxxxxxxxx
>--
>This is the PC Technical Discussion for iSeries Users (PcTech) mailing
list
>To post a message email: PcTech@xxxxxxxxxxxx
>To subscribe, unsubscribe, or change list options,
>visit: http://lists.midrange.com/mailman/listinfo/pctech
>or email: PcTech-request@xxxxxxxxxxxx
>Before posting, please take a moment to review the archives
>at http://archive.midrange.com/pctech.

-- 
This is the PC Technical Discussion for iSeries Users (PcTech) mailing
list
To post a message email: PcTech@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/pctech.