From mboxrd@z Thu Jan  1 00:00:00 1970
From: Arthur van Leeuwen arthurvl@sci.kun.nl
Date: Sat, 27 Jan 2001 11:15:55 +0000
Subject: [LARTC] I need some advice.
Message-Id: <marc-lartc-98373940416919@msgid-missing>
List-Id: <lartc.vger.kernel.org>
References: <marc-lartc-98373940416914@msgid-missing>
In-Reply-To: <marc-lartc-98373940416914@msgid-missing>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

<PRE>On Fri, 26 Jan 2001, billy wrote:

&gt;<i> Thanks fore your answer
</I>
My pleasure.

[snip]

&gt;<i> &gt; &gt; if there are some problems or recomandations I must have to take.
</I>&gt;<i> &gt;
</I>&gt;<i> &gt; NAT has a bit of a problem with certain protocols such as FTP. These are
</I>&gt;<i> &gt; mostly handled by the kernel, but there may be cases with new or custom
</I>&gt;<i> &gt; protocols that are not handled yet. You ought to be aware of that.
</I>&gt;<i> &gt; Furthermore, IPsec AH-mode does not work with NAT. IPsec ESP-mode does,
</I>&gt;<i> &gt; fortunately.
</I>
&gt;<i> Yes I new about the NAT problem, now what about masquerading?
</I>
Masquerading is NAT with port-translation thrown in. This enables multiple
IP addresses to be mapped to a single IP address. In 2.4 and the netfilter
and iptables documentation (at <A HREF="http://netfilter.kernelnotes.org/">http://netfilter.kernelnotes.org/</A>)
masquerading is also called NAPT, Network Address and Port Translation.

&gt;<i> I can't find any diference, but there must be, or there the same thing?
</I>&gt;<i> does masquerading have the same problem? I think so.
</I>
Yes, masquerading has the same problems.

&gt;<i> know what do you refer or meen with IPsec AH-mode and IPsec ESP-mode?
</I>
Look at the documentation for FreeS/WAN at <A HREF="http://www.freeswan.org/">http://www.freeswan.org/</A>

IPsec is a protocol to do encryption and authentication of packets at the
IP-level. IPsec AH-mode provides only authentication, but authenticates
packet headers as well as their payload. This directly conflicts with NAT,
as NAT changes the packet headers. IPsec ESP-mode provides authentication as
well as encryption, but does not authenticate the outer packet's headers,
and therefore can be used over NAT-ed conections.

Doei, Arthur.

-- 
  /\    / |      <A HREF="mailto:arthurvl@sci.kun.nl">arthurvl@sci.kun.nl</A>      | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching



</PRE>