-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Lito Kusnadi wrote:
| Dear shorewall users:
| I am going to implement VPN IPSEC pass through. Got shorewall as the
| main firewall interfacing the internet. I found Tom's documentation on
| how to do it. The question is: there's an argument that VPN pass through
| (pass through NAT) will undermine the importance of AH (source: freeswan
| site). Is it true?
|
If you are using NAT without encapsulating in UDP (nat traversal) then
you can't use AH. An AH header includes a cryptographic checksum and
among the data used to calculate the checksum are the immutable parts of
the IP header (including source and destination address). Given that NAT
has to rewrite those addresses, AH and NAT are mutually exclusive.
- -Tom
- --
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFBK0hlO/MAbZfjDLIRAqrRAJ9pj8QD0x9K/IA4GAKzyebDnRXnyACgsvcm
+vOtqQg7fhmM4YfK/acUg5c=ezJM
-----END PGP SIGNATURE-----
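The following is an added worked example, not part of Tom's message or of Shorewall. It models the AH integrity check from RFC 4302 in pure Python: the ICV (HMAC-SHA1-96 here) is computed over the IPv4 header with the mutable fields (TOS, flags/fragment offset, TTL, header checksum) zeroed, the AH header with the ICV field zeroed, and the payload. It then shows that a router decrementing TTL leaves the ICV valid, while a NAT rewriting the source address does not. The key, addresses, SPI and payload are constructed values for the demonstration.

```python
"""Why AH and address-rewriting NAT cannot coexist: a constructed AH packet,
verified before and after a TTL decrement and after a NAT source rewrite."""
import hashlib
import hmac
import socket
import struct

AH_PROTOCOL = 51
ICV_LEN = 12                     # HMAC-SHA1-96: SHA-1 MAC truncated to 96 bits (RFC 2404)
AH_FIXED_LEN = 12                # next header, payload len, reserved, SPI, sequence number
AH_LEN = AH_FIXED_LEN + ICV_LEN  # 24 bytes for HMAC-SHA1-96
IP_FMT = "!BBHHHBBH4s4s"         # 20-byte IPv4 header without options


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte header."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack(IP_FMT, 0x45, 0, total_len, 0x1234, 0x4000, ttl, AH_PROTOCOL, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_input_from_ip_header(ip_hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1: mutable fields are zeroed for the ICV computation;
    everything else, including source and destination address, is covered."""
    f = list(struct.unpack(IP_FMT, ip_hdr))
    f[1] = 0  # TOS / DSCP+ECN
    f[4] = 0  # flags + fragment offset
    f[5] = 0  # TTL
    f[7] = 0  # header checksum
    return struct.pack(IP_FMT, *f)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    data = ah_input_from_ip_header(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int,
                    payload: bytes, next_header: int = 17) -> bytes:
    """Transport-mode AH packet: IP | AH | payload (next_header 17 = UDP)."""
    ip_hdr = build_ipv4_header(src, dst, 20 + AH_LEN + len(payload))
    ah_fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah(key: bytes, packet: bytes) -> bool:
    """Receiver-side check: recompute the ICV over the packet as received."""
    ip_hdr, ah_fixed = packet[:20], packet[20:20 + AH_FIXED_LEN]
    icv, payload = packet[20 + AH_FIXED_LEN:20 + AH_LEN], packet[20 + AH_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah_fixed, payload))


def rewrite_ip_header(packet: bytes, src: str = None, ttl: int = None) -> bytes:
    """What a middlebox does: edit header fields and fix the IP checksum only."""
    f = list(struct.unpack(IP_FMT, packet[:20]))
    if src is not None:
        f[8] = socket.inet_aton(src)
    if ttl is not None:
        f[5] = ttl
    f[7] = 0
    hdr = struct.pack(IP_FMT, *f)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + packet[20:]


def router_hop(packet: bytes) -> bytes:
    return rewrite_ip_header(packet, ttl=packet[8] - 1)


def nat_source(packet: bytes, public_ip: str) -> bytes:
    return rewrite_ip_header(packet, src=public_ip)


def demo() -> dict:
    key = b"constructed-demo-key-not-a-real-sa"      # assumed shared AH key
    pkt = build_ah_packet(key, "192.168.1.10", "203.0.113.5",
                          spi=0x100, seq=1, payload=b"hello")  # constructed values
    return {
        "original": verify_ah(key, pkt),
        "after_router_ttl_decrement": verify_ah(key, router_hop(pkt)),
        "after_nat_source_rewrite": verify_ah(key, nat_source(pkt, "198.51.100.1")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV OK' if ok else 'ICV FAILED'}")
```

The TTL case passes because TTL is on the mutable list and is zeroed on both sides; the source address is not, so the receiver recomputes the ICV over the NAT's public address and gets a different MAC. The only way around this is the UDP encapsulation Tom mentions (NAT-T, RFC 3948), which is defined for ESP, not AH.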