On Mon, 2011-11-14 at 21:08 +0400, Lucas wrote: > > I am talking about ipsec over TCP. > > Everything can do ipsec over UDP, but none over TCP. But on my job for > the security reason UDP is blocked, cisco vpn can do ipsec over tcp.
That's entirely stupid. The Cisco "IPsec over TCP" is basically the *same* as UDP, except it fakes a TCP header on each packet in order to make it pass through crappy firewalls and NAT which only supports TCP. If your IT department think that UDP needs to be blocked "for the security reason", then it sounds like they are incompetent and should be fired. Or just taken out back and shot. We *have* had Cisco's IPSec over TCP working; it's not particularly difficult. However, we never really worked out how to make it work nicely on Linux; the kernel really *really* wants to eat all TCP packets and will give a TCP RST to any connection it doesn't think is open. Any mechanism to effectively operate TCP in userspace, which is what we need to do, would be very much frowned upon. -- dwmw2
smime.p7s
Description: S/MIME cryptographic signature
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
