IPSec over TCP

Ansar Mohammed ansarm-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu Dec 1 20:21:54 UTC 2005


Hey Eric, has Checkpoint ported FW-1 to FreeBSD yet or are they still
limiting you to IPSO?


> -----Original Message-----
> From: owner-tlug-lxSQFCZeNF4 at public.gmane.org [mailto:owner-tlug-lxSQFCZeNF4 at public.gmane.org] On Behalf Of
> Eric.Malenfant-xNZwKgViW5gAvxtiuMwx3w at public.gmane.org
> Sent: December 1, 2005 1:26 PM
> To: tlug-lxSQFCZeNF4 at public.gmane.org
> Subject: RE: [TLUG]: IPSec over TCP
> 
> Cisco and Check Point are the only 2 I know of as well (I am a CCSE+)
> 
> tcp/500 was only created so their respective clients could communicate
> from behind NAT devices without using UDP encapsulation.
> 
> Under Linux, the KAME ipsec-tools work fine, but 500/tcp is not
> supported as of yet, but NAT-T on port 4500 is, which is the real way
> to support IKE over TCP.
> 
> NAT-T on port 4500 is the way to go, as I know Check Point now supports
> it, but I am currently not sure about Cisco.
> 
> Eric Malenfant, NSA, CCSE+, RHCE
> 
> 
> 
> 
> 
> -----Original Message-----
> From: owner-tlug-lxSQFCZeNF4 at public.gmane.org [mailto:owner-tlug-lxSQFCZeNF4 at public.gmane.org] On Behalf Of ext
> Ansar Mohammed
> Sent: Thursday, December 01, 2005 2:05 AM
> To: tlug-lxSQFCZeNF4 at public.gmane.org
> Subject: RE: [TLUG]: IPSec over TCP
> 
> IPSec also uses IP protocols 50 and 51.
> IKE uses UDP 500. Some vendors have implemented IKE over TCP 500
> (Check Point and Cisco); I don't think IKE over TCP is standard.
> 
> 
> > -----Original Message-----
> > From: owner-tlug-lxSQFCZeNF4 at public.gmane.org [mailto:owner-tlug-lxSQFCZeNF4 at public.gmane.org] On Behalf Of Byron
> > Sonne
> > Sent: November 30, 2005 6:24 PM
> > To: tlug-lxSQFCZeNF4 at public.gmane.org
> > Subject: [TLUG]: IPSec over TCP
> >
> > Hey Folks,
> >
> > Seems that 500/UDP is the main focus for IPSec. However, I need to be
> > able to detect IPSec running over TCP, and of all the things I've
> > played around with (gear at work running IPSec, swan, isakmpd, etc.)
> > 500/TCP never seems to be open.
> >
> > I don't need to actually have working communications and info exchange
> > between entities, etc. I'm not interested in creating a viable
> > network.
> > What I do want to get is a server setup that listens on 500/TCP for
> > IPSec stuff so I can attempt to tickle responses out of it, and I'm
> > not having any luck.
> >
> > Can anyone give me some pointers? I'd appreciate it! (or a live IP
> > listening on 500/TCP that doesn't mind some heavy probing ;)
> >
> > Regards,
> > Byron
> > --
> > The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
> > TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> > How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
> 

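The ports and protocol numbers the thread walks through (ESP as IP protocol 50, AH as 51, IKE on udp/500, NAT-T on udp/4500, and the vendor-specific IKE on tcp/500 that Byron wants to detect) as a small packet classifier, added here as an example and not part of the thread. It assumes the ISAKMP header layout of RFC 2408/RFC 7296 and the udp/4500 non-ESP marker of RFC 3948; the sample packet is constructed, and the tcp/500 framing is only labelled, not parsed, since the thread describes it as non-standard.

```python
import struct

# ISAKMP/IKE header (RFC 2408 / RFC 7296): initiator SPI, responder SPI, next payload,
# version (major<<4 | minor), exchange type, flags, message ID, total message length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: 4 zero bytes on udp/4500 means IKE, not ESP
EXCHANGES = {2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive", 5: "IKEv1 Informational",
             32: "IKEv1 Quick Mode", 34: "IKE_SA_INIT", 35: "IKE_AUTH",
             36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

def parse_isakmp(payload):
    """Describe an ISAKMP/IKE header, or return None if the bytes do not look like one."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    ispi, _rspi, _np, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(payload)
    major = ver >> 4
    # Reject a wrong major version, a length that disagrees with the datagram, or a zero initiator SPI.
    if major not in (1, 2) or length != len(payload) or ispi == bytes(8):
        return None
    return {"kind": "IKE", "version": f"{major}.{ver & 0xF}",
            "exchange": EXCHANGES.get(exch, f"unknown({exch})"),
            "initiator": bool(flags & 0x08) if major == 2 else None, "msgid": msgid}

def classify_ipsec(proto, dport, payload):
    """Classify one packet (IP protocol number, destination port, L4 payload bytes)."""
    if proto == 50:
        return {"kind": "ESP"}
    if proto == 51:
        return {"kind": "AH"}
    if proto == 17 and dport == 500:
        return parse_isakmp(payload) or {"kind": "not ISAKMP on udp/500"}
    if proto == 17 and dport == 4500:
        if payload == b"\xff":
            return {"kind": "NAT-T keepalive"}
        if payload.startswith(NON_ESP_MARKER):
            hdr = parse_isakmp(payload[4:])
            if hdr:
                hdr["encapsulation"] = "NAT-T"
            return hdr or {"kind": "not ISAKMP on udp/4500"}
        if len(payload) >= 8:  # ESP header: SPI (4 bytes) + sequence number (4 bytes)
            return {"kind": "ESP-in-UDP", "spi": struct.unpack("!I", payload[:4])[0]}
        return {"kind": "malformed udp/4500"}
    if proto == 6 and dport == 500:
        return {"kind": "TCP-encapsulated IKE (vendor-specific, not parsed)"}
    return {"kind": "not IPsec"}

# Constructed sample: an IKEv2 IKE_SA_INIT request header with no payloads (28 bytes).
SAMPLE_IKE_SA_INIT = ISAKMP_HDR.pack(b"\x11" * 8, bytes(8), 33, 0x20, 34, 0x08, 0, ISAKMP_HDR.size)
```

Feeding the same classifier a flow summary (protocol, port, first payload) is enough to tell standards-based IKE and NAT-T apart from the tcp/500 variants the thread discusses, which is the detection Byron was after.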