tech-net archive


Re: racoon, IKEv1 and multiple ipsec clients behind NAT



> In the end I went with l2tp(4) over OpenVPN over tor.
> [passes multicast but not other broadcast]

> Any thoughts / ideas on this would help.

I don't know l2tp.  But I do know that I routinely use something I
built that is essentially Ethernet-over-TCP: on each end, there is a
machine with a bridge(4) between the real Ethernet and a tap(4)
instance, and there's a program on each end that takes packets from
tap, encrypts them, and pushes them over a TCP connection.  The other
end then decrypts and writes them to its tap instance.

This works well enough for my use case, and in my experience passes
broadcasts (for example, ARP works fine over it).  The crypto is
probably mediocre at best[%], but it is good enough for my use cases.

So, it certainly _can_ work.

[%] As a cryptographer I'm strictly a dilettante - I use solid
algorithms, such as Rijndael, but I may be using them incorrectly
and/or my implementations may have side-channel flaws.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

