Who can encrypt payload only and also encapsulate?

Joseph S D Yao jsdy at COSPO.OSIS.GOV
Fri Apr 21 21:26:05 EDT 2000


We've been running a sort of conglomerated set of VPNs that meet at a
common hub, to share information.  The VPN contains both public and
private Internet addresses, which is OK, because there is no IP shared
with the Internet.  All Internet access is out through a proxied
firewall.

We just ran into an interesting problem.

At one location, which happens to be a tenant on a military base, the
base commander wanted to check all IP going in and out of his base, to
verify that there were no back doors.  Obviously, a dedicated line for
our VPN was a back door; so that got cut, and we started routing our
VPN over the base network.  That was no good either.  It seems that our
encrypted and encapsulated packets did not have their headers in the
clear, for him to inspect and make sure that our friends didn't have a
clandestine back door in there.

(*sigh*)

Maybe he doesn't like his tenants, and maybe he is just being rough on
them, but he is the base commander, and what he wants, goes.

Only I can't figure out how to do it right.

The encrypting router does not have the ability to only encrypt the
payload.  And boxes that we have looked at that do encrypt the payload
won't encapsulate the packet - meaning our private internet addresses
all over his nice public Interneted network.  Erk.

I don't want to make this a two-step process, but will if we have to,
to get an encapsulated packet with only the payload encrypted.  BUT,
does anybody know of any reasonable devices that will do this all in
one box?  Preferably, ones that can be remotely managed.

Thanks!

--
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
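The layout question in the post above, worked through as an added example (this is not code from the poster or from any product he mentions): it models the three packet shapes involved, namely IPsec transport mode (original header in the clear, no encapsulation), IPsec tunnel mode (inner header hidden behind the new outer header), and the two-step "encapsulate, but encrypt only the payload" form (transport-mode encryption followed by IP-in-IP encapsulation), and shows which IP headers a key-less inspecting gateway can read in each case. The IPv4 headers are minimal (checksum left zero), the cipher is a labelled SHA-256 keystream stand-in rather than a real ESP transform, and the addresses, key and SPI are constructed values; the protocol numbers (ESP 50, IP-in-IP 4, UDP 17) are the real IANA assignments.

```python
import hashlib
import struct

# Real IANA IP protocol numbers
ESP_PROTO = 50
IPIP_PROTO = 4
UDP_PROTO = 17

# Constructed demo values (not real keys or addresses)
KEY = b"constructed-demo-key-not-for-real-use"
SPI = 0x1000


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (demo only)."""
    def to_bytes(a):
        return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, to_bytes(src), to_bytes(dst))


def parse_ipv4(buf):
    """Return ({src, dst, proto}, body) for an option-less IPv4 packet."""
    v_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if v_ihl != 0x45:
        raise ValueError("not a plain IPv4 header")
    def ip(b):
        return ".".join(str(o) for o in b)
    return {"src": ip(src), "dst": ip(dst), "proto": proto}, buf[20:total]


def _toy_xor(key, nonce, data):
    """Demo-only keystream (SHA-256 in counter mode) standing in for an ESP cipher."""
    ks = b""
    ctr = 0
    while len(ks) < len(data):
        ks += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_wrap(key, seq, plaintext, next_proto):
    """ESP-shaped blob: SPI | seq | encrypted(plaintext | next-header byte)."""
    hdr = struct.pack("!II", SPI, seq)
    return hdr + _toy_xor(key, hdr, plaintext + bytes([next_proto]))


def esp_unwrap(key, blob):
    """Inverse of esp_wrap: returns (plaintext, next_proto)."""
    hdr, body = blob[:8], blob[8:]
    pt = _toy_xor(key, hdr, body)
    return pt[:-1], pt[-1]


def transport_mode(key, src, dst, payload, seq=1):
    """Transport mode: original header in the clear, only the payload encrypted, nothing added outside."""
    esp = esp_wrap(key, seq, payload, UDP_PROTO)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(key, outer, inner, payload, seq=1):
    """Tunnel mode: the whole inner packet, header included, is encrypted behind a new outer header."""
    inner_pkt = ipv4_header(inner[0], inner[1], UDP_PROTO, len(payload)) + payload
    esp = esp_wrap(key, seq, inner_pkt, IPIP_PROTO)
    return ipv4_header(outer[0], outer[1], ESP_PROTO, len(esp)) + esp


def encap_payload_only(key, outer, inner, payload, seq=1):
    """The two-step form from the post: transport-mode encryption, then IP-in-IP encapsulation."""
    inner_pkt = transport_mode(key, inner[0], inner[1], payload, seq)
    return ipv4_header(outer[0], outer[1], IPIP_PROTO, len(inner_pkt)) + inner_pkt


def inspect(pkt):
    """What a key-less inspecting gateway can read: every IP header until ESP stops it.

    Returns (list of readable headers, protocol number it got stuck at)."""
    headers = []
    while True:
        hdr, body = parse_ipv4(pkt)
        headers.append(hdr)
        if hdr["proto"] == IPIP_PROTO:
            pkt = body
            continue
        return headers, hdr["proto"]


def decrypt_encap_payload_only(key, pkt):
    """Receiving end of encap_payload_only: strip the outer header, then ESP-decrypt the payload."""
    _outer, inner_pkt = parse_ipv4(pkt)
    inner, esp = parse_ipv4(inner_pkt)
    payload, next_proto = esp_unwrap(key, esp)
    return inner, payload, next_proto


if __name__ == "__main__":
    outer, inner = ("192.0.2.1", "192.0.2.2"), ("10.1.2.3", "10.9.8.7")
    for name, pkt in [("transport", transport_mode(KEY, *inner, b"hello")),
                      ("tunnel", tunnel_mode(KEY, outer, inner, b"hello")),
                      ("encap+payload-only", encap_payload_only(KEY, outer, inner, b"hello"))]:
        hdrs, stuck = inspect(pkt)
        print(name, "-> readable headers:", [(h["src"], h["dst"]) for h in hdrs], "stops at proto", stuck)
```

Running it shows the trade-off in the post directly: tunnel mode exposes only the outer (public) addresses, transport mode exposes the private inner addresses with no outer header at all, and the two-step form gives the inspector both the outer and the inner header while the payload stays opaque.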

VPN is sponsored by SecurityFocus.COM
