VPN client interoperability
Martin Machacek
mm at I.CZ
Tue May 16 05:20:31 EDT 2000
On 15-May-00 Michael Louie wrote:
> Stupid question fellas.......but it shouldn't matter if I use X brand VPN
> client and Y brand VPN server right? --I intend on using ISAKMP w/ NAT
Unfortunately it does matter! I assume that by VPN you mean an IPsec-based one.
IPsec is quite a complicated standard (or, better to say, a set of standards) and
as a result there are incompatibilities between different
implementations. Most frequently they are in key exchange, i.e. ISAKMP (or,
as it is called now, IKE). One more warning - it is quite complicated to run
an IPsec-based VPN over (any kind of) address translation. First of all you must
not use the AH (authenticating header) part of IPsec and you must use static NAT
(1-to-1 mapping). Even with that, whether your setup will work depends on the
IPsec implementation. In most cases it is better to have the VPN server in
parallel to the NAT device or on the same machine.
Martin
---
[PGP KeyID F3F409C4]
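
Added example, not part of the original message: a simplified Python model of why the AH restriction above holds. AH's integrity check covers the IP source and destination addresses, while ESP's covers only the ESP header and payload, so a static NAT rewrite breaks the first and not the second. The key, addresses, SPI and payload are constructed, and the packet layout is reduced to the fields that matter here.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"   # constructed sample key
AH, ESP = 51, 50                # IP protocol numbers


def ipv4_header(src, dst, proto, body_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at 0 in this model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def icv(data):
    """HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def protect(proto, header, body):
    """Compute the integrity check value with each protocol's coverage."""
    if proto == ESP:
        return icv(body)            # ESP: outer IP header is not covered
    h = bytearray(header)           # AH: header covered, mutable fields zeroed
    h[1] = 0                        # TOS
    h[6:8] = b"\x00\x00"            # flags + fragment offset
    h[8] = 0                        # TTL
    h[10:12] = b"\x00\x00"          # header checksum
    return icv(bytes(h) + body)     # src/dst addresses stay in the MAC input


def static_nat(header, new_src="192.0.2.10"):
    """1-to-1 NAT: rewrite the source address (header bytes 12..15)."""
    return header[:12] + socket.inet_aton(new_src) + header[16:]


def route_hop(header):
    """Ordinary router hop: decrement TTL (header byte 8)."""
    return header[:8] + bytes([header[8] - 1]) + header[9:]


def received_ok(proto, in_transit):
    """Sender protects, in_transit alters the header, receiver verifies."""
    body = struct.pack("!II", 0x1001, 1) + b"constructed payload"  # SPI, seq
    sent = ipv4_header("10.0.0.5", "198.51.100.7", proto, len(body))
    tag = protect(proto, sent, body)
    return hmac.compare_digest(protect(proto, in_transit(sent), body), tag)
```

A plain router hop passes verification for both protocols because TTL is excluded from the AH check; only the address rewrite makes AH fail.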