
On Tue, 2003-10-14 at 21:12, Fred Heutte wrote:
> IPSec prevents packet modification to thwart man-in-the-middle attacks. However, this strong security feature also generates operational problems. NAT frequently breaks IPSec because it modifies packets by substituting public IP addresses for private ones. Many IPSec products implement NAT traversal extensions, but support for this feature isn't universal, and interoperability is still an issue.
IMHO this is a bit misleading, as it implies you need some kind of special gateway with "NAT traversal extensions" to get IPSec to work. This is not exactly true, as only AH checks the IP header. If you stick with just ESP you can rewrite IPs without failing authentication. True, this only works for one-to-one NAT. Many-to-one NAT will still break IPSec, even if ESP is used alone. This is a functionality issue however (IPSec using a fixed source port of 500), rather than a "preventing packet modification to thwart man-in-the-middle attacks" thing.
> And Phifer notes later that one of the critical issues with SSL VPNs is whether you want to "Webify" everything. For all of us (I hope), the net is much more than just port 80.
Not so sure you really have to. This is true if you are running things like pop3s, imaps, etc., but you can also go with something like stunnel, which is pretty close to IPSec. The biggest drawback is no native support for UDP, which makes using internal DNS a bit of a bear.

Cheers,
C
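To make the AH-versus-ESP point above concrete, here is an added example (not code from the thread or from any IPSec implementation) that models the integrity coverage of the two protocols: AH's ICV covers the IP header (with mutable fields zeroed, so the addresses are included), while ESP's ICV covers only the ESP header and payload. A simulated one-to-one NAT rewrite of the source address then breaks AH verification but leaves ESP intact. The key, addresses and payload are constructed sample values, and HMAC-SHA256 truncated to 96 bits stands in for whatever integrity algorithm a real SA would negotiate.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed sample SA key, not a real one


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header, no options, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """AH: ICV over the IP header plus payload. Mutable fields (TOS,
    flags/fragment offset, TTL, checksum) are zeroed, but src/dst addresses
    are covered, so a NAT rewrite changes the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:12]


def esp_icv(esp_hdr: bytes, payload: bytes) -> bytes:
    """ESP: ICV over SPI + sequence number + (encrypted) payload only;
    the outer IP header is not covered at all."""
    return hmac.new(KEY, esp_hdr + payload, hashlib.sha256).digest()[:12]


def one_to_one_nat(ip_hdr: bytes, new_src: str) -> bytes:
    """What a 1:1 NAT gateway does: swap the source address, nothing else."""
    return ip_hdr[:12] + socket.inet_aton(new_src) + ip_hdr[16:]


def survives_one_to_one_nat(mode: str) -> bool:
    """Sender computes the ICV on the private-side packet; receiver verifies
    the NATed packet. Returns True if the ICV still verifies."""
    private_src, public_src, dst = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    payload = b"constructed inner packet"
    esp_hdr = struct.pack("!II", 0x1000, 1)        # SPI, sequence number
    proto = 51 if mode == "AH" else 50             # AH=51, ESP=50
    hdr = ipv4_header(private_src, dst, proto, len(payload))
    sent = ah_icv(hdr, payload) if mode == "AH" else esp_icv(esp_hdr, payload)
    natted = one_to_one_nat(hdr, public_src)
    expected = ah_icv(natted, payload) if mode == "AH" else esp_icv(esp_hdr, payload)
    return hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    print("AH survives 1:1 NAT:", survives_one_to_one_nat("AH"))    # False
    print("ESP survives 1:1 NAT:", survives_one_to_one_nat("ESP"))  # True
```

Many-to-one NAT is not modelled here; as the reply notes, that fails for a different reason (port multiplexing around IKE's fixed UDP port 500), not because of the integrity check.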