[ednog] IPSec vs SOHO NAT

Frank Sweetser fs at WPI.EDU
Tue Jun 14 11:07:28 EDT 2005


On Tue, Jun 14, 2005 at 10:04:16AM -0500, Julian Y. Koh wrote:
> At 10:58 -0400 06/14/2005, Frank Sweetser wrote:
> >Have you ever run into TCP over TCP issues with this?
> >
> >http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
> 
> Not that I've seen at least, and I'm probably the person at NU that uses
> the Cisco client the most.  80+% of our users opt for PPTP, since those
> clients are built into the OS, and thus that's what our Tech Support arm
> has been pushing as the default.  The problem is that PPTP
> encryption/decryption is not done in hardware on the Cisco 3000, so we've
> run into some CPU starvation issues on the concentrator side.  The solution
> there is to transition the default configuration to use L2TP/IPSec, but
> we're going to have to keep PPTP around for a while to service people who
> refuse to switch as well as Mac OS X users.  The L2TP/IPSec client built
> into OS X 10.3 and higher doesn't work from behind NAT devices.  Apple and
> Cisco are supposedly working on fixing this issue.
> 
> But I've digressed, I see.  :)

Well, we're not exactly a Cisco shop (almost exclusively Nortel), but it's nice
to see that we're not the only ones having fun with VPN issues =)

-- 
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Network Engineer          |  is simple, elegant, and wrong. - HL Mencken
    GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC