[ednog] IPSec vs SOHO NAT

Kevin Miller kcmiller at duke.edu
Tue Jun 14 11:16:46 EDT 2005

Frank Sweetser wrote:

>On Tue, Jun 14, 2005 at 09:45:34AM -0500, Julian Y. Koh wrote:
>>IPSec in general.  However, the cure-all that works in every case we've
>>seen is to use the Cisco IPSec client in NAT mode over TCP as opposed to
>>UDP.  It's probably not an approved standard, but it'll cut through
>>anything we've ever come across, including weird setups like you find in
>>hotels and other public access networks.
>Have you ever run into TCP over TCP issues with this?
I wonder if the issues with SSH (see
http://www.psc.edu/networking/projects/hpn-ssh/) had anything to do with

FWIW, I agree that at face value, the TCP tunnelling appears to work
pretty well. We require everyone use the Cisco VPN client (as we require
Mutual Group Authn) so we don't have the L2TP/PPTP issues to deal with.


Kevin C. Miller
Network Architect
Office of Information Technology
Duke University

More information about the ednog mailing list