[Openswan Users] ipsec over tcp?
Paul Wouters
paul at xelerance.com
Fri Jan 7 18:57:36 CET 2005
On Fri, 7 Jan 2005 tgrzelak at wktpolska.com.pl wrote:
>> you can't build a tcp state on top of ipsec. the ipsec protocol has no
>> three-way handshake or acks. Apart from tcp being trivial to kill with an
>> RST packet.
>
> I meant something like NAT-T, but over TCP not UDP. I don't know if such a
> thing exists at all...
You can't really. Within your ipsec tunnel say you have a tcp/ip connection
with its reliability layer. Now tunneling in ESP and then wrapping that
within another tcp/ip reliability layer will just cause the multiple tcp/ip
protocols to race for resending packets.
This is the same reason why ppp over ssh is such a completely horrible
and unworkable solution as soon as you see any packet loss.
> Unfortunately that's not my network. It's ISP's GPRS network, and I can do
> nothing about it.
Inform them, and switch ISP if it's that bad.
> I must say that my vpn works fine even on a dialup network with an analog
> modem (no teardowns), but on a GPRS network it is pathetic :(
Try reducing the mtu on both ends. GPRS networks consist of many layers
of tunneling to begin with.
Paul
--
"At best it is a theory, at worst a fantasy" -- Michael Crichton
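Paul's closing advice is to lower the MTU at both ends. As an added example that is not part of the thread, the Python below works out how large an inner packet can be before tunnel-mode ESP, wrapped in UDP for NAT-T, pushes the outer packet past the path MTU. The cipher suites and the 1400-byte GPRS path MTU are constructed for illustration, not taken from the poster's setup.

```python
from dataclasses import dataclass

# Fixed framing sizes (bytes) for IPv4 tunnel-mode ESP encapsulated in UDP.
IPV4_HDR = 20      # outer IPv4 header without options
UDP_HDR = 8        # NAT-T encapsulation (UDP port 4500)
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspSuite:
    """Cipher/integrity parameters that decide the per-packet ESP overhead."""
    name: str
    block: int    # cipher block size; padded payload is a multiple of this
    iv_len: int   # explicit IV carried in front of the encrypted payload
    icv_len: int  # truncated integrity check value (HMAC-SHA1-96 -> 12)


# Constructed suites for illustration; check the real SA on your own gateway.
AES_CBC_SHA1 = EspSuite("aes-cbc/hmac-sha1-96", block=16, iv_len=16, icv_len=12)
TRIPLE_DES_SHA1 = EspSuite("3des-cbc/hmac-sha1-96", block=8, iv_len=8, icv_len=12)


def esp_packet_len(inner_len: int, suite: EspSuite, nat_t: bool = True) -> int:
    """Outer IPv4 length of one ESP packet carrying an inner_len-byte IP packet."""
    padded = -(-(inner_len + ESP_TRAILER) // suite.block) * suite.block
    return (IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR
            + suite.iv_len + padded + suite.icv_len)


def max_inner_mtu(path_mtu: int, suite: EspSuite, nat_t: bool = True) -> int:
    """Largest inner packet that still fits path_mtu without fragmentation."""
    fixed = (IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR
             + suite.iv_len + suite.icv_len)
    room = path_mtu - fixed
    padded = room - room % suite.block   # payload+trailer must fill whole blocks
    return padded - ESP_TRAILER


def tcp_mss_for(inner_mtu: int) -> int:
    """TCP MSS to advertise inside the tunnel (IPv4 20 + TCP 20 header bytes)."""
    return inner_mtu - 40


if __name__ == "__main__":
    for path_mtu in (1500, 1400):   # 1400 is a constructed GPRS-like path MTU
        for suite in (AES_CBC_SHA1, TRIPLE_DES_SHA1):
            inner = max_inner_mtu(path_mtu, suite)
            print(f"path {path_mtu} {suite.name}: inner MTU {inner}, "
                  f"MSS {tcp_mss_for(inner)}, outer {esp_packet_len(inner, suite)}")
```

Setting the tunnel interface MTU to the computed inner value (or clamping the TCP MSS to it) keeps every ESP packet under the path MTU, so the GPRS layers never have to fragment them.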