[Openswan Users] ipsec over tcp?

Paul Wouters paul at xelerance.com
Fri Jan 7 18:57:36 CET 2005

On Fri, 7 Jan 2005 tgrzelak at wktpolska.com.pl wrote:

>> you can't built a tcp state on top of ipsec. the ipsec protocol has no
>> three way handshake or acks. Apart from tcp being trivial to kill with an
>> RST packet.
> I meant something like NAT-T, but over TCP not UDP. I don't know if such a
> thing exists at all...

You can't really. Within your ipsec tunnel say you have a tcp/ip connection
with its reliability layer. now tunneling in ESP and then wrapping that
within another tcp/ip reliability layer wil just cause the multiple tcp/ip
protocols to race for resending packets.
This is the same reason why ppp over ssh is such a completely horrible
and unworkable solution as soon as you see any packet loss.

> Unfortunatelly that's not my network. It's ISP's GPRS network, and I can do
> nothing about it.

Inform them, and switch ISP if it's that bad.

> I must say, that my vpn works fine even on a dialup network with an analog
> modem (no teardowns), but on a GPRS network it is pathetic :(

Try reducing the mtu on both ends. GPRS networks consist of many layers
of tunneling to begin with.


"At best it is a theory, at worst a fantasy" -- Michael Crichton

More information about the Users mailing list