VPN where local private addresses collide

Terje Elde terje at elde.net
Sun Aug 18 12:17:49 UTC 2013

On 18. aug. 2013, at 02.43, Adam Vande More wrote:
> > What about SSL/TLS for example?  How would the router swap the header in an encrypted session?
> Same as it would any sessions since only the payload is encrypted.  What Frank calls basic NAT, most people call static NAT (at least people who have read enough Cisco docs) and it works just fine. Also you are confusing headers.

The point I was aiming for was that even if you were to swap the IPs in the IP header on the gateway, some protocols still reference the IPs inside the TCP payload, and while you can rewrite that on a NAT box using an application level gateway, you cannot do that if the session is using SSL or TLS.

I was referring to headers *inside* the SSL/TLS layers.  I thought that was obvious, but I see I might not have been clear enough.

Yes, you can often still resolve it on the server, but just how messy does one want to get stacking workaround on top of workaround, just to avoid renumbering the network?
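As an added example (not part of the original post or the thread), here is a small Python simulation of the point made above: a static NAT rewrites the source address in the IPv4 header, and an FTP-style application level gateway can also patch the address that a cleartext PORT command carries inside the TCP payload, but once the payload is encrypted and integrity-protected the gateway has nothing it can recognise and rewrite, and any blind patch fails the integrity check on the far side. The addresses, the NAT mapping, the FTP command, and the toy keystream-plus-HMAC record format standing in for a TLS record are all assumptions made up for this illustration.

```python
"""Added example: static NAT on the IP header vs. addresses inside the payload.

The addresses, the NAT mapping and the toy record format are assumptions
made up for this illustration; the toy cipher below is not TLS.
"""
import hashlib
import hmac
import re
import socket
import struct

# Static (one-to-one) NAT table for the site whose private range overlaps.
NAT_MAP = {"192.168.1.10": "10.99.0.10"}  # assumed mapping

# FTP PORT command: the client's own address, as four decimal octets, plus port.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum over the header; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def nat_header(packet: bytes) -> bytes:
    """Static NAT: translate only the source address in the IP header."""
    src = socket.inet_ntoa(packet[12:16])
    hdr = packet[:10] + b"\x00\x00" + socket.inet_aton(NAT_MAP.get(src, src)) + packet[16:20]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + packet[20:]


def ftp_alg(payload: bytes) -> bytes:
    """Application level gateway: rewrite the address an FTP PORT command
    carries inside the TCP payload. Only possible when the payload is readable."""
    def fix(m) -> bytes:
        inner = ".".join(g.decode() for g in m.groups()[:4])
        outer = NAT_MAP.get(inner, inner).replace(".", ",").encode()
        return b"PORT " + outer + b"," + m.group(5) + b"," + m.group(6)
    return PORT_RE.sub(fix, payload)


def gateway(packet: bytes) -> bytes:
    """Everything the NAT box can do: header rewrite, then the FTP ALG."""
    natted = nat_header(packet)
    return natted[:20] + ftp_alg(natted[20:])


def _keystream(key: bytes, n: int) -> bytes:
    out = hashlib.sha256(key + b"stream").digest()
    while len(out) < n:
        out += hashlib.sha256(out).digest()
    return out[:n]


def toy_seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy stand-in for a TLS record: keystream XOR plus an HMAC tag (not TLS)."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def toy_open(key: bytes, record: bytes) -> bytes:
    """Verify the tag and decrypt; raises ValueError if the record was touched."""
    ct, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("record integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


COMMAND = b"PORT 192,168,1,10,19,137\r\n"  # constructed command carrying the inner IP
KEY = b"assumed-session-key"


def plaintext_case():
    """Cleartext FTP: both the header and the embedded address get translated."""
    out = gateway(build_ipv4("192.168.1.10", "203.0.113.5", COMMAND))
    return socket.inet_ntoa(out[12:16]), out[20:]


def encrypted_case():
    """Same command under the toy record layer: the header is translated, but
    the server decrypts the untranslated private address."""
    out = gateway(build_ipv4("192.168.1.10", "203.0.113.5", toy_seal(KEY, COMMAND)))
    return socket.inet_ntoa(out[12:16]), toy_open(KEY, out[20:])


def patched_record_rejected() -> bool:
    """A gateway that blindly patched bytes inside the record would fail the tag."""
    record = bytearray(toy_seal(KEY, COMMAND))
    record[5] ^= 0x01
    try:
        toy_open(KEY, bytes(record))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(plaintext_case())
    print(encrypted_case())
    print(patched_record_rejected())
```

Running it shows the cleartext case coming out with the PORT address rewritten to the translated 10.99.0.10, while the encrypted case still delivers 192.168.1.10 to the server even though the IP header says 10.99.0.10; the only remaining fixes are on the server or by renumbering.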

