* René Matthäi wrote on Tue, Aug 12, 2003 at 11:06 +0200:

if my VPN GW is behind the firewall, why is it - generally, in theory - neccessary to have the firewall open IP 50, 51 and UDP 500 (ISAKMP).

I think, you need UDP Port 500 and IP protocol 50 *or* UDP Port 500 and IP protocol 51, depending if you use ESP or AH.

Why - in theory - is hasn't everything been designed to use ONE single connection through one port and protocol?

To keep it more simple, I guess.

Why not e. g. use SSL/TLS with PKI and that's it?

SSL/TLS would be to much overhead and inefficient when having UDP packets (usually, it isn't best thing to encapsulte non-reliable datagrams into a reliable datastream, because if the application needs reliable datastreams, it opens a TCP connection instead ;)).

Higher and lower level traffic can be packed and tunneled through even a higher network layer, can't it?

from theory, it can be done of course, but I guess the packet overhead would be somewhat twice as much! Imagine AH: you have to have the complete packet header information twice (once in the "inner" and once in the "outer" packet, means the encapsulating packet). Because an ESP packet has nothing like a port, it is not needed to transfer a port value or other TCP fields (as you would need to do when using TLS). IPSec is someone a layer below TLS (network layer security maybe :)). With TLS, you authenticate application level peers (e.g. Web browser and Web server), with IPSec you authenticate network peers (e.g. Workstation and Server addresses). oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.