[fw-wiz] ipsec nat traversal-conclude

From: SimonChan@lifeisgreat.com.sg
Date: 03/03/03

  • Next message: Dave Rinker: "Re: [fw-wiz] ipsec nat traversal-conclude"
    To: firewall-wizards@honor.icsalabs.com
    From: SimonChan@lifeisgreat.com.sg
    Date: Mon, 3 Mar 2003 21:23:57 +0800

    Hi all,

    Having gone over various sources, I've come to this conclusion for the
    following scenario:

              IPsec Client------ FW Nat (nat) ---- FW/VPN Nat(nat) ------Lan

    (the 2nd FW/VPN has a public IP which is statically NATed by the 1st FW)

    The IPsec client can only connect to the terminating VPN gateway behind
    the 1st FW under the following conditions:

    * the IPsec is using ESP transport (does not encrypt the IP header, only
    the payload)
         (ESP tunnel will encrypt the IP header; AH will perform a hash on the IP
    header, causing NAT to fail)

    Some queries still bugging me.

    * I have a suggestion to open IP protocol 50 (ESP) and 51 (AH) and UDP 500 (IKE).
    Is this sufficient?

    * Some VPN clients, e.g. SecuRemote, can encapsulate
    IPsec packets in another layer of UDP so any NAT along the path
    doesn't try to alter the IP header.

    Are the above 2 methods an alternative to IPsec NAT traversal?


    firewall-wizards mailing list
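The two mechanisms compared in the post (AH's header hash versus ESP's integrity check, and ESP wrapped in an extra UDP layer) can be modelled directly. The following is an added example, not code from the thread or from any of the products mentioned: it builds toy AH and ESP packets, passes them through a static NAT that rewrites the destination address, and shows which integrity check still verifies at the gateway. The key, SPI, addresses, the XOR "cipher" and the 96-bit HMAC-SHA256 ICV are all assumptions chosen for illustration, not real IPsec algorithms.

```python
"""Toy model of why AH breaks behind NAT while ESP and ESP-in-UDP do not.
Constructed for illustration; key, SPI, addresses and the "cipher" are
assumptions, not a real IPsec implementation."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-sa-key"   # assumption: shared key of the SA
SPI, SEQ = 0x1001, 1                # assumption: arbitrary SA identifiers
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
NAT_T_PORT = 4500                   # ESP-in-UDP port defined by RFC 3948


def build_ip(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (checksum left zero; not needed for the demo)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def ah_immutable(hdr):
    """AH hashes the IP header with the mutable fields zeroed (TOS, flags/frag,
    TTL, checksum); source and destination addresses stay in the hash."""
    return (hdr[0:1] + b"\x00" + hdr[2:6] + b"\x00\x00\x00" + hdr[9:10]
            + b"\x00\x00" + hdr[12:20])


def mac(data):
    """96-bit truncated HMAC-SHA256 as the ICV (assumption for the demo)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]


def send_ah(src, dst, payload):
    ah_fixed = struct.pack("!BBHII", 0, 0, 0, SPI, SEQ)   # next, len, rsvd, SPI, seq
    hdr = build_ip(src, dst, PROTO_AH, ah_fixed + b"\x00" * 12 + payload)[:20]
    icv = mac(ah_immutable(hdr) + ah_fixed + b"\x00" * 12 + payload)
    return hdr + ah_fixed + icv + payload


def verify_ah(pkt):
    hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = mac(ah_immutable(hdr) + ah_fixed + b"\x00" * 12 + payload)
    return hmac.compare_digest(icv, expected)


def toy_encrypt(data):
    """Symmetric XOR keystream stand-in for ESP's cipher (not real crypto)."""
    ks, ctr = b"", 0
    while len(ks) < len(data):
        ks += hashlib.sha256(KEY + struct.pack("!III", SPI, SEQ, ctr)).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_body(payload):
    head = struct.pack("!II", SPI, SEQ)
    ct = toy_encrypt(payload)
    return head + ct + mac(head + ct)      # ICV covers ESP header + ciphertext only


def verify_esp_body(body):
    head, ct, icv = body[:8], body[8:-12], body[-12:]
    if not hmac.compare_digest(icv, mac(head + ct)):
        return None
    return toy_encrypt(ct)


def send_esp(src, dst, payload):
    return build_ip(src, dst, PROTO_ESP, esp_body(payload))


def verify_esp(pkt):
    return verify_esp_body(pkt[20:])


def send_esp_udp(src, dst, payload):
    """NAT-T style: ESP inside UDP/4500, so NAT only touches IP and UDP headers."""
    body = esp_body(payload)
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(body), 0)
    return build_ip(src, dst, PROTO_UDP, udp + body)


def verify_esp_udp(pkt):
    return verify_esp_body(pkt[28:])       # skip 20-byte IP + 8-byte UDP header


def static_nat(pkt, new_dst, new_sport=None):
    """The first firewall: rewrite the destination address (static NAT) and,
    for UDP, optionally the source port as a port-translating NAT would."""
    out = pkt[:16] + IPv4Address(new_dst).packed + pkt[20:]
    if new_sport is not None and pkt[9] == PROTO_UDP:
        out = out[:20] + struct.pack("!H", new_sport) + out[22:]
    return out


def demo():
    client, public_vpn, private_vpn = "203.0.113.10", "198.51.100.5", "10.0.0.5"
    msg = b"GET /intranet HTTP/1.0\r\n\r\n"   # constructed payload
    return {
        "ah_direct": verify_ah(send_ah(client, public_vpn, msg)),
        "ah_after_nat": verify_ah(static_nat(send_ah(client, public_vpn, msg), private_vpn)),
        "esp_after_nat": verify_esp(static_nat(send_esp(client, public_vpn, msg), private_vpn)) == msg,
        "esp_udp_after_nat": verify_esp_udp(static_nat(send_esp_udp(client, public_vpn, msg),
                                                       private_vpn, new_sport=61000)) == msg,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'verifies' if ok else 'FAILS'}")
```

The model shows only the IPsec-level integrity check. One caveat the post's conclusion does not cover: in ESP transport mode the TCP or UDP checksum of the inner segment still covers the original addresses and is encrypted, so the NAT cannot fix it and the receiving host must tolerate or recompute it. That checksum problem, and the fact that many NATs cannot track IP protocol 50 at all, is what the UDP encapsulation in the example addresses; the standardised form (RFC 3947/3948) uses UDP port 4500, so a rule set opening only protocol 50, 51 and UDP 500 does not pass NAT-T traffic.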