[fw-wiz] ipsec nat traversal-conclude

From: Fredrik Lindström (fredrik@dunenets.net)
Date: 03/04/03

  • Next message: Paul Stewart: "[fw-wiz] PIX Logging Analysis"
    From: "Fredrik Lindström" <fredrik@dunenets.net>
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 4 Mar 2003 17:20:49 +0100 (CET)
    

    Hi Simon,

    The first scenario assumes that you have public IP addresses and don't NAT
    in the first firewall, and it will work in that case.

    The second is a way around it: Check Point, and others, have support for
    tunneling over UDP. In Check Point's case it's UDP 2746 by default. You still
    need to allow IKE and FW1_topo though.

    With FireWall-1 NG FP4, Check Point will also have support for tunneling
    over TCP, default port 443 (HTTPS).

    Regards

    Fredrik

    > Message: 1
    > To: firewall-wizards@honor.icsalabs.com
    > From: SimonChan@lifeisgreat.com.sg
    > Date: Mon, 3 Mar 2003 21:23:57 +0800
    > Subject: [fw-wiz] ipsec nat traversal-conclude
    >
    > Hi all,
    >
    > Having gone over various sources, I've come to this conclusion for the
    > following scenario:
    >
    > IPsec Client ------ FW NAT (nat) ---- FW/VPN NAT (nat) ------ LAN
    >
    > (the 2nd FW/VPN has a public IP which is statically NATted by the 1st FW)
    >
    > The IPsec client can only connect to the terminating VPN gateway
    > behind the 1st FW on the following conditions:
    >
    >
    > * the IPsec is using ESP transport (does not encrypt the IP header,
    > only the payload). (ESP tunnel will encrypt the IP header; AH will
    > perform a hash on the IP header, causing NAT to fail)
    >
    >
    > Some queries still bugging me.
    >
    > * I have a suggestion to open IP protocol 50 (ESP) and 51 (AH) and UDP
    > 500 (IKE). Is this sufficient?
    >
    > * Some VPN clients, e.g. SecuRemote, can encapsulate
    > IPsec packets in another layer of UDP so any NAT along the path
    > doesn't try to alter the IP header.
    >
    > Are the above 2 methods an alternative to IPsec NAT traversal?
    >
    >
    >
    > tks.
    >
    > Rgds,
    >
    > Simon
    >

    __________________
    Fredrik Lindström
    www.dunenets.net
    (Live a long life)

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
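    To make the two points in this thread concrete (AH authenticates the IP
    addresses and so breaks when the first firewall rewrites them, while ESP's
    integrity check covers only the ESP body, and a UDP wrapper keeps NAT away
    from it), here is an added Python model that is not part of the original
    thread or of any vendor's code. The key, addresses and packet bytes are
    constructed, the headers are simplified, and the UDP wrapper on port 2746 is a
    plain UDP-then-ESP layout rather than Check Point's exact wire format.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"          # constructed demo key, not a real SA key
CLIENT, NAT_PUBLIC, GATEWAY = "10.0.0.5", "203.0.113.7", "198.51.100.9"

def ipv4_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero; not needed for the model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def nat_rewrite_src(ip_hdr, new_src):
    """What the first firewall does: new source address, TTL decremented."""
    return (ip_hdr[:8] + bytes([ip_hdr[8] - 1]) + ip_hdr[9:12]
            + socket.inet_aton(new_src) + ip_hdr[16:])

def ah_icv(ip_hdr, payload):
    """AH-style integrity value: IP header with mutable fields (TOS, flags/frag,
    TTL, checksum) zeroed; the addresses are immutable and therefore covered."""
    fixed = (ip_hdr[0:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00" + b"\x00"
             + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])
    return hmac.new(KEY, fixed + payload, hashlib.sha256).digest()[:12]

def esp_icv(esp_pkt):
    """ESP-style integrity value: covers the ESP header and payload only."""
    return hmac.new(KEY, esp_pkt, hashlib.sha256).digest()[:12]

def udp_encapsulate(esp_pkt, port=2746):
    """Outer IP + UDP around the ESP packet; NAT then only touches the outer headers."""
    udp_hdr = struct.pack("!HHHH", port, port, 8 + len(esp_pkt), 0)
    return ipv4_header(CLIENT, GATEWAY, 17) + udp_hdr + esp_pkt

def udp_decapsulate(pkt):
    """Gateway side: strip outer IP (20 bytes) and UDP (8 bytes)."""
    return pkt[28:]

def ah_verifies_after_nat(payload=b"constructed tcp segment"):
    """AH (protocol 51) end to end through the NATting firewall: expected False."""
    hdr = ipv4_header(CLIENT, GATEWAY, 51)
    icv = ah_icv(hdr, payload)                       # computed by the client
    natted = nat_rewrite_src(hdr, NAT_PUBLIC)        # source address rewritten in transit
    return hmac.compare_digest(icv, ah_icv(natted, payload))

def esp_survives_nat_via_udp(esp_pkt=b"\x00\x00\x10\x01\x00\x00\x00\x01" + b"ciphertext"):
    """ESP inside UDP through the same NAT: the inner ESP bytes are untouched, so True."""
    icv = esp_icv(esp_pkt)                           # computed by the client
    wire = udp_encapsulate(esp_pkt)
    natted = nat_rewrite_src(wire[:20], NAT_PUBLIC) + wire[20:]   # NAT rewrites outer IP only
    return hmac.compare_digest(icv, esp_icv(udp_decapsulate(natted)))
```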

