RE: VPN / IPSEC

From: Kevan Smith (KCSmith@tideworks.com)
Date: 04/10/02


From: Kevan Smith <KCSmith@tideworks.com>
To: "'Sherif Makram Saad'" <shsaad@misc.com.eg>, focus-ms@securityfocus.com, mcse@list.LearnQuick.Com
Date: Wed, 10 Apr 2002 09:53:43 -0700

As I recall, the limitation is that the NAT functionality modifies the IP
headers, which corrupts IPSec; so

        IPSec client -> NAT gateway -> Internet -> NAT gateway -> IPSec client

wouldn't work.

I do not believe the reverse holds true, so you should be able to have

        IP Clients -> NAT gateway -> IPSec gateway -> Internet -> IPSec gateway -> NAT gateway -> IP Clients

Theoretically, anyway (or perhaps I should say 'My theory' :). I haven't
tested this, and if you are able to get it to work I'd be interested to know
your final configuration and how you overcame any technical hurdles.

Kevan Smith
NT Administrator
Tideworks Technology

-----Original Message-----
From: Sherif Makram Saad [mailto:shsaad@misc.com.eg]
Sent: Wednesday, April 10, 2002 2:47 AM
To: focus-ms@securityfocus.com; mcse@list.LearnQuick.Com
Subject: VPN / IPSEC
Importance: High

I have a case with my client and I need your opinion.

2) The main branch uses ADSL to connect to the Internet, and the other
branches use leased lines or dial-up connections to connect to the
Internet. I want to implement VPN/IPSec, but as far as I know this type of
connection doesn't work with NAT.
Any suggestions?

3) If I'm going to use VPN/IPSec on the main branch with Windows .NET
Server or a Shiva LanRover, and those connections are connected
directly to the Internet, with the LAN servers behind NAT, ICS ...... is it
possible in this case to connect the remote offices using IPSec/VPN?
And where do I type the shared secret in Windows 2000 Advanced Server?

                                Regards
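The reply above puts the NAT problem down to "NAT modifies the IP headers". The added Python example below (written for this page; it is not code from either correspondent) models that concretely with constructed packets: AH (RFC 2402) computes its integrity check over the IP header including the source and destination addresses, so a NAT rewrite of the source address fails verification; ESP (RFC 2406) covers only the ESP header and payload, so the same rewrite survives, but raw ESP carries no port a port-overloading NAT can use to tell two inside IPsec peers apart, which is why "IPsec client behind NAT" still breaks; NAT traversal (RFC 3948) wraps ESP in UDP on port 4500 so the NAT has a port again. The key, addresses and SPIs are made-up illustration values, encryption is deliberately omitted (the inner packet stands in for the ciphertext), and IP/UDP checksums are left zero; none of that changes what the integrity checks cover.

```python
"""Added example, not from the original thread: what a NAT rewrite does to AH,
to ESP, and to a port-overloading NAT's ability to multiplex raw ESP, and how
NAT-T's UDP/4500 encapsulation restores a port. All values are constructed."""
import hashlib
import hmac
import struct

KEY = b"illustrative-integrity-key"   # assumed SA key, not a real one
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header; the checksum is left zero (a mutable field anyway)."""
    a2b = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0x4000, ttl, proto, 0, a2b(src), a2b(dst))


def _addrs(pkt):
    b2a = lambda b: ".".join(str(x) for x in b)
    return b2a(pkt[12:16]), b2a(pkt[16:20])


def nat_rewrite_src(pkt, new_src):
    """What a NAT gateway does on the way out: swap the source address.
    A real NAT also recomputes the IP checksum, which AH treats as mutable."""
    h = bytearray(pkt[:20])
    h[12:16] = bytes(int(x) for x in new_src.split("."))
    return bytes(h) + pkt[20:]


# ---- AH: ICV covers the IP header with only the mutable fields zeroed ------
def ah_icv(ip_hdr, ah_with_zero_icv, payload):
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags / fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    # src/dst at h[12:20] are immutable fields and stay in the MAC input
    mac = hmac.new(KEY, bytes(h) + ah_with_zero_icv + payload, hashlib.sha1)
    return mac.digest()[:12]  # HMAC-SHA1-96


def build_ah(src, dst, payload, spi=0x1000, seq=1):
    ah_fixed = struct.pack("!BBHII", PROTO_UDP, 4, 0, spi, seq)  # 12 bytes
    ip = ipv4_header(src, dst, PROTO_AH, 24 + len(payload))
    icv = ah_icv(ip, ah_fixed + b"\x00" * 12, payload)
    return ip + ah_fixed + icv + payload


def verify_ah(pkt):
    ip, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, ah_icv(ip, ah_fixed + b"\x00" * 12, payload))


# ---- ESP tunnel mode: ICV covers only the ESP header and payload ----------
def build_esp(src, dst, inner_pkt, spi=0x2000, seq=1):
    esp_hdr = struct.pack("!II", spi, seq)
    # Encryption omitted on purpose; inner_pkt stands in for the ciphertext.
    icv = hmac.new(KEY, esp_hdr + inner_pkt, hashlib.sha1).digest()[:12]
    body = esp_hdr + inner_pkt + icv
    return ipv4_header(src, dst, PROTO_ESP, len(body)) + body


def verify_esp(pkt):
    body = pkt[20:]
    esp_hdr, inner, icv = body[:8], body[8:-12], body[-12:]
    expect = hmac.new(KEY, esp_hdr + inner, hashlib.sha1).digest()[:12]
    return hmac.compare_digest(icv, expect)


# ---- What a port-overloading NAT can key on -------------------------------
def napt_demux_key(pkt):
    """(proto, src port) a NAPT maps an inside host on, or None when the
    protocol has no port it may rewrite (raw ESP/AH: two inside peers collide)."""
    proto = pkt[9]
    if proto == PROTO_UDP:
        return (proto, struct.unpack("!H", pkt[20:22])[0])
    return None


def nat_t_encapsulate(esp_pkt, src_port=4500):
    """RFC 3948 UDP encapsulation: an outer UDP header on port 4500 gives the
    NAT a port to translate, so the ESP body passes through untouched."""
    esp_body = esp_pkt[20:]
    udp = struct.pack("!HHHH", src_port, 4500, 8 + len(esp_body), 0) + esp_body
    src, dst = _addrs(esp_pkt)
    return ipv4_header(src, dst, PROTO_UDP, len(udp)) + udp


def demo():
    inner = b"constructed inner datagram"
    ah = build_ah("192.168.1.10", "203.0.113.5", inner)
    esp = build_esp("192.168.1.10", "203.0.113.5", inner)
    natted_ah = nat_rewrite_src(ah, "198.51.100.1")
    natted_esp = nat_rewrite_src(esp, "198.51.100.1")
    return {
        "ah_before_nat": verify_ah(ah),          # True
        "ah_after_nat": verify_ah(natted_ah),    # False: addresses are in the ICV
        "esp_after_nat": verify_esp(natted_esp), # True: outer header not covered
        "esp_napt_key": napt_demux_key(natted_esp),                 # None
        "nat_t_key": napt_demux_key(nat_t_encapsulate(natted_esp)), # (17, 4500)
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "IPsec gateway outside the NAT" layout in the reply works for the same reason the ESP case passes here: the NAT only ever sees cleartext LAN traffic on the inside, and the IPsec gateway's own addresses are never rewritten. Putting the IPsec endpoint behind the NAT is the case the AH and raw-ESP checks above fail on, and NAT-T is the standard way round it.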


