Re: IPSec Problem over Router
From: Peter Wohlers (pedro_at_whack.org)
Date: 09/26/03
- Previous message: Travis D.Ronat: "re[2]: book recommendations"
- In reply to: Rodney Green: "Re: IPSec Problem over Router"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 25 Sep 2003 23:43:56 -0700
To: Rodney Green <rgreen@cinchhost.com>
Rodney Green wrote:
> red temptation wrote:
>
>> hi,
>>
>> we have a problem concerning IPSec. We want to create
>> a tunnel from a WinXP laptop (located on the Internet
>> with an official IP) to a private network (using
>> NAT). For authentication purposes we use certificates.
>>
>> It's no problem to open port 500 on our current
>> network router, but protocols 50 and 51 are not
>> supported while using NAT. That's why we are not able
>> to establish an IPSec tunnel with that router.
>>
>> Can anyone suggest a low cost Router with the ability
>> to store certificates and enable us to establish the
>> tunnel. It should have an included firewall.
>>
>>
>
> What router do you have? IP 50 should work with NAT because the IP
> header is not included in the authenticated data so it's passed through
> NAT without problems.
>
The problem with NAT and IP protocols 50 and 51 is twofold. They don't
have any concept of 'ports' as in UDP or TCP that NAT uses to function.
These protocols also don't have any 'state' per se, so firewalls get
crabby with them too. The way to get around it is through NAT-T, or NAT
traversal, which basically encapsulates these protocols inside of UDP
(or in some implementations, TCP) so that they can be NATted without
issue. This function basically is something that needs to be supported
between the VPN client and server.
MS has recently published a free enhancement, the Advanced Networking Pack,
that may help you, as it adds NAT traversal capability. I haven't
played with it yet, but you can't argue with the price ;) It may be what
you're looking for.
Good luck :)
You could also possibly build a router-to-router tunnel and just define
the two hosts in question as the boundaries of the encryption domain.
The Cisco 1700 series can do that, and it supports certificates. How
rigid is the certificates issue? If you wanted to use pre-shared keys,
it would open up your options a bit as well.
--
Peter Wohlers
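The two points made above (ESP and AH have no port numbers for a NAT to key on, and NAT-T fixes that by wrapping ESP in UDP) can be shown with a small model. The following is an added example, not code from the thread or from any IPsec implementation: it uses a toy port-overloading NAT, constructed packets, constructed addresses, a constructed AH key, and a simplified AH integrity check (HMAC-SHA256 over the addresses and payload) to illustrate why an address rewrite breaks AH, why a second ESP host behind the same NAT makes reply packets ambiguous, and how UDP port 4500 encapsulation gives each host its own mapping.

```python
"""Toy model: raw ESP/AH (IP protocol 50/51) behind NAT versus NAT-T.

Added example for the thread above; not a real IPsec stack. All addresses,
keys and packets are constructed. The NAT is a deliberately simple PAT.
"""
import hashlib
import hmac

ESP, AH, UDP = 50, 51, 17
NAT_T_PORT = 4500  # UDP port used for NAT-T encapsulated ESP (RFC 3948)


def ah_icv(key, src, dst, payload):
    """Simplified AH integrity check value: covers the IP addresses and the
    payload, which is why AH cannot survive an address rewrite."""
    return hmac.new(key, f"{src}>{dst}|".encode() + payload, hashlib.sha256).digest()


def ah_verify(key, pkt):
    return hmac.compare_digest(ah_icv(key, pkt["src"], pkt["dst"], pkt["payload"]), pkt["icv"])


class ToyNat:
    """Port-overloading NAT. Inbound lookup needs a port; ESP/AH have none."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.port_map = {}      # (inside_ip, proto, inside_port) -> public port
        self.reverse = {}       # public port -> (inside_ip, inside_port)
        self.raw_sessions = {}  # (proto, peer) -> inside hosts, for portless protocols
        self.next_port = 40000

    def outbound(self, pkt):
        out = dict(pkt, src=self.public_ip)
        if pkt["proto"] == UDP:
            k = (pkt["src"], UDP, pkt["sport"])
            if k not in self.port_map:
                self.port_map[k] = self.next_port
                self.reverse[self.next_port] = (pkt["src"], pkt["sport"])
                self.next_port += 1
            out["sport"] = self.port_map[k]
        else:
            # ESP/AH carry no port: all the NAT can remember is that some
            # inside host spoke protocol N to this peer.
            self.raw_sessions.setdefault((pkt["proto"], pkt["dst"]), set()).add(pkt["src"])
        return out

    def inbound(self, pkt):
        """Translated packet for the inside host, or None if the NAT cannot decide."""
        if pkt["proto"] == UDP:
            hit = self.reverse.get(pkt["dport"])
            return None if hit is None else dict(pkt, dst=hit[0], dport=hit[1])
        hosts = self.raw_sessions.get((pkt["proto"], pkt["src"]), set())
        if len(hosts) != 1:
            return None  # zero or several candidates: ambiguous, so dropped
        return dict(pkt, dst=next(iter(hosts)))


def esp_packet(src, dst, spi, ciphertext):
    return {"proto": ESP, "src": src, "dst": dst, "spi": spi, "payload": ciphertext}


def nat_t_encapsulate(esp):
    """UDP-encapsulated ESP: same ESP body, now carried in UDP so the NAT sees ports."""
    return dict(esp, proto=UDP, sport=NAT_T_PORT, dport=NAT_T_PORT, inner=ESP)


def demo():
    gw = "203.0.113.1"             # constructed VPN gateway address
    nat = ToyNat("198.51.100.7")   # constructed public address of the NAT
    results = {}

    # 1. AH: the source address rewrite invalidates the ICV at the gateway.
    key = b"constructed-ah-key"
    ah = {"proto": AH, "src": "10.0.0.5", "dst": gw, "payload": b"data"}
    ah["icv"] = ah_icv(key, ah["src"], ah["dst"], ah["payload"])
    results["ah_before_nat"] = ah_verify(key, ah)
    results["ah_after_nat"] = ah_verify(key, nat.outbound(ah))

    # 2. Raw ESP: a single host works; a second host to the same gateway
    #    leaves the NAT no way to tell whose reply this is.
    nat.outbound(esp_packet("10.0.0.5", gw, 0x1001, b"c1"))
    reply = esp_packet(gw, nat.public_ip, 0x2001, b"r1")
    results["esp_one_host"] = nat.inbound(reply)["dst"]
    nat.outbound(esp_packet("10.0.0.6", gw, 0x1002, b"c2"))
    results["esp_two_hosts"] = nat.inbound(reply)

    # 3. NAT-T: UDP encapsulation gives each inside host its own public port.
    nat2 = ToyNat("198.51.100.7")
    p5 = nat2.outbound(nat_t_encapsulate(esp_packet("10.0.0.5", gw, 0x1001, b"c1")))
    p6 = nat2.outbound(nat_t_encapsulate(esp_packet("10.0.0.6", gw, 0x1002, b"c2")))
    reply6 = {"proto": UDP, "src": gw, "dst": nat2.public_ip, "sport": NAT_T_PORT,
              "dport": p6["sport"], "spi": 0x2002, "payload": b"r2"}
    results["nat_t_ports"] = (p5["sport"], p6["sport"])
    results["nat_t_reply_to"] = nat2.inbound(reply6)["dst"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model deliberately ignores the SPI for inbound demultiplexing; some NAT devices do attempt "ESP passthrough" by tracking SPIs, but it is heuristic and only works for one inside host per gateway in the common case, which is exactly the limitation NAT-T removes by putting a UDP port on every packet.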