Re: Netscreen Remote, NAT and Windows 2000

From: Greg Oberfield (greg@nospam.gregsdomain.com)
Date: 01/04/02

Also - check what version of ScreenOS your office Netscreen is. Version
3.0 (just released last month) supports NAT traversal which is a
neato-keen feature (Basically encapsulating the IPSec traffic).

In your case this won't help since the problem you're experiencing is
related to the fact that your PC has a specific IP address (say
192.168.0.2 for the sake of argument) which is what is put into the DEST
header of your IP packet. Since IPSEC then ALSO authenticates that
header, when your router changes the DEST address to the "public" IP
address (the one assigned to you via DHCP), when it gets to the foreign
VPN box the hash doesn't match, since the hash included in what you sent
is based off 192.168.0.2 and the hash that the foreign VPN box generates
is based off the DEST header which is now your DHCP address. So like
any good VPN box it discards the packets since it can't authenticate.

Now I don't know about the Linksys or SMC routers mentioned elsewhere
although looking at the Linksys site they do support IPSec pass through.
Personally, I'm a little fuzzy on how IPSec passthrough works with a
non-routable IP address NAT but that's just me. :)

Jeff Oberlander wrote:

> The VPN software for my company is Netscreen Remote. I have a cable
> modem at home (attbi.com) that is attached to a windows 2000 server
> which uses NAT to do IP sharing with other computers on my home
> network through a hub. The NAT config dynamically allocates IP
> addresses to my home network. If I plug my work machine directly off
> of the cable modem, the VPN works great. However, if I plug it into
> the hub (using the NAT), I do not get connectivity to the VPN. I am
> guessing there is some sort of configuration of NAT that I need to do
> to enable Netscreen remote. Does anyone know what I need to do?
> Thanks much.
> Jeff
>

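As an added illustration, constructed for this page and not part of the thread, of the failure Greg describes and of the NAT traversal that ScreenOS 3.0 adds: an AH-style keyed hash computed over the IP header no longer verifies once NAT rewrites the address in that header, while wrapping the authenticated packet in an outer IP/UDP header leaves the hashed bytes untouched. The shared key, the public and gateway addresses, and the simplified AH / UDP-4500 framing are assumptions; only 192.168.0.2 comes from the post.

```python
import hmac
import hashlib
import struct
import ipaddress

# Constructed shared key for the two IPsec peers (assumption, not from the post).
KEY = b"constructed-demo-key"

def ipv4_header(src: str, dst: str, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header; mutable fields (TOS, TTL, checksum) are zeroed."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 64, 0x1234, 0x4000, 0, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def icv(header: bytes, payload: bytes) -> bytes:
    """AH-style integrity check value: keyed hash over the IP header plus payload."""
    return hmac.new(KEY, header + payload, hashlib.sha256).digest()[:12]

def nat_rewrite(header: bytes, public_src: str) -> bytes:
    """What the NAT router does: replace the private source address (bytes 12..15)."""
    return header[:12] + ipaddress.ip_address(public_src).packed + header[16:]

def verify(header: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(icv(header, payload), tag)

def ah_through_nat(private_ip: str, public_ip: str, gateway: str) -> bool:
    """The failure case in the post: the hash covers the header NAT rewrites."""
    payload = b"x" * 64                          # constructed inner data
    hdr = ipv4_header(private_ip, gateway, 51)   # 51 = AH
    tag = icv(hdr, payload)                      # computed by the PC over 192.168.0.2
    arrived = nat_rewrite(hdr, public_ip)        # router swaps in the DHCP address
    return verify(arrived, payload, tag)         # gateway's hash no longer matches

def nat_t_through_nat(private_ip: str, public_ip: str, gateway: str) -> bool:
    """NAT traversal (simplified): the authenticated packet rides inside IP/UDP 4500."""
    payload = b"x" * 64
    inner = ipv4_header(private_ip, gateway, 51)
    tag = icv(inner, payload)
    udp = struct.pack("!HHHH", 4500, 4500, 8 + len(inner) + len(payload) + len(tag), 0)
    outer = ipv4_header(private_ip, gateway, 17) + udp   # 17 = UDP
    # NAT rewrites only the outer header; the hashed bytes travel unchanged.
    outer = nat_rewrite(outer[:20], public_ip) + outer[20:]
    packet = outer + inner + payload + tag
    inner_rx, payload_rx, tag_rx = packet[28:48], packet[48:112], packet[112:]
    return verify(inner_rx, payload_rx, tag_rx)
```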