Re: Linux v Dedicated NAT routers - secure remote differences

From: Leonid Rosenboim (MY_FIRST_NAME@CONSULTANT.COM)
Date: 09/29/02


From: "Leonid Rosenboim" <MY_FIRST_NAME@CONSULTANT.COM>
Date: Sun, 29 Sep 2002 18:46:18 +0200

Alan,

I think I have got the core of the issue. I assume you are using an IPsec
VPN, so here is a quote from a Cisco paper on VPNs:

NAT After IPSec
...
When IPSec uses Authentication-Header (AH) mode for packet integrity, if
one-to-one address translation occurs it will invalidate the signature
checksum. Because the signature checksum is partially derived based on the
AH packet's IP header contents, when the IP header changes, the signature
checksum is invalidated. In this case, the packet will appear to have been
modified in transit and will promptly be discarded when received by the
remote peer. However, when IPSec uses ESP, the devices will be able to
successfully send packets over the VPN, even when one-to-one address
translation occurs after encapsulation. This scenario is possible because
ESP does not use the IP header contents to validate the integrity of the
packets. In cases where many-to-one address translation occurs (aka port
address translation), the IP address and source IKE port, normally User
Datagram Protocol (UDP) port 500, will change. Some VPN devices do not
support IKE requests sourced on ports other than UDP 500, and some devices
performing many-to-one NAT do not handle ESP or AH correctly. Remember that
ESP and AH are higher-layer protocols on top of IP that do not use ports.

Because many-to-one address translation is commonplace in many environments
where remote-access clients are deployed, a special mechanism called NAT
transparency exists to overcome these NAT issues. NAT transparency
reencapsulates the IKE and ESP packets into another transport layer
protocol, such as UDP or TCP, which address-translating devices know how to
translate correctly. This mechanism also allows the client to bypass access
control in the network that allows TCP or UDP but blocks encrypted traffic.
Note that this feature does not affect the security of the transport in any
way. NAT transparency takes packets already secured by IPSec and then
encapsulates them again in TCP or UDP.

Full text: http://www.mnemonic.no/linker/pdf/IPSec_VPN_in_Depth.pdf

"Leonid Rosenboim" <MY_FIRST_NAME@CONSULTANT.COM> wrote in message
news:newscache$0bz63h$hui$1@lnews.actcom.co.il...
> Alan,
>
> most cheap routers don't run Linux due to memory requirements.
>
> You can get the router, and if you figure it out you can return it to the
> store, so it may end up costing you only the time to the store and back.
>
> You need to understand what type of VPN is it (identify client product and
> version) and then maybe some folks who use that stuff can help.
>
> I can offer two guesses:
>
> If it uses PPTP, then your Linux may not forward GRE for some reason.
>
> If it uses IPsec, I believe there are IPsec variants that need special
> handling to work through NAT.
>
> The commercial NAT routers have special code to support VPNs, while your
> Linux may have not.
>
> hth.
>
> "Alan Chandler" <alan@chandlerfamily.org.uk> wrote in message
> news:qdyl9.1175$M14.14814355@news-text.cableinet.net...
> > Leonid Rosenboim wrote:
> >
> > >
> > > Sorry I pissed you off, that wasn't really my intention.
> > >
> >
> > Sorry from me too - I rather jumped back at you.
> >
> > My main concern is to get my problem solved. And being a cheapskate sort
> > of guy, don't want to spend money on something without knowing that it
> > will work. I've been too long in the computer business (I started about
> > 35 years ago) to realise that the problem that you originally thought it
> > was is normally not the actual problem. My approach to this is to
> > understand in detail how something might be working and why before
> > investing too much in a solution.
> >
> > The problem I am faced with here is intriguing because
> >
> > a) It works for my colleagues and not for me, and
> > b) I believe that most of these router type devices have linux inside
> > anyway
> > c) Therefore the probability is that my linux server should work as well
> > if I configure it correctly
> > d) Therefore it could be either a problem with my linux configuration or
> > a problem with my windows configuration, and therefore
> > e) At the moment I am asking for information - which so far nobody,
> > after asking in a number of forums, has been able to give me.
> >
> > So I may well follow your suggestion - but I want to get more into the
> > theorising of what could be the issues first.
> > --
> > Alan Chandler
>
>
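The AH-versus-ESP point in the Cisco excerpt quoted above, as an added example that is not part of this thread or of the Cisco paper. It is a toy model in Python, not an IPsec implementation: HMAC-SHA-256 truncated to 96 bits stands in for the integrity algorithm, the IPv4, AH and ESP headers are packed by hand, the key, addresses and payloads are constructed for the demo, and one-to-one NAT, port address translation (PAT) and UDP encapsulation on port 4500 (NAT traversal as in RFC 3948) are modelled as byte rewrites on the packet. All function names and constants are assumptions of the example. It shows that a source-address rewrite breaks the AH integrity check (the addresses are immutable header fields that AH covers), leaves ESP intact, and that a PAT box which blindly rewrites the bytes where a transport port would be mangles the SPI of raw ESP, while ESP carried inside UDP survives the same rewrite.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed for the demo only; a real SA would negotiate these through IKE.
INTEGRITY_KEY = b"demo-integrity-key"
ICV_LEN = 12  # HMAC-SHA-256-96 style truncation
INSIDE, OUTSIDE, PEER = "192.168.1.10", "203.0.113.5", "198.51.100.1"  # constructed


def ipv4_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header. The checksum stays zero: it is a mutable
    field that AH excludes from its ICV anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_icv(ip_hdr, ah_hdr, payload):
    """AH (RFC 4302) authenticates the IP header with its mutable fields zeroed
    (TOS, flags/fragment offset, TTL, checksum) plus the AH header and payload.
    Source and destination addresses count as immutable, so they are covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    data = bytes(h) + ah_hdr + payload
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(esp_hdr, ciphertext):
    """ESP (RFC 4303) authenticates only the ESP header (SPI, sequence number)
    and the encrypted payload; the outer IP header is not covered."""
    return hmac.new(INTEGRITY_KEY, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(src, dst, payload, spi=0x1000, seq=1):
    ah_hdr = struct.pack("!BBHII", 4, 4, 0, spi, seq)  # next hdr (IP-in-IP), len, rsvd, SPI, seq
    ip_hdr = ipv4_header(src, dst, proto=51)
    return ip_hdr + ah_hdr + ah_icv(ip_hdr, ah_hdr, payload) + payload


def verify_ah_packet(pkt):
    """Receiver side: recompute the ICV over the header as it actually arrived."""
    ip_hdr, ah_hdr = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_hdr, payload))


def build_esp_packet(src, dst, ciphertext, spi=0x2000, seq=1):
    esp_hdr = struct.pack("!II", spi, seq)
    return ipv4_header(src, dst, proto=50) + esp_hdr + ciphertext + esp_icv(esp_hdr, ciphertext)


def verify_esp_packet(pkt):
    esp_hdr, body = pkt[20:28], pkt[28:]
    return hmac.compare_digest(body[-ICV_LEN:], esp_icv(esp_hdr, body[:-ICV_LEN]))


def nat_rewrite_src(pkt, new_src):
    """One-to-one NAT: rewrite the source address and decrement TTL like any router."""
    h = bytearray(pkt)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[8] -= 1
    return bytes(h)


def pat_rewrite(pkt, new_src, new_port):
    """Many-to-one NAT: also rewrite the 16-bit source port it assumes follows the
    IP header. On raw ESP those two bytes are the top half of the SPI."""
    pkt = nat_rewrite_src(pkt, new_src)
    return pkt[:20] + struct.pack("!H", new_port) + pkt[22:]


def nat_t_encapsulate(esp_pkt, src_port=4500):
    """NAT transparency in the RFC 3948 style: ESP rides inside UDP to port 4500,
    so the PAT device has a real UDP header whose ports it can translate."""
    ip_hdr, esp_body = esp_pkt[:20], esp_pkt[20:]
    udp_hdr = struct.pack("!HHHH", src_port, 4500, 8 + len(esp_body), 0)
    return ip_hdr[:9] + bytes([17]) + ip_hdr[10:] + udp_hdr + esp_body  # proto = UDP


def nat_t_decapsulate(pkt):
    """Peer strips the UDP header; the ESP packet inside was never touched by PAT."""
    return pkt[:20] + pkt[28:]


def ah_after_nat():
    pkt = build_ah_packet(INSIDE, PEER, b"inner packet")
    return verify_ah_packet(nat_rewrite_src(pkt, OUTSIDE))


def esp_after_nat():
    pkt = build_esp_packet(INSIDE, PEER, b"encrypted inner packet")
    return verify_esp_packet(nat_rewrite_src(pkt, OUTSIDE))


def esp_after_pat():
    pkt = build_esp_packet(INSIDE, PEER, b"encrypted inner packet")
    return verify_esp_packet(pat_rewrite(pkt, OUTSIDE, 61234))


def esp_after_pat_with_nat_t():
    pkt = build_esp_packet(INSIDE, PEER, b"encrypted inner packet")
    wire = pat_rewrite(nat_t_encapsulate(pkt), OUTSIDE, 61234)
    return verify_esp_packet(nat_t_decapsulate(wire))


if __name__ == "__main__":
    print("AH through 1:1 NAT accepted:         ", ah_after_nat())
    print("ESP through 1:1 NAT accepted:        ", esp_after_nat())
    print("raw ESP through PAT accepted:        ", esp_after_pat())
    print("ESP in UDP 4500 through PAT accepted:", esp_after_pat_with_nat_t())
```

Run as a script it prints False, True, False, True in that order. The last case is what the excerpt calls NAT transparency: the PAT device only ever touches the outer IP and UDP headers, and the ESP ICV never covered those, so the peer verifies the inner packet unchanged. The same mechanism is why modern IKE does not stay on UDP 500 behind PAT: once NAT is detected, both IKE and ESP move to UDP 4500, where the peer tells them apart by a four-zero-byte non-ESP marker that precedes IKE messages (an ESP packet can never start with SPI zero).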
