Re: IPSEC from behind dumb NAT. How?
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 10/29/02
- Next message: tech: "Re: Permissions for shared folders"
- Previous message: Wallace, David K.: "Re: Remote Console"
- In reply to: at: "Re: IPSEC from behind dumb NAT. How?"
- Next in thread: Christopher J. Black [MS]: "Re: IPSEC from behind dumb NAT. How?"
- Reply: Christopher J. Black [MS]: "Re: IPSEC from behind dumb NAT. How?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com> Date: Tue, 29 Oct 2002 14:13:02 -0500
Sorry, I missed the description of your NAT device.
What I meant to say in my post was, I understand that you are using ESP, but
also be sure AH is not also enabled at both endpoints, since this will cause
IPsec VPN to not work if your NAT router does not support IPsec passthrough.
One other thing: I believe ESP also gives you the option of authenticating
the IP header / source address just like AH does, so you may need to confirm
that both endpoints have this option disabled, if there is a way to disable
it. Again, if you're using the Microsoft client, I would check the URLs in
the post below, unless someone else gives better information.
Another option is to buy a router that supports IPsec passthrough. Some of
them start at $70 US.
Here are some other URLs that may give information on configuring the
Microsoft IPsec client:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q252735 - IPsec
tunneling & encryption
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q308208 - Setting up
a VPN server
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q253169 - Traffic
that cannot be secured by IPsec encryption
searching www.microsoft.com/support for "ipsec NAT"
"at" <atarasul@spencerstuart.com> wrote in message
news:uMnjWo3fCHA.2392@tkmsftngp08...
> As I stated, I'm using a generic SOHO NAT/DHCP hardware router/firewall on the
> border of the source network.
> I'm not expecting any "help" from the router. What I really want is to use a
> subset of IPSEC functionality to authenticate/encrypt the payload
> using a shared key or certificates WITHOUT verification of the source address.
> Verification of the source address will be done by the IP filter list part of the IPSEC
> policy, and yes, I know about the possibility of
> an attack such as spoofing the source address together with breaking the encryption
> (3DES certificate).
>
>
>
> "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> news:#ViSTG3fCHA.1652@tkmsftngp11...
> >
> > "Alexander Tarasul" <tarasul@hotmail.com> wrote in message
> > news:cb179245.0210290751.21c3d220@posting.google.com...
> > > I've read from multiple places that ESP IPSEC from behind NAT is
> > > possible.
> > > Here is my scenario.
> > > I have Win2K server behind generic SOHO NAT/DHCP (for simplicity
> > > public address is 171.1.2.3, internal DHCP address is 192.168.0.5) and
> > > another Win2K server on the internet (say 172.3.2.1). NAT doing port
> > > translations.
> > > No NAT on destination server. No RAS server installed. I want to
> > > secure channel between them using IPSEC ESP (to authenticate and
> > > encrypt payload adding one more layer to layered security).
> > >
> > > I've actually got main mode established, but when destination host
> > > going into Quick Mode it's failing.
> > > The addresses configured in IPSEC are 171.1.2.3 and 172.3.2.1.
> > > In the failure message written into the EventLog I see that 192.168.0.5 is not
> > > configured.
> > > This means to me that ESP still verifies addresses.
> > > What am I doing wrong?
> > > Any step by step guide how to do this?
> >
> > First, if you're using Windows 2000 as a router, I would probably advise
> > using a real router... even a $70 Linksys NAT device will do "IPsec
> > Passthrough" to allow IPsec VPN.
> >
> > As you may already know, if you're also using AH in addition to ESP, this
> > will cause a problem.
> >
> > This is about the extent of my knowledge on the subject, I hope it is
> > helpful. I'm not sure there is a way to get Win2000 IPsec to work with
> > Win2000 NAT. Further information can be found by searching
> > www.microsoft.com/support for "ipsec NAT"
> >
> >
>
>
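The thread's central point is that AH breaks behind a NAT while ESP does not, because the AH integrity check covers the outer IP addresses and the ESP integrity check does not. The following is an added example, not code from the thread or from the Microsoft IPsec client: it builds constructed AH and ESP packets from the private address in the original post, pushes them through a model of what a SOHO NAT does (rewrite source address, fix checksum, decrement TTL), and re-verifies the ICV on the far side. Integrity is HMAC-SHA1-96 as in RFC 2404; the key, SPI and payload are made-up, and the "encryption" is a keystream XOR standing in for 3DES, since only the scope of the ICV matters here.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-integrity-key"   # assumption: the SA's integrity key
SPI = 0x1000                               # assumption: SPI agreed in Quick Mode
ICV_LEN = 12                               # HMAC-SHA1-96 keeps 96 bits of the MAC
INSIDE_ADDR, PUBLIC_ADDR, PEER_ADDR = "192.168.0.5", "171.1.2.3", "172.3.2.1"
PROTO_ESP, PROTO_AH, NEXT_UDP = 50, 51, 17


def ip_checksum(data: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    def a2b(a):
        return bytes(int(o) for o in a.split("."))
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                                0x4000, ttl, proto, 0, a2b(src), a2b(dst)))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)


def nat_outbound(pkt: bytes) -> bytes:
    """Model of a port-translating SOHO NAT: swap the private source for the public
    address, decrement TTL, fix the header checksum. Protocols 50 and 51 carry no
    port numbers, so there is nothing else for it to rewrite."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = bytes(int(o) for o in PUBLIC_ADDR.split("."))
    hdr[8] -= 1
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def ah_icv(ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    """RFC 4302 3.3.3.1: HMAC over the IP header with its mutable fields (TOS/ECN,
    flags, fragment offset, TTL, checksum) zeroed, the AH header with the ICV field
    zeroed, and the payload. Source and destination addresses ARE covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    mac = hmac.new(KEY, bytes(h) + ah_no_icv + b"\0" * ICV_LEN + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_ah(src: str, dst: str, payload: bytes, seq: int = 1) -> bytes:
    # AH header: next header, payload length (32-bit words minus 2), reserved, SPI, seq
    ah_no_icv = struct.pack("!BBHII", NEXT_UDP, (12 + ICV_LEN) // 4 - 2, 0, SPI, seq)
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + 12 + ICV_LEN + len(payload))
    return ip_hdr + ah_no_icv + ah_icv(ip_hdr, ah_no_icv, payload) + payload


def verify_ah(pkt: bytes) -> bool:
    ip_hdr, ah_no_icv = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_no_icv, payload))


def esp_icv(esp_body: bytes) -> bytes:
    """RFC 4303 2.8: the ICV covers SPI, sequence number, ciphertext and the
    encrypted trailer only. The outer IP header is NOT part of it."""
    return hmac.new(KEY, esp_body, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(src: str, dst: str, payload: bytes, seq: int = 1) -> bytes:
    pad_len = (-(len(payload) + 2)) % 4               # trailer keeps 4-byte alignment
    plaintext = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_UDP])
    ks = hashlib.sha256(KEY + struct.pack("!I", seq)).digest()   # stand-in for 3DES-CBC
    ct = bytes(b ^ ks[i % len(ks)] for i, b in enumerate(plaintext))
    esp_body = struct.pack("!II", SPI, seq) + ct
    ip_hdr = ipv4_header(src, dst, PROTO_ESP, 20 + len(esp_body) + ICV_LEN)
    return ip_hdr + esp_body + esp_icv(esp_body)


def verify_esp(pkt: bytes) -> bool:
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(body))


def ah_survives_nat() -> bool:
    """AH sent from 192.168.0.5 arrives at the peer with source 171.1.2.3: ICV fails."""
    return verify_ah(nat_outbound(build_ah(INSIDE_ADDR, PEER_ADDR, b"hello")))


def esp_survives_nat() -> bool:
    """Same NAT rewrite on an ESP packet leaves the ICV intact."""
    return verify_esp(nat_outbound(build_esp(INSIDE_ADDR, PEER_ADDR, b"hello")))


if __name__ == "__main__":
    print("AH verifies after NAT:", ah_survives_nat())
    print("ESP verifies after NAT:", esp_survives_nat())
```

Two caveats the model makes visible. First, even ESP only survives at the integrity layer; a NAT that translates ports has no port field in protocol 50 to key its state on, which is what "IPsec passthrough" on a SOHO router works around. Second, whether a given IKE implementation then accepts a Quick Mode proposal whose selector carries the private address is a separate question from the ICV, and is the failure the original post reports.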