Security Basics mailing list archives

Re: IPSec Problem over Router


From: Peter Wohlers <pedro () whack org>
Date: Thu, 25 Sep 2003 23:43:56 -0700

Rodney Green wrote:

> red temptation wrote:
>
>> hi,
>>
>> we have a problem concerning IPSec. We want to create
>> a tunnel from a WinXP laptop (located on the Internet
>> with an official IP) to a private network (using
>> NAT). For authentication purposes we use certificates.
>>
>> It's no problem to open port 500 on our current
>> network router, but protocols 50 and 51 are not
>> supported while using NAT. That's why we are not able
>> to establish an IPSec tunnel with that router.
>>
>> Can anyone suggest a low-cost router with the ability
>> to store certificates and enable us to establish the
>> tunnel? It should have an included firewall.
>
> What router do you have? IP 50 should work with NAT because the IP header is not included in the authenticated data, so it's passed through NAT without problems.


The problem with NAT and IP protocols 50 and 51 is twofold. They don't have any concept of 'ports' as in UDP or TCP, which NAT uses to function. These protocols also don't have any 'state' per se, so firewalls get crabby with them too. The way to get around it is through NAT-T, or NAT traversal, which basically encapsulates these protocols inside of UDP (or in some implementations, TCP) so that they can be NATted without issue. This function basically is something that needs to be supported between the VPN client and server.

MS has recently published a free enhancement, the Advanced Networking Pack, that may help you, as it adds NAT traversal capability. I haven't played with it yet, but you can't argue with the price ;) It may be what you're looking for.

http://www.microsoft.com/downloads/details.aspx?FamilyID=e88cc382-8ce6-4739-97c0-1a52a6f005e4&DisplayLang=en

Good luck :)

You could also possibly build a router-to-router tunnel and just define the two hosts in question as the boundaries of the encryption domain. The Cisco 1700 series can do that, and it supports certificates. How rigid is the certificates issue? If you wanted to use pre-shared keys, it would open up your options a bit as well.

--
Peter Wohlers
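A constructed illustration of the ports point made above (an added example, not code from any of the list posters or from Microsoft): it builds a raw ESP packet and the same ESP datagram wrapped in UDP 4500 the way NAT-T sends it, shows what a port-based NAT can key a translation entry on in each case, and decodes the RFC 3948 non-ESP marker that lets IKE and ESP share port 4500. Addresses, SPI and payload bytes are made up.

```python
import socket
import struct

# Constructed demo of why NAT needs NAT-T for IPsec; not a real packet library.
IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
NAT_T_PORT = 4500                      # RFC 3948: UDP port for encapsulated ESP and IKE
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # SPI 0 is reserved, so 4 zero bytes flag IKE, not ESP


def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header: no options, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def esp_header(spi, seq):
    """ESP begins with SPI and sequence number; everything after is encrypted."""
    return struct.pack("!II", spi, seq)


def raw_esp(src, dst, spi, seq, payload=b"\x00" * 8):
    """IP protocol 50 directly on top of IPv4 (what the poster's router cannot NAT)."""
    body = esp_header(spi, seq) + payload
    return ipv4_header(IPPROTO_ESP, src, dst, len(body)) + body


def natt_esp(src, dst, spi, seq, sport=NAT_T_PORT, payload=b"\x00" * 8):
    """The same ESP datagram wrapped in UDP 4500, as NAT-T sends it."""
    body = esp_header(spi, seq) + payload
    udp = struct.pack("!HHHH", sport, NAT_T_PORT, 8 + len(body), 0)
    return ipv4_header(IPPROTO_UDP, src, dst, 8 + len(body)) + udp + body


def nat_mapping(pkt):
    """Key a port-based NAT could use for its translation entry, or None.
    UDP yields (proto, src, sport). ESP carries an SPI, not a port, so there is
    nothing to rewrite and track; AH also authenticates the outer addresses,
    so rewriting them would break its integrity check."""
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    if proto == IPPROTO_UDP:
        sport, _dport = struct.unpack("!HH", pkt[20:24])
        return (proto, src, sport)
    if proto in (IPPROTO_ESP, IPPROTO_AH):
        return None
    raise ValueError("unexpected protocol %d" % proto)


def classify_port4500(udp_body):
    """RFC 3948 demultiplexing on port 4500: zero marker means IKE, else ESP."""
    if udp_body[:4] == NON_ESP_MARKER:
        return "IKE"
    return "ESP spi=0x%08x" % struct.unpack("!I", udp_body[:4])[0]
```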
