Security Basics mailing list archives
Re: VPN problems
From: Kim Guldberg <kim () bufferzone dk>
Date: Tue, 12 Jun 2007 20:18:36 +0200
If your VPN uses IPSec's AH protocol it doesn't matter how NAT-T aware your router is. AH is entirely incompatible with NAT and will not work with NATed connections.
Regards
Ansgar Wiechers
Exactly!!! If I don't remember incorrectly, you can get around the problem with NAT by placing the VPN gateway in such a way that it bypasses the router. This will remove the problems with NAT but create a security issue.
All those claiming that IPSec does not have NAT problems must be bypassing the firewall/router.
Another solution could be to use e.g. a Cisco VPN gateway. Cisco has solved the NAT problem by encapsulating the IPSec packet in yet another IP header. This solution is proprietary of course. Maybe zywall has something along this
Regards
Kim Guldberg
CPSA, GCFW
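Why AH fails across NAT while ESP's integrity check does not, as an added example that is not part of the original message: a simplified model in which the AH integrity check value (ICV) covers the outer source and destination addresses and the ESP ICV covers only the payload. The key, the addresses and the helper names (`Packet`, `protect`, `nat`, `verify`, `results`) are constructed for illustration; real AH and ESP also authenticate their own header fields such as the SPI and sequence number.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"  # constructed; stands in for the SA's integrity key


@dataclass(frozen=True)
class Packet:
    src: str         # outer IP source address
    dst: str         # outer IP destination address
    payload: bytes   # protected upper-layer data
    icv: bytes = b""


def _addr(ip: str) -> bytes:
    return ipaddress.ip_address(ip).packed


def ah_icv(p: Packet) -> bytes:
    # AH model: the ICV covers immutable outer IP header fields (src, dst) and the payload.
    return hmac.new(KEY, _addr(p.src) + _addr(p.dst) + p.payload, hashlib.sha256).digest()


def esp_icv(p: Packet) -> bytes:
    # ESP model: the ICV covers the ESP payload only, not the outer IP header.
    return hmac.new(KEY, p.payload, hashlib.sha256).digest()


def protect(p: Packet, icv_fn) -> Packet:
    return replace(p, icv=icv_fn(p))


def nat(p: Packet, public_ip: str) -> Packet:
    # Source NAT: the router rewrites the source address and cannot recompute the keyed ICV.
    return replace(p, src=public_ip)


def verify(p: Packet, icv_fn) -> bool:
    return hmac.compare_digest(p.icv, icv_fn(p))


def results() -> dict:
    # Constructed sample packet: private client to a VPN gateway in a documentation range.
    pkt = Packet("192.168.1.10", "198.51.100.20", b"constructed payload")
    return {
        "ah_direct": verify(protect(pkt, ah_icv), ah_icv),
        "ah_after_nat": verify(nat(protect(pkt, ah_icv), "203.0.113.7"), ah_icv),
        "esp_after_nat": verify(nat(protect(pkt, esp_icv), "203.0.113.7"), esp_icv),
    }
```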