Firewall Wizards mailing list archives

RE: VPN through DSL


From: "Joe Keegan" <joe () jjk3 com>
Date: Wed, 13 Mar 2002 15:45:10 -0800

I thought that NAT only affected AH and not ESP.

This is due to the fact that AH generates its ICV based on the whole
packet (minus the mutable fields, such as TTL). When the packet goes
through a NAT, the header changes and the ICV no longer matches.

ESP does not include the IP header at all when calculating the ICV, so
NATs do not affect ESP.

If the statement above is correct, then her NAT should not be part of
the problem. Unless of course she was using AH, instead of ESP, but then
there would be no encryption and it would kind of miss the point of the
VPN over the Internet.

Joe

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com] On Behalf Of
rob.roberson () verizon com
Sent: Wednesday, March 13, 2002 10:45 AM
To: firewall-wizards () nfr com
Subject: RE: [fw-wiz] VPN through DSL


My company uses the same Nortel client. I run it behind a Linux/IPTables
packet filter utilizing NAT. It works great.

Most likely it is the DSL provider.

~Rob Roberson

---------------



On Wed, 13 Mar 2002, Peter Lukas wrote:

Sounds like your VPN software runs on your client machine and your DSL
router is running NAT. This will cause problems for most any VPN
connection. It is also possible that your provider is blocking certain
protocols required for VPN connections as Jeffrey points out.

Verify that your DSL router is running NAT and investigate options to
obtain static IP addresses for your client machines from your provider.
Short of that, you'll need to determine whether or not your VPN software
can be used behind a NATed connection.

Good Luck!

Peter Lukas



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
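
Added example, not part of the original thread: a simplified Python model of the ICV coverage discussed above, showing an AH check failing after a source-address rewrite while the ESP check still passes. The key, addresses, SPIs and payload are constructed, the ESP payload stands in for ciphertext, and the model covers only the ICV computation, not other ways a NAT device can interfere with IPsec.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"   # constructed sample key, shared by both peers
ICV_LEN = 12                    # HMAC-SHA1-96 truncation

def mac(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]

def ip_header(src, dst, proto, body_len, ttl=64):
    # 20-byte IPv4 header; the header checksum is left at zero in this model
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_input(pkt):
    # What AH authenticates: IP header with mutable fields zeroed (TOS,
    # flags/fragment offset, TTL, checksum), AH header with ICV zeroed, payload
    ip = bytearray(pkt[:20])
    ip[1] = 0
    ip[6:8] = b"\x00\x00"
    ip[8] = 0
    ip[10:12] = b"\x00\x00"
    return bytes(ip) + pkt[20:32] + bytes(ICV_LEN) + pkt[44:]

def build_ah(src, dst, payload):
    ah = struct.pack("!BBHII", 6, 4, 0, 0x1001, 1)  # next hdr, len, rsvd, SPI, seq
    pkt = ip_header(src, dst, 51, 24 + len(payload)) + ah + bytes(ICV_LEN) + payload
    return pkt[:32] + mac(ah_input(pkt)) + pkt[44:]

def verify_ah(pkt):
    return hmac.compare_digest(pkt[32:44], mac(ah_input(pkt)))

def build_esp(src, dst, payload):
    # The ESP ICV covers SPI, sequence number and payload, never the IP header
    esp = struct.pack("!II", 0x2002, 1) + payload
    return ip_header(src, dst, 50, len(esp) + ICV_LEN) + esp + mac(esp)

def verify_esp(pkt):
    return hmac.compare_digest(pkt[-ICV_LEN:], mac(pkt[20:-ICV_LEN]))

def forward(pkt, nat_src=None):
    # A router decrements TTL; a NAT device also rewrites the source address
    out = bytearray(pkt)
    out[8] -= 1
    if nat_src:
        out[12:16] = socket.inet_aton(nat_src)
    return bytes(out)

if __name__ == "__main__":
    for name, build, verify in (("AH", build_ah, verify_ah), ("ESP", build_esp, verify_esp)):
        pkt = build("192.168.1.10", "203.0.113.5", b"constructed payload")
        print(name, "routed:", verify(forward(pkt)), "NATed:", verify(forward(pkt, "198.51.100.7")))
```
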
