Firewall Wizards mailing list archives

ipsec nat traversal-conclude


From: "Fredrik Lindström" <fredrik () dunenets net>
Date: Tue, 4 Mar 2003 17:20:49 +0100 (CET)

Hi Simon,

The first scenario assumes that you have public IP addresses and don't NAT
in the first firewall, and it will work in that case.

The second is a way around it: Check Point, and others, have support for
tunneling over UDP. In Check Point's case it's UDP 2746 by default. You still
need to allow IKE and FW1_topo though.

With FireWall-1 NG FP4, Check Point will also have support for tunneling
over TCP, default port 443 (HTTPS).

Regards

Fredrik



Message: 1
To: firewall-wizards () honor icsalabs com
From: SimonChan () lifeisgreat com sg
Date: Mon, 3 Mar 2003 21:23:57 +0800
Subject: [fw-wiz] ipsec nat traversal-conclude

Hi all,

Having gone over various sources, I've come to this conclusion for the
following scenario:

          IPsec Client------  FW Nat (nat)  ---- FW/VPN Nat(nat) ------Lan

(the 2nd FW/VPN has a public IP which is static natted by the 1st FW)

The IPSec Client can only connect to the terminating VPN gateway
behind the 1st FW on the following conditions:

* the IPsec is using ESP transport (does not encrypt the IP header,
  only the payload)
  (ESP tunnel will encrypt the IP header, AH will perform Hash on the
  IP header causing NAT to fail)


Some queries still bugging me.

* I have a suggestion to open IP protocol 50-ESP and 51-AH and UDP
500-IKE. Is this sufficient?

* Some VPN clients, e.g. SecuRemote, can encapsulate
IPSec packets in another layer of UDP so any NAT along the path
doesn't try to alter the IP header.

Are the above 2 methods an alternative to IPSec NAT traversal?



tks.

Rgds,

Simon









_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards




__________________
Fredrik Lindström
www.dunenets.net
(Live a long life)
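The thread's core point, that AH cannot survive NAT while ESP transport and UDP-encapsulated ESP can, follows directly from what each integrity check covers. The following is an added illustration, not code from either poster or from any vendor: it builds simplified IPv4 and UDP headers, uses HMAC-SHA256 with a constructed key as a stand-in for the negotiated SA integrity algorithm, and reuses Check Point's UDP 2746 from the thread as a constructed port number. The AH masking of mutable fields (TOS, flags/fragment offset, TTL, checksum) follows the AH specification; source and destination addresses are deliberately left covered, which is exactly what NAT rewrites.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real SA key is negotiated by IKE (UDP 500).
DEMO_KEY = b"constructed-demo-integrity-key"


def ip_bytes(addr: str) -> bytes:
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left zero; unused here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ip_bytes(src), ip_bytes(dst))


def nat_rewrite_src(header: bytes, new_src: str) -> bytes:
    """What a source NAT does to the outer header: replace bytes 12..15."""
    return header[:12] + ip_bytes(new_src) + header[16:]


def mask_mutable_fields(header: bytes) -> bytes:
    """AH zeroes the mutable fields before hashing (TOS, flags/fragment
    offset, TTL, header checksum) but keeps src/dst addresses covered."""
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(header: bytes, payload: bytes) -> bytes:
    """AH (IP protocol 51) integrity value: masked IP header plus payload."""
    return hmac.new(DEMO_KEY, mask_mutable_fields(header) + payload,
                    hashlib.sha256).digest()


def esp_icv(esp_body: bytes) -> bytes:
    """ESP (IP protocol 50) integrity value: ESP header+payload only,
    never the outer IP header."""
    return hmac.new(DEMO_KEY, esp_body, hashlib.sha256).digest()


def ah_survives_nat(src: str, dst: str, payload: bytes, nat_src: str) -> bool:
    """Sender computes the AH ICV, NAT rewrites the source, receiver verifies."""
    hdr = ipv4_header(src, dst, 51)
    sent_icv = ah_icv(hdr, payload)
    received_hdr = nat_rewrite_src(hdr, nat_src)
    return hmac.compare_digest(sent_icv, ah_icv(received_hdr, payload))


def esp_transport_survives_nat(src: str, dst: str, esp_body: bytes,
                               nat_src: str) -> bool:
    """Same flow for ESP transport: the outer header changes, but the
    receiver verifies over the ESP body alone, which NAT never touched."""
    hdr = ipv4_header(src, dst, 50)
    sent_icv = esp_icv(esp_body)
    received_hdr = nat_rewrite_src(hdr, nat_src)
    assert received_hdr != hdr  # NAT did change the packet
    return hmac.compare_digest(sent_icv, esp_icv(esp_body))


def udp_encapsulate(sport: int, dport: int, esp_body: bytes) -> bytes:
    """Wrap an ESP packet in a UDP header so NAT sees ordinary UDP and
    rewrites only outer addresses/ports (UDP checksum left zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(esp_body), 0) + esp_body


def nat_rewrite_udp_sport(datagram: bytes, new_sport: int) -> bytes:
    """A NAPT device typically rewrites the UDP source port too."""
    return struct.pack("!H", new_sport) + datagram[2:]


def udp_encapsulated_esp_survives_nat(esp_body: bytes, sport: int,
                                      dport: int, nat_sport: int) -> bool:
    """Receiver strips the UDP header and verifies the untouched ESP body."""
    sent_icv = esp_icv(esp_body)
    after_nat = nat_rewrite_udp_sport(udp_encapsulate(sport, dport, esp_body),
                                      nat_sport)
    inner_esp = after_nat[8:]
    return hmac.compare_digest(sent_icv, esp_icv(inner_esp))


if __name__ == "__main__":
    client, gw, nat_public = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    print("AH through NAT verifies:", ah_survives_nat(client, gw, b"data", nat_public))
    print("ESP transport through NAT verifies:",
          esp_transport_survives_nat(client, gw, b"esp-body", nat_public))
    print("UDP-encapsulated ESP (port 2746) through NAPT verifies:",
          udp_encapsulated_esp_survives_nat(b"esp-body", 2746, 2746, 40001))
```

Two caveats worth knowing when reviewing such a design: even in transport mode the inner TCP/UDP checksum covers a pseudo-header with the original addresses, so a NAT that rewrites the outer header still breaks the inner checksum unless the peer compensates, which is one of the reasons the standardised UDP encapsulation (RFC 3948, UDP port 4500, negotiated via IKE NAT-T) exists alongside vendor-specific ports like 2746. And because a NAT also rewrites UDP source ports, the firewall rule for the encapsulating port must allow the translated, not the original, source port.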




