Firewall Wizards mailing list archives

Re: ipsec nat traversal-conclude


From: Dave Rinker <firewall () dsrtech com>
Date: 03 Mar 2003 18:43:17 -0500



The latter is your best bet.

IPSec packets in another layer of UDP so any NAT along the path
doesn't try to alter the IP header.

I don't know the FW you're using but I've read Cisco will have ESP NAT/PAT
traversal in its 6.3 release.

Best of luck.



On Mon, 2003-03-03 at 08:23, SimonChan () lifeisgreat com sg wrote:
Hi all,

Having gone over various sources, I've come to this conclusion for the
following scenario:

          IPsec Client------  FW Nat (nat)  ---- FW/VPN Nat(nat) ------Lan

(the 2nd FW/VPN has a public IP which is statically NATed by the 1st FW)

The IPSec Client can only connect to the terminating VPN gateway behind
the 1st FW on the following conditions:


* the IPsec is using ESP transport (does not encrypt the IP header, only
the payload)
     (ESP tunnel will encrypt the IP header; AH will perform a hash on the IP
header, causing NAT to fail)


Some queries still bugging me.

* I have a suggestion to open IP protocol 50 (ESP) and 51 (AH) and UDP 500 (IKE).
Is this sufficient?

* Some VPN clients, e.g. SecuRemote, can encapsulate
IPSec packets in another layer of UDP so any NAT along the path
doesn't try to alter the IP header.

Are the above 2 methods an alternative to IPSec NAT traversal?



tks.

Rgds,

Simon



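As an added example (constructed here, not part of this thread), the Python below simulates the three cases the thread discusses: AH's integrity check covers the immutable IP address fields, so a NAT on the path that rewrites the source address breaks it; ESP's check covers only the ESP header and payload, so an address rewrite leaves it intact; and UDP-encapsulating ESP on port 4500 (RFC 3948) additionally gives a PAT device a port to translate, which raw ESP has none of. The headers, key and payload are minimal constructed stand-ins, and encryption is omitted because only the integrity check matters for this point.

```python
import hashlib, hmac, struct

KEY = b"constructed-demo-key"   # constructed; real SA keys are negotiated by IKE
UDP_ENCAP_PORT = 4500           # UDP encapsulation port from RFC 3948
addr = lambda a: bytes(int(o) for o in a.split("."))   # dotted quad -> 4 bytes

def ipv4_header(src, dst, proto, ttl=64):
    # Minimal 20-byte IPv4 header (constructed; checksum left zero for brevity)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0, addr(src), addr(dst))

def icv(data):
    # HMAC-SHA1-96, the truncated integrity tag used by both AH and ESP
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_covered(ip_hdr):
    # AH authenticates the IP header with mutable fields (TTL, checksum) zeroed;
    # the source/destination addresses are immutable, so they stay covered.
    h = bytearray(ip_hdr)
    h[8], h[10:12] = 0, b"\0\0"
    return bytes(h)

def ah_send(src, dst, payload):
    ip_hdr = ipv4_header(src, dst, 51)                       # protocol 51 = AH
    return ip_hdr, payload, icv(ah_covered(ip_hdr) + payload)

def ah_receive(ip_hdr, payload, tag):
    return hmac.compare_digest(tag, icv(ah_covered(ip_hdr) + payload))

def esp_send(src, dst, spi, seq, payload, udp_encap=False):
    # ESP transport mode: the ICV covers ESP header + payload, never the IP header.
    # With udp_encap the ESP packet is wrapped in UDP/4500 as RFC 3948 describes.
    esp = struct.pack("!II", spi, seq) + payload
    esp += icv(esp)
    if udp_encap:
        udp = struct.pack("!HHHH", UDP_ENCAP_PORT, UDP_ENCAP_PORT, 8 + len(esp), 0)
        return ipv4_header(src, dst, 17), udp + esp            # protocol 17 = UDP
    return ipv4_header(src, dst, 50), esp                      # protocol 50 = ESP

def esp_receive(ip_hdr, body):
    if ip_hdr[9] == 17:                  # UDP-encapsulated: strip the 8-byte UDP header
        body = body[8:]
    return hmac.compare_digest(body[-12:], icv(body[:-12]))

def nat(ip_hdr, body, new_src, new_sport=None):
    # Source NAT: rewrite the source address, decrement TTL; for UDP also rewrite the source port (PAT)
    h = bytearray(ip_hdr)
    h[12:16], h[8] = addr(new_src), h[8] - 1
    if h[9] == 17 and new_sport is not None:
        body = struct.pack("!H", new_sport) + body[2:]
    return bytes(h), body
```

Running `ah_receive` on a packet after `nat` returns False, while `esp_receive` still returns True for both raw and UDP-encapsulated ESP, even when the PAT device also changes the UDP source port.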



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
