Firewall Wizards mailing list archives
Re: Onegate 1000 passing IPSEC traffic through?
From: Jeffery.Gieser () minnesotamutual com
Date: Fri, 26 Jan 2001 08:23:58 -0600
Victor,

#Access to the internet is provided by Onegate 1000 box, and it is
#performing NAT service.
#I'd like to know if anyone had experience with setting the Onegate box
#for passing the IPSEC traffic through, or am I fighting a lost cause?

I don't know anything about Onegate but I can give you some tips on passing IPSec traffic. I would check for two things.

1. Is your VPN using AH (protocol 51)? A VPN only needs to use ISAKMP (UDP port 51) and ESP (protocol 50). The issue with AH is that, since it is used for authenticating headers and NAT changes part of the header, AH does not work with NAT.

2. The second issue is with ISAKMP. ISAKMP must have a source port and a destination port of UDP port 500. If your Onegate is changing the source port to a random port above 1023 then the VPN will not work.

A sniffer should show you whether or not you are encountering either problem.

Regards,
Jeffery Gieser

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
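The two sniffer checks from the reply above, as an added example that is not part of the original post: it classifies raw IPv4 packets captured on the external side of the NAT device and flags AH traffic and ISAKMP packets whose source port is no longer 500. The function names, verdict strings and sample packets are constructed for illustration.

```python
import struct

AH, ESP, UDP = 51, 50, 17      # IP protocol numbers
ISAKMP_PORT = 500              # UDP port for ISAKMP, per point 2 of the reply

def classify(packet: bytes) -> str:
    """Classify one raw outbound IPv4 packet seen on the external side of the NAT."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4               # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "not-ipv4"
    proto = packet[9]
    if proto == AH:
        return "ah-present"                    # check 1: AH does not work with NAT
    if proto == ESP:
        return "esp"
    if proto == UDP and len(packet) >= ihl + 8:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if dport == ISAKMP_PORT:               # check 2: source port must still be 500
            return "isakmp-ok" if sport == ISAKMP_PORT else "isakmp-sport-rewritten"
    return "other"

def ipv4(proto: int, payload: bytes, src="192.0.2.10", dst="198.51.100.20") -> bytes:
    """Build a minimal IPv4 packet for the constructed samples (checksum left zero)."""
    pack_addr = lambda a: bytes(int(octet) for octet in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, pack_addr(src), pack_addr(dst))
    return header + payload

def udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed sample packets (documentation addresses, dummy payloads), not a real capture.
SAMPLES = {
    "ike, port preserved": ipv4(UDP, udp(500, 500, b"\x00" * 28)),
    "ike, port rewritten": ipv4(UDP, udp(40211, 500, b"\x00" * 28)),
    "esp data":            ipv4(ESP, b"\x00\x00\x10\x01\x00\x00\x00\x01"),
    "ah data":             ipv4(AH,  b"\x32\x04\x00\x00\x00\x00\x10\x01\x00\x00\x00\x01"),
    "dns query":           ipv4(UDP, udp(40212, 53)),
}

def report(samples: dict) -> dict:
    return {name: classify(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in report(SAMPLES).items():
        print(f"{name:22} {verdict}")
```

To use it on a real capture, pass each packet's bytes starting at the IPv4 header, with the link-layer header already stripped.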