Firewall Wizards mailing list archives

Re: Onegate 1000 passing IPSEC traffic through?


From: Jeffery.Gieser () minnesotamutual com
Date: Fri, 26 Jan 2001 08:23:58 -0600


Victor,

#Access to the internet is provided by Onegate 1000 box, and it is
#performing NAT service.

#I'd like to know if anyone had experience with setting the Onegate box
#for passing the IPSEC traffic through, or am I fighting a lost cause?

I don't know anything about Onegate but I can give you some tips on passing
IPSec traffic.  I would check for two things.

1.  Is your VPN using AH (protocol 51)?  A VPN only needs to use ISAKMP
(UDP port 51) and ESP (protocol 50).  The issue with AH is since it is used
for authenticating headers and NAT changes part of the header AH does not
work with NAT.

2.  The second issue is with ISAKMP.  ISAKMP must have a source port and a
destination port of UDP port 500.  If your Onegate is changing the source
port to a random port above 1023 then the VPN will not work.

A sniffer should show you whether or not you are encountering either
problem.

Regards,
Jeffery Gieser
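The two checks above can be turned into a small script that a sniffer capture could be fed through. The following is an added example, not part of the original reply: it builds a few constructed IPv4 packets (TEST-NET addresses, no checksums) and flags the two symptoms described, an AH header (protocol 51) and an ISAKMP packet whose source port is no longer UDP 500. The packet-building helpers and the `audit`/`classify` names are this example's own, not anything from the Onegate product or the list.

```python
import socket
import struct

# IP protocol numbers and the ISAKMP port named in the reply above
PROTO_ESP = 50
PROTO_AH = 51
PROTO_UDP = 17
ISAKMP_PORT = 500


def build_ipv4(proto, src, dst, payload):
    """Constructed minimal IPv4 header (IHL=5, checksum left 0) for test input only."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return header + payload


def build_udp(sport, dport, data):
    """Constructed UDP header (checksum left 0) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(pkt):
    """Return a list of NAT-related IPsec problems visible in one raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    findings = []
    if proto == PROTO_AH:
        # AH authenticates the IP header itself, so any NAT rewrite invalidates it
        findings.append(f"{src}->{dst}: AH (protocol 51) in use; will not survive NAT")
    elif proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if dport == ISAKMP_PORT and sport != ISAKMP_PORT:
            # ISAKMP expects udp/500 on both sides; a rewritten source port breaks it
            findings.append(
                f"{src}->{dst}: ISAKMP to udp/500 from source port {sport}; NAT rewrote the port"
            )
    # ESP (protocol 50) and well-formed ISAKMP produce no finding
    return findings


def audit(packets):
    """Run classify() over a capture and collect every finding."""
    findings = []
    for pkt in packets:
        findings.extend(classify(pkt))
    return findings


# Constructed sample "capture": one good ISAKMP exchange, one NATed ISAKMP, ESP, and AH
SAMPLE_PACKETS = [
    build_ipv4(PROTO_UDP, "192.0.2.10", "198.51.100.1", build_udp(500, 500, b"\x00" * 28)),
    build_ipv4(PROTO_UDP, "203.0.113.5", "198.51.100.1", build_udp(41234, 500, b"\x00" * 28)),
    build_ipv4(PROTO_ESP, "203.0.113.5", "198.51.100.1", b"\x00" * 8),
    build_ipv4(PROTO_AH, "203.0.113.5", "198.51.100.1", b"\x00" * 24),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS):
        print(line)
```

The first packet (udp/500 to udp/500) and the ESP packet pass silently; the packet whose source port was rewritten to 41234 and the AH packet each produce one finding, matching the two conditions in the reply. On a real capture the same logic can be applied to the raw IPv4 bytes of each frame after the link-layer header is stripped.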

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

