Firewall Wizards mailing list archives

Re: ipsec nat transversal


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Thu, 20 Feb 2003 10:12:48 +0100 (CET)

Hi!

> I have an existing Firewall / VPN gateway and we have remote users' VPN
> clients connecting to it.
>
> We are in the process of putting an additional firewall in front of the
> existing firewall.
> If both firewalls are running NAT, can the remote VPN client connect to the
> 2nd firewall?
>
> I understand that the term "ipsec Nat transversal" function is required on
> the 1st firewall
> in order to allow IPSec traffic to pass through.
>
> Is that correct?

Both the VPN client and your existing firewall need to support
that. NAT traversal is an IETF draft proposing to encapsulate
IPSec packets in another layer of UDP so any NAT along the path
doesn't try to alter the IP header (which is protected by AH).

Look here:

http://www.sandelman.ottawa.on.ca/ipsec/2000/07/msg00109.html
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-05.txt

This is what Google gave me at the first try, you may need to search
a little more.

HTH,
Patrick
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Scheffelstr. 17 a     Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe       http://punkt.de
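
Added example, not part of the message above or of the linked draft: a simplified Python model of why a NAT's address rewrite breaks the AH integrity check, while ESP wrapped in UDP still verifies after the same rewrite. The packet layout, key, addresses and ports are constructed for illustration, and real AH covers more immutable header fields than the two addresses modelled here.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed sample integrity key

def icv(data: bytes) -> bytes:
    """HMAC-SHA1 truncated to 96 bits, the MAC form used by AH and ESP."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_covered(pkt: dict) -> bytes:
    # Simplified: real AH also covers other immutable IP header fields.
    return socket.inet_aton(pkt["src"]) + socket.inet_aton(pkt["dst"]) + pkt["payload"]

def ah_send(src: str, dst: str, payload: bytes) -> dict:
    pkt = {"src": src, "dst": dst, "payload": payload}
    pkt["icv"] = icv(ah_covered(pkt))
    return pkt

def ah_verify(pkt: dict) -> bool:
    return hmac.compare_digest(pkt["icv"], icv(ah_covered(pkt)))

def esp_udp_send(src, dst, sport, dport, spi, seq, ciphertext) -> dict:
    # The ICV covers only the ESP header and ciphertext, not the outer IP/UDP.
    esp = struct.pack("!II", spi, seq) + ciphertext
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "esp": esp, "icv": icv(esp)}

def esp_udp_verify(pkt: dict) -> bool:
    return hmac.compare_digest(pkt["icv"], icv(pkt["esp"]))

def nat(pkt: dict, public_ip: str, public_port: int) -> dict:
    """Source NAT: rewrite the source address, and the UDP source port if any."""
    out = dict(pkt, src=public_ip)
    if "sport" in out:
        out["sport"] = public_port
    return out

if __name__ == "__main__":
    # Constructed sample traffic using documentation address ranges.
    ah = ah_send("192.168.1.10", "203.0.113.1", b"inner data")
    esp = esp_udp_send("192.168.1.10", "203.0.113.1", 4500, 4500, 0x1000, 1, b"\x8f" * 32)
    for name, ok in [("AH direct", ah_verify(ah)),
                     ("AH via NAT", ah_verify(nat(ah, "198.51.100.7", 61001))),
                     ("ESP-in-UDP via NAT", esp_udp_verify(nat(esp, "198.51.100.7", 61001)))]:
        print(f"{name}: {'ICV ok' if ok else 'ICV mismatch, dropped'}")
```

The UDP header also gives a port-translating NAT something to multiplex on, which a bare ESP packet lacks.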