Firewall Wizards mailing list archives
Re: Terminating Secureclient on a private address range
From: stevewillis () optusnet com au
Date: Tue, 19 Sep 2006 10:22:58 +1000
HI Martin, Thanks for your reply, I will research some of these articles for future reference as I didn't think this would work. The only reference I found before was based around an unsupported workaround by Check Point, I don't have it to hand (its at home, but I will post a reference to it once I get home) Here is the response I received from Nokia IPSec and NAT are inherently not compatible protocols, as IPSec protects the packet's integrity, whereas NAT changes the IP header and TCP/UDP header. If both IPSec and NAT operations are supported in the same security device (like Check Point), then the problem can be avoided by performing the NAT operation before doing IPSec and making sure that the IPSec end-points are in the public address space. For scenarios where there is a NAT device in-between (NAT-in-the-middle problem), the IPSec standards group at IETF has proposed a new protocol called "NAT traversal (NAT-T)". Here, the IPSec packet is encapsulated within a UDP packet using the IKE UDP port 500. Negotiation of NAT-T support of the peers as well as detection of NAT presence in the path is done during IKE phase-I. So, if your ISP router can provide NAT-T functionality then it's possible but it will add complexity and performance will be little slow as there will be twice the encryption (Packet to IPSEC + IPSEC to UDP). I would suggest to use valid IP addresses like your current setup to avoid issues (performance and connectivity). After discussions with the ISP it transpires that they are now going to give us public addresses for our external interfaces. Many thanks to everyone who passed on advice
Martin Hoz <martinhoz () gmail com> wrote: On 9/13/06, stevewillis () optusnet com au <stevewillis () optusnet com au> wrote:Thanks for the input, unfortunately I'm running NGAI R55 HFA17You still should be able to put a "fake" external interface on your topology, enable dynamic interface resolving and get into business as a known workaround. As well, If you search for "SecuRemote" and "NAT" on SecureKnowledge you will find a few articles talking about this type of scenario. I've tried myself some of those tricks and they work ;-) Good luck! - Martín. -- **** ¿Hoy qué haz hecho para ahorrar agua? - What have you done today to save water? - O que você têm feito hoje para conservar a água? ** Mi página web: http://gama.fime.uanl.mx/~mhoz/ * "Somos consecuencia del pasado, y causa de nuestro futuro." ** My Linux - http://www.slackware.com == My BSD - http://www.openbsd.org _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Terminating Secureclient on a private address range Steve Willis (Sep 13)
- Re: Terminating Secureclient on a private address range Martin Hoz (Sep 13)
- Re: Terminating Secureclient on a private address range Chuck Swiger (Sep 13)
- <Possible follow-ups>
- Re: Terminating Secureclient on a private address range stevewillis (Sep 14)
- Re: Terminating Secureclient on a private address range Martin Hoz (Sep 17)
- Re: Terminating Secureclient on a private address range stevewillis (Sep 19)