IPSec and TCP

Chris Carlson carlsonmail at yahoo.com
Tue Oct 5 20:05:35 EDT 1999


John,

You're probably going to have a hard time "proxying"
IPSec traffic through a firewall since IPSec is
sensitive to network address translation and
modification of its original packets, akin to what
proxying does.

Quick response, you have a few choices:

1) Use packet filtering and full routing, not
proxying, to permit IPSec, which is UDP and two other
IP types (IP 50,51);

2) Use packet filtering with static one-to-one NATs
for incoming traffic -- some VPNs are sensitive to
this and can't do it, others like CheckPoint can;

3) Terminate your IPSec sessions at your proxy
firewall, and allow clear text inside;

4) Terminate your IPSec sessions at your proxy
firewall, and set up inside tunnels from your firewall
to internal hosts.

5) Use a VPN product that runs in parallel to your
firewall, so you don't have to deal with it in the
first place!


Can anybody think of others?

Good luck!

Chris
--

--- John Smith <chomsky at dor.state.ma.us> wrote:
> 
> Hi,
>  
>  I'm new to IPSec and am trying to find a way to
> squeeze it through a
>  proxy-based firewall. It appears that IPSec is not
> TCP-based, but rather
>  uses another protocol. Is this the case? If so,
> does anyone know of a
>  firewall that proxies non-TCP or UDP based
> protocols?
>  
>  Thanks
>  
>  JPS
>  Mass DOR
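The opening point of the reply (IPsec breaks under NAT or proxying) and option 1 (route IP protocols 50 and 51 untouched) can be shown with a small model of the AH integrity check. This is an added example, not code from the thread; it models the RFC 4302 ICV with HMAC-SHA256 truncated to 96 bits, and the key, addresses and payload are constructed.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51  # IP protocol number for the Authentication Header (RFC 4302)

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Build a 20-byte IPv4 header; checksum left zero (AH ignores it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, proto, 0, src, dst)

def ah_icv(ip_hdr, ah_fixed, payload, key):
    """Simplified RFC 4302 ICV: HMAC-SHA256 (96-bit truncation) over the IP
    header with mutable fields zeroed (TOS, flags/offset, TTL, checksum), the
    fixed AH header, a zeroed ICV field and the payload. Addresses ARE covered."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0                 # TOS / DSCP
    hdr[6:8] = b"\x00\x00"     # flags + fragment offset
    hdr[8] = 0                 # TTL
    hdr[10:12] = b"\x00\x00"   # header checksum
    data = bytes(hdr) + ah_fixed + b"\x00" * 12 + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:12]

def build_ah_packet(src, dst, payload, key, spi=0x100, seq=1):
    """Sender: return (ip_header, fixed_ah_header, icv, payload)."""
    # next header = 17 (UDP); AH length = 4 (24 bytes in 32-bit words, minus 2)
    ah_fixed = struct.pack("!BBHII", 17, 4, 0, spi, seq)
    total = 20 + len(ah_fixed) + 12 + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total)
    return ip_hdr, ah_fixed, ah_icv(ip_hdr, ah_fixed, payload, key), payload

def verify_ah(ip_hdr, ah_fixed, icv, payload, key):
    """Receiver: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(ah_icv(ip_hdr, ah_fixed, payload, key), icv)

def nat_rewrite_src(ip_hdr, new_src):
    """What a NAT or proxy hop does on the way out: new source address, TTL-1."""
    hdr = bytearray(ip_hdr)
    hdr[12:16] = new_src
    hdr[8] -= 1
    return bytes(hdr)

def demo():
    """Return (verified_direct, verified_after_nat)."""
    key = b"constructed-demo-key"  # constructed; real AH keys come from IKE
    inside, peer, nat_ip = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1]), bytes([203, 0, 113, 9])
    ip_hdr, ah_fixed, icv, payload = build_ah_packet(inside, peer, b"hello", key)
    direct = verify_ah(ip_hdr, ah_fixed, icv, payload, key)
    natted = verify_ah(nat_rewrite_src(ip_hdr, nat_ip), ah_fixed, icv, payload, key)
    return direct, natted
```

The TTL change alone is tolerated because TTL is a mutable field, but the rewritten source address is not, so the receiver drops the packet. ESP (IP protocol 50) does not cover the outer IP header, but it carries no port numbers for a port-translating device to multiplex on, which is the other reason option 1 asks for plain routing of both protocols.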


****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html

We are currently experiencing "unsubscribe" difficulties.  If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com

****************************************************************



