IPSec and TCP
Chris Carlson
carlsonmail at yahoo.com
Tue Oct 5 20:05:35 EDT 1999
John,
You're probably going to have a hard time "proxying"
IPSec traffic through a firewall since IPSec is
sensitive to network address translation and
modification of its original packets, akin to what
proxying does.
Quick response, you have a few choices:
1) Use packet filtering and full routing, not
proxying, to permit IPSec, which is UDP and two other
IP types (IP 50,51);
2) Use packet filtering with static one-to-one NATs
for incoming traffic -- some VPNs are sensitive to
this and can't do it, others like CheckPoint can;
3) Terminate your IPSec sessions at your proxy
firewall, and allow clear text inside;
4) Terminate your IPSec sessions at your proxy
firewall, and set up inside tunnels from your firewall
to internal hosts.
5) Use a VPN product that runs in parallel to your
firewall, so you don't have to deal with it in the
first place!
Can anybody think of others?
Good luck!
Chris
--
--- John Smith <chomsky at dor.state.ma.us> wrote:
>
> Hi,
>
> I'm new to IPSec and am trying to find a way to
> squeeze it through a
> proxy-based firewall. It appears that IPSec is not
> TCP-based, but rather
> uses another protocol. Is this the case? If so,
> does anyone know of a
> firewall that proxies non-TCP or UDP based
> protocols?
>
> Thanks
>
> JPS
> Mass DOR
>
> ****************************************************************
> TO POST A MESSAGE on this list, send it to
> vpn at listserv.secnetgroup.com
>
> The VPN FAQ (under construction) is available at
> http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html
>
> We are currently experiencing "unsubscribe"
> difficulties. If you
> wish to unsubscribe, please send a message
> containing the single line
> "unsubscribe vpn your-e-mail-address" to
> owner-vpn at listserv.secnetgroup.com
>
>
> ****************************************************************
>
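Added example, not part of Chris's or John's mail: a small Python script that builds the three kinds of IPsec packet a firewall sees (IKE over UDP/500, ESP as IP protocol 50, AH as IP protocol 51), classifies them the way a packet filter would for option 1, and then applies the address rewrite a static one-to-one NAT performs (option 2) to show why AH fails integrity checking after NAT while ESP survives it. Addresses, SPIs, payloads and the shared key are constructed for the demo, encryption of the ESP payload is omitted because only the integrity scope matters here, and the packet builders are simplified stand-ins rather than any vendor's implementation.

```python
"""Added example (not from the original post): why IPsec will not go through a
TCP/UDP application proxy, and why AH breaks under NAT while ESP survives a
static one-to-one NAT.  All addresses, SPIs and the shared key are constructed
for the demo; ESP payload encryption is omitted (only integrity scope matters)."""
import hashlib
import hmac
import ipaddress
import struct

PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORT = 500
KEY = b"constructed-demo-key"   # stand-in for the SA's authentication key
ICV_LEN = 12                     # HMAC-SHA1-96 truncation used by AH/ESP


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero; it is a mutable field)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ah_icv(ip_hdr, ah_hdr_zero_icv, payload):
    """AH authenticates the outer IP header (mutable fields zeroed), the AH header
    with a zeroed ICV field, and everything after it.  The addresses are NOT
    mutable, so any NAT rewrite changes the authenticated bytes."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return hmac.new(KEY, bytes(h) + ah_hdr_zero_icv + payload, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(src, dst, spi, seq, inner_proto, inner):
    # next header, payload length (AH length in 32-bit words minus 2), reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", inner_proto, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, PROTO_AH, len(ah_fixed) + ICV_LEN + len(inner))
    icv = ah_icv(ip_hdr, ah_fixed + bytes(ICV_LEN), inner)
    return ip_hdr + ah_fixed + icv + inner


def verify_ah(packet):
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, inner = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(ah_icv(ip_hdr, ah_fixed + bytes(ICV_LEN), inner), icv)


def build_esp_packet(src, dst, spi, seq, payload):
    """ESP's ICV covers only SPI + sequence + (normally encrypted) payload; the
    outer IP header is outside it, which is why ESP tolerates a 1:1 address swap."""
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(KEY, esp_hdr + payload, hashlib.sha1).digest()[:ICV_LEN]
    body = esp_hdr + payload + icv
    return ipv4_header(src, dst, PROTO_ESP, len(body)) + body


def verify_esp(packet):
    body = packet[20:]
    esp_hdr, payload, icv = body[:8], body[8:-ICV_LEN], body[-ICV_LEN:]
    expected = hmac.new(KEY, esp_hdr + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def build_ike_packet(src, dst, payload):
    """IKE is the one IPsec component carried in UDP (port 500), so a filter can match it by port."""
    udp = struct.pack("!HHHH", IKE_PORT, IKE_PORT, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, PROTO_UDP, len(udp)) + udp


def classify(packet):
    """What a firewall sees in the IP protocol field.  Only the UDP case has ports
    for an application proxy to bind to; ESP and AH are their own IP protocols."""
    proto = packet[9]
    if proto == PROTO_AH:
        return "AH (IP protocol 51)"
    if proto == PROTO_ESP:
        return "ESP (IP protocol 50)"
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", packet[20:24])
        return "IKE (UDP/500)" if IKE_PORT in (sport, dport) else "UDP"
    return "TCP" if proto == PROTO_TCP else f"IP protocol {proto}"


def packet_filter_allows(packet):
    """Option 1 from the post: a stateless packet filter with real routing passes
    IKE, ESP and AH by protocol number instead of trying to proxy them."""
    return classify(packet) in ("IKE (UDP/500)", "ESP (IP protocol 50)", "AH (IP protocol 51)")


def static_nat_rewrite_src(packet, new_src):
    """What a one-to-one NAT does: swap the source address and touch nothing else."""
    return packet[:12] + ipaddress.IPv4Address(new_src).packed + packet[16:]


if __name__ == "__main__":
    inner = b"constructed inner datagram"
    ah = build_ah_packet("203.0.113.10", "192.0.2.20", 0x1001, 1, PROTO_TCP, inner)
    esp = build_esp_packet("203.0.113.10", "192.0.2.20", 0x1002, 1, inner)
    ike = build_ike_packet("203.0.113.10", "192.0.2.20", b"constructed IKE payload")
    for name, pkt in (("IKE", ike), ("ESP", esp), ("AH", ah)):
        print(f"{name:3} -> {classify(pkt):22} filter passes: {packet_filter_allows(pkt)}")
    print("AH  verifies after NAT:", verify_ah(static_nat_rewrite_src(ah, "198.51.100.5")))
    print("ESP verifies after NAT:", verify_esp(static_nat_rewrite_src(esp, "198.51.100.5")))
```

Two caveats for anyone taking option 2: ESP only survives the address swap shown here, not a port-overloading NAT, because ESP has no port numbers to multiplex on (that gap was later closed by UDP encapsulation of ESP on port 4500, which is a separate mechanism not discussed in the thread); and the filter for option 1 must permit IP protocols 50 and 51 explicitly, since a rule set that only knows TCP and UDP ports will silently drop them.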