IPSec and TCP

Chris Carlson carlsonmail at yahoo.com
Mon Oct 11 22:03:33 EDT 1999


Isolation Systems, bought by Shiva, bought by Intel
can do the same thing.  They tunnel all IPSec packets
through a single UDP port, 2233, which is proxyable
and/or NAT-able.

That was a year ago when I looked at them, so I'm not
sure if they've become IPSec compliant.

As for tunneling IPSec in ANYTHING, that scares me,
non-compliance aside.  I subscribe to the
security-in-depth model where the perimeter
routers/firewalls only permit IPSec traffic to the
destined VPN gateway.  If you tunnel IPSec in another
protocol, what else can ride through that?  What
if your VPN gateway is also your firewall that has Web
proxies running on it?  Ugh.

This goes back to the first question... why would you
need to proxy IPSec in the first place?  If you use
IPSec tunnel mode then you would only need one
publicly routable IP address for your VPN gateway
anyway.

I would rather have the VPN gateway on the outside,
protected by a screening router permitting only IPSec,
and then back-end connect the VPN gateway to another
interface on your proxy firewall.  Now you have full
proxy control/audit for your previously authenticated
VPN users before they even get into the internal
network.  And if you want to do further authentication
on the back-end firewall, go nuts!

Good luck anyway.
Chris
--
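A small model of the screening-router policy described above (an added example, not code from the post or from any vendor mentioned in it): a first-match filter that permits only ESP (IP 50), AH (IP 51) and IKE (UDP 500) to the VPN gateway address, so that web-proxy ports on the gateway or a vendor's UDP 2233 encapsulation fall to the implicit deny. The gateway address, the packet samples and the rule format are constructed for illustration.

```python
"""Screening-router model: permit only IPSec to the VPN gateway.

Assumptions (constructed for this example): the gateway sits at
203.0.113.10 (a documentation address) and rules are evaluated
first-match with an implicit final deny, as on a typical router ACL.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ESP, AH, UDP, TCP = 50, 51, 17, 6   # IANA IP protocol numbers
IKE_PORT = 500                      # IKE/ISAKMP key exchange runs over UDP 500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None     # only meaningful for UDP/TCP


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: Optional[int]            # None matches any IP protocol
    dst: str                        # destination network in CIDR form
    dport: Optional[int] = None     # None matches any port


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule specifies agrees with the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return ip_address(pkt.dst) in ip_network(rule.dst)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; nothing matched means the implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


VPN_GW = "203.0.113.10/32"
SCREENING_RULES = [
    Rule("permit", ESP, VPN_GW),            # IP protocol 50
    Rule("permit", AH, VPN_GW),             # IP protocol 51
    Rule("permit", UDP, VPN_GW, IKE_PORT),  # key exchange only, no other UDP
]   # anything else to the gateway, and anything to other hosts, is denied
```

The return direction needs the mirrored rules (source equal to the gateway), which are left out here to keep the ruleset readable.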

--- Eric Henriksen <eric_h at earthlink.net> wrote:
> Does anyone know any more about this?  Sounds like it would be difficult to
> maintain IPSec compliance, but solve a rather large issue in dealing with
> IPSec VPNs across firewalls.
> 
> Eric
> ----- Original Message -----
> From: <guy.raymakers at europe.eds.com>
> To: Chris Carlson <carlsonmail at yahoo.com>
> Cc: <Vpn at listserv.secnetgroup.com>
> Sent: Friday, October 08, 1999 6:12 AM
> Subject: Re: IPSec and TCP
> 
> 
> >
> >
> >
> > John,
> >
> > Compatible systems (http://www.compatible.com/) have an ipsec implementation
> > that allows Ipsec over a proxy. If I remember correctly, they can put ipsec
> > in http packets.
> >
> > Best regards,
> > Guy
> >
> >
> >
> > To:   John Smith <chomsky at dor.state.ma.us>, vpn at listserv.secnetgroup.com
> > cc:    (bcc: Guy Raymakers/BE/EDS)
> > Subject:  Re: IPSec and TCP
> >
> >
> >
> > John,
> >
> > You're probably going to have a hard time "proxying"
> > IPSec traffic through a firewall since IPSec is
> > sensitive to network address translation and
> > modification of its original packets, akin to what
> > proxying does.
> >
> > Quick response, you have a few choices:
> >
> > 1) Use packet filtering and full routing, not
> > proxying, to permit IPSec, which is UDP and two other
> > IP types (IP 50,51);
> >
> > 2) Use packet filtering with static one-to-one NATs
> > for incoming traffic -- some VPNs are sensitive to
> > this and can't do it, others like CheckPoint can;
> >
> > 3) Terminate your IPSec sessions at your proxy
> > firewall, and allow clear text inside;
> >
> > 4) Terminate your IPSec sessions at your proxy
> > firewall, and set up inside tunnels from your firewall
> > to internal hosts.
> >
> > 5) Use a VPN product that runs in parallel to your
> > firewall, so you don't have to deal with it in the
> > first place!
> >
> >
> > Can anybody think of others?
> >
> > Good luck!
> >
> > Chris
> > --
> >
> > --- John Smith <chomsky at dor.state.ma.us> wrote:
> > >
> > > Hi,
> > >
> > > I'm new to IPSec and am trying to find a way to
> > > squeeze it through a proxy-based firewall. It
> > > appears that IPSec is not TCP-based, but rather
> > > uses another protocol. Is this the case? If so,
> > > does anyone know of a firewall that proxies
> > > non-TCP or UDP based protocols?
> > >
> > >  Thanks
> > >
> > >  JPS
> > >  Mass DOR

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html

We are currently experiencing "unsubscribe" difficulties.  If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com

****************************************************************