Linux IP Masq and Nortel Extranet Client

Matt McConnell mmcconnell at COMPATIBLE.COM
Tue Jan 4 12:13:30 EST 2000


Several VPN products (including ours) provide a "NAT compatible" transport
mode using IPSec ESP.  This is a configurable option, very important for
running clients behind many cable modems, DSL modems, or corporate LAN NAT
devices.

Matt

Matt McConnell
President & CEO
Compatible Systems Corporation
http://www.compatible.com/

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of
Thibodeau, Gregg
Sent: Tuesday, January 04, 2000 9:01 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: Linux IP Masq and Nortel Extranet Client


The problem is most likely with many to one NAT.  IPSEC will not work with
many to one NAT unless the firewall/gateway is specifically designed to
handle this configuration.

IPSEC requires that both source and destination ports used during connection
setup be 500.  Most boxes doing many to one NAT change the source port.  The
Contivity Extranet Switch will not respond to the setup request since the
source port is not 500.  Even after that, the firewall/gateway needs to use
the SAs in the IPSEC traffic running on IP 50 to keep track of the original
source.

The only device that we have found that will support outgoing IPSEC and many
to one NAT is Nortel's Instant Internet.

Gregg
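To make the failure mode Gregg describes concrete, here is an added toy model (not code from the thread, Nortel or Compatible Systems) of a port-only many-to-one NAT beside an IPsec-aware one. The Packet fields, the class names, the remote gateway's "must be 500 -> 500" check and the rule that inbound ESP with an unseen SPI is bound to the inside host that last ran IKE with that peer are all assumptions made for the illustration; the addresses and SPIs are constructed.

```python
"""Toy model of IKE/ESP behind many-to-one NAT.  Constructed example; the
classes, the peer's port-500 check and the SPI binding rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

UDP, ESP = 17, 50          # IP protocol numbers
IKE_PORT = 500             # IKE phase 1 source and destination port


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # UDP only
    dst_port: Optional[int] = None   # UDP only
    spi: Optional[int] = None        # ESP only: the SA identifier


def remote_gateway_accepts_ike(pkt: Packet) -> bool:
    """Models the peer in the thread: IKE is answered only if 500 -> 500."""
    return pkt.proto == UDP and pkt.src_port == IKE_PORT and pkt.dst_port == IKE_PORT


class NaivePat:
    """Port-only NAT: every UDP flow gets a fresh public source port, and a
    protocol with no ports at all (ESP) cannot be translated."""
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[Tuple[int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto != UDP:
            return None                      # nothing to key the mapping on
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(UDP, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(UDP, self.public_ip, pkt.dst_ip, port, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.table.get((UDP, pkt.dst_port))
        if inside is None:
            return None
        return Packet(UDP, pkt.src_ip, inside[0], pkt.src_port, inside[1])


class IpsecAwarePat(NaivePat):
    """Keeps IKE on 500 -> 500 for one inside host per peer and tracks ESP
    by SPI instead of by port (the SA bookkeeping Gregg refers to)."""
    def __init__(self, public_ip: str, first_port: int = 1024):
        super().__init__(public_ip, first_port)
        self.peer_owner: Dict[str, str] = {}               # peer_ip -> inside_ip
        self.spi_owner: Dict[Tuple[str, int], str] = {}    # (peer_ip, spi) -> inside_ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == UDP and pkt.src_port == IKE_PORT and pkt.dst_port == IKE_PORT:
            owner = self.peer_owner.setdefault(pkt.dst_ip, pkt.src_ip)
            if owner != pkt.src_ip:
                return None      # port 500 towards this peer is already taken
            return Packet(UDP, self.public_ip, pkt.dst_ip, IKE_PORT, IKE_PORT)
        if pkt.proto == ESP:
            if self.peer_owner.get(pkt.dst_ip) != pkt.src_ip:
                return None      # ESP without a preceding IKE exchange from this host
            return Packet(ESP, self.public_ip, pkt.dst_ip, spi=pkt.spi)
        return super().outbound(pkt)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == UDP and pkt.dst_port == IKE_PORT:
            inside = self.peer_owner.get(pkt.src_ip)
            return None if inside is None else Packet(UDP, pkt.src_ip, inside, pkt.src_port, IKE_PORT)
        if pkt.proto == ESP:
            inside = self.spi_owner.get((pkt.src_ip, pkt.spi))
            if inside is None:   # first packet of a new inbound SA from this peer
                inside = self.peer_owner.get(pkt.src_ip)
                if inside is None:
                    return None
                self.spi_owner[(pkt.src_ip, pkt.spi)] = inside
            return Packet(ESP, pkt.src_ip, inside, spi=pkt.spi)
        return super().inbound(pkt)


def demo() -> dict:
    laptop, peer, public = "192.168.1.10", "203.0.113.5", "198.51.100.1"  # constructed
    ike = Packet(UDP, laptop, peer, IKE_PORT, IKE_PORT)
    esp = Packet(ESP, laptop, peer, spi=0x1001)
    naive, aware = NaivePat(public), IpsecAwarePat(public)
    n_ike, a_ike = naive.outbound(ike), aware.outbound(ike)
    return {
        "naive_ike_src_port": n_ike.src_port,                    # rewritten to 1024
        "naive_accepted": remote_gateway_accepts_ike(n_ike),     # False
        "naive_esp_forwarded": naive.outbound(esp) is not None,  # False
        "aware_accepted": remote_gateway_accepts_ike(a_ike),     # True
        "aware_esp_forwarded": aware.outbound(esp) is not None,  # True
        "aware_esp_reply_inside": aware.inbound(Packet(ESP, peer, public, spi=0x2002)).dst_ip,
        "second_host_blocked": aware.outbound(Packet(UDP, "192.168.1.11", peer, IKE_PORT, IKE_PORT)) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The model shows the two separate failures: the port-only gateway rewrites the IKE source port (so the peer never answers, which matches "remote host not responding" even though UDP 500 is visible on the wire), and it has no port at all to map ESP on. The IPsec-aware variant works only for a single inside host per peer, which is the limitation Gregg's "many to one" wording implies.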

-----Original Message-----
From: jmaegli [mailto:jmaegli at PCPROS.NET]
Sent: Tuesday, January 04, 2000 10:39 AM
To: VPN at SECURITYFOCUS.COM
Subject: Linux IP Masq and Nortel Extranet Client


Hello,
I have an NT laptop running Nortel Networks Extranet client. When I dial in to
my ISP the client connects and everything works great.  Now the rub: I have
an at-home network with 5 Win 98 and NT boxes, one Sun and 3 Linux
workstations. One of the Linux boxes is my gateway to the internet.
This box has the modem and all other boxes use this as their gateway. When I
make my connection, everything works fine, HTTP, Email, Telnet etc. but when
I try to connect the client (the one that works as mentioned before) I can
not connect and get the message "Failure Do to remote host not responding". I
do see a UDP packet on port 500 and my firewall is opened up so I'm not
getting blocked there.
If anyone has any thoughts or white papers on this kind of setup especially
with a Linux gateway please let me know.   Thanx so much for your time.

John Maegli
Systems Engineer
Sterling Software
Office (715) 848-2682
john.maegli at sterling.com

VPN is sponsored by SecurityFocus.COM
