VPN client interoperability

Jose Muniz MuniX-1 at PACBELL.NET
Tue May 16 23:01:24 EDT 2000


Martin is right. I would just like to add a comment.
It is better to perform NAT at either end of the IPSec tunnel,
and it works quite nicely.
This is where it is much better to have the VPN device well implemented
with a firewall. Firewalls [depends on the firewall] can do NAT [PAT] as
well as static NAT, or 1-to-1. The nicest thing is that you can also do
source and/or destination NAT at one end or both ends.
Very useful when, for example, there is a machine 10.1.1.1 in Network A
that needs to communicate with machine 10.1.1.1 on Network B.
That is the real beauty of NAT....


Jose Muniz.

Martin Machacek wrote:
>
> On 15-May-00 Michael Louie wrote:
> > Stupid question fellas.......but it shouldn't matter if I use X brand VPN
> > client and Y brand VPN server right?  --I intend on using ISAKMP w/ NAT
>
> Unfortunately it does matter! I assume that by VPN you mean an IPsec-based one.
> IPsec is quite a complicated standard (or better to say, a set of standards) and
> as a result of that there are incompatibilities between different
> implementations. Most frequently they are in key exchange, i.e. ISAKMP (or,
> as it is called now, IKE). One more warning - it is quite complicated to run
> an IPsec-based VPN over (any kind of) address translation. First of all you must
> not use the AH (authenticating header) part of IPsec and you must use static NAT
> (1-to-1 mapping). Even with that, whether your setup will work depends on the
> IPsec implementation. In most cases it is better to have the VPN server in
> parallel to the NAT device or on the same machine.
>
>         Martin
>
> ---
> [PGP KeyID F3F409C4]
>
> VPN is sponsored by SecurityFocus.COM
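
Added example (not part of the original thread, and not code from either poster): a simplified Python model of the AH-versus-NAT point made above. AH's integrity value covers the outer IP addresses, so a 1-to-1 source rewrite invalidates it, while ESP's covers only the ESP data. The key, addresses and packet contents are constructed, and the header layout is reduced to what the check needs.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed SA key, assumption for this example

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(header, body):
    """AH-style ICV (simplified): HMAC-SHA1-96 over the IP header with its
    mutable fields zeroed, plus the body. Addresses are NOT mutable fields."""
    h = bytearray(header)
    h[1] = 0             # TOS
    h[6:8] = b"\0\0"     # flags + fragment offset
    h[8] = 0             # TTL
    h[10:12] = b"\0\0"   # header checksum
    return hmac.new(KEY, bytes(h) + body, hashlib.sha1).digest()[:12]

def esp_icv(esp_data):
    """ESP-style ICV (simplified): covers ESP header + ciphertext only."""
    return hmac.new(KEY, esp_data, hashlib.sha1).digest()[:12]

def static_nat(header, new_src):
    """1-to-1 source NAT: rewrite only the source address (bytes 12..15)."""
    return header[:12] + socket.inet_aton(new_src) + header[16:]

def survives_nat(mode):
    """Return True if the receiver's ICV check passes after source NAT."""
    body = struct.pack("!II", 0x1001, 1) + b"opaque-ciphertext"  # SPI, seq, data
    proto = 51 if mode == "ah" else 50  # IP protocol numbers for AH and ESP
    hdr = ipv4_header("10.1.1.1", "192.0.2.20", proto, len(body))
    sent = ah_icv(hdr, body) if mode == "ah" else esp_icv(body)
    natted = static_nat(hdr, "192.0.2.10")
    seen = ah_icv(natted, body) if mode == "ah" else esp_icv(body)
    return hmac.compare_digest(sent, seen)

if __name__ == "__main__":
    for mode in ("ah", "esp"):
        print(mode, "ICV valid after NAT:", survives_nat(mode))
```

A TTL decrement in transit leaves the AH value unchanged because TTL is zeroed before hashing; only the address rewrite breaks it.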
