[vpn] Hi all. [VPN via NAT]

Richard McMahon Richard.McMahon at Appropria.com
Thu Aug 16 08:09:56 EDT 2001


Scott,

Don't worry, that's why lists exist: for people to share experiences and offer
their opinion, regardless of contradiction or not.

I was more talking about it not being a good thing to have an IPSEC VPN
server behind a NAT engine.  PPTP should work fine with NAT as it does
things differently to IPSEC.

Our 3com ss firewall now does not react well to multiple hosts behind a NAT
box.  It worked fine with the old firmware but the upgrade has stopped this
function from operating (first person in works, others fail to connect).  The
current encryption method for our clients is Encrypt & Authenticate (ESP DES
HMAC MD5) so as far as I can see it should work, but unfortunately it
doesn't.  Equally unfortunate is that we have to use the new firmware because
it fixes bugs in things we require ;).

I will need to play around with it more to see if I can get it to work
again.


Cheers,

Richard



-----Original Message-----
From: Scott C. Best [mailto:sbest at best.com]
Sent: 15 August 2001 22:20
To: Richard McMahon
Cc: 'VPN at securityfocus.com'
Subject: RE: [vpn] Hi all. [VPN via NAT]


Richard:

	Not to be contradictory, but my experience with
IPSec across a NAT'ing firewall (leaf.sf.net) is much
more positive. Of course, the AH protocol of IPSec won't
work with port-forwarding, but tunnel-mode ESP without AH
will.
	And, importantly, I use ipfwd instead of ipmasqadm 
to handle IP protocols 50 and 51, sending them across the
firewall to the *broadcast address* of the internal LAN.
Now I can run multiple IPSec VPN clients on my LAN, which 
each connect simultaneously to independent VPN servers. The 
application layer clients seem to be able to handle the 
confusion. I tried this with some PPTP clients as well with 
equal "success".

	Tradeoff is, obviously, the sacrifice of benefits
of the AH protocol. But what works feels good.

cheers,
Scott


On Wed, 15 Aug 2001, Richard McMahon wrote:

> If it is IPSEC you will probably have big problems as it will not pass the
> protocol properly; you are best giving the VPN server a live address and not
> a mapped one.
> 
> -----Original Message-----
> From: Alex [mailto:AlexY at aof.nursat.kz]
> Sent: 14 August 2001 12:24
> To: VPN at securityfocus.com
> Subject: [vpn] Hi all. [VPN via NAT]
> 
> 
> Hi all..
> 
> Where can I find info about how a VPN will work via NAT translation?
> 
> If I have the VPN server with a local IP, behind a firewall.
> 
> The VPN client connects to any ISP and gets a real IP address.
> 
> They connect to the firewall's real IP, and the firewall will do NAT.
> 
> 
> 
> Thanks.
> 
> Alex.
> 
> 
> 
> VPN is sponsored by SecurityFocus.com
> 


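The exchange above turns on one fact: AH's integrity check covers the outer IP header (with only the mutable fields such as TTL and checksum excluded), so a NAT box rewriting the source address invalidates it, whereas ESP's integrity check covers only the ESP header and payload, so ESP survives address rewriting. The following is an added example, not code from the thread or from any of the products mentioned; it builds toy AH and ESP packets with HMAC-MD5-96, applies the source rewrite a NAT box performs, and re-verifies each. The key, addresses, SPI and payload are constructed values, the IP checksum is left at zero (NAT recomputes it anyway, and AH zeroes it before authenticating), and ESP's encryption is omitted because the point is what the ICV covers, not confidentiality.

```python
import hmac
import hashlib
import struct

# Constructed values for the example; nothing here comes from the thread.
KEY = bytes(range(16))          # shared HMAC-MD5 key agreed by the SA
SPI = 0x1000                    # security parameter index for the SA
SEQ = 1                         # sequence number
PAYLOAD = b"tunnelled inner packet (constructed example)"
IPPROTO_ESP, IPPROTO_AH = 50, 51
AH_LEN = 12 + 12                # fixed AH fields + 96-bit ICV


def _addr(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left 0 for simplicity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                       proto, 0, _addr(src), _addr(dst))


def ah_immutable(ip_hdr: bytes) -> bytes:
    """RFC 2402: zero the mutable fields (TOS, flags/fragment offset, TTL,
    checksum) before computing the AH ICV. The addresses stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def icv(data: bytes) -> bytes:
    """HMAC-MD5-96: the first 96 bits of HMAC-MD5 over the authenticated data."""
    return hmac.new(KEY, data, hashlib.md5).digest()[:12]


def build_ah(src: str, dst: str, payload: bytes) -> bytes:
    """Transport-style AH packet: IP | AH(next=4 IP-in-IP, len, SPI, seq, ICV) | payload."""
    ip = ipv4_header(src, dst, IPPROTO_AH, 20 + AH_LEN + len(payload))
    ah_fixed = struct.pack("!BBHII", 4, (AH_LEN // 4) - 2, 0, SPI, SEQ)
    # The ICV is computed with the ICV field itself set to zero.
    mac = icv(ah_immutable(ip) + ah_fixed + bytes(12) + payload)
    return ip + ah_fixed + mac + payload


def verify_ah(packet: bytes) -> bool:
    ip, rest = packet[:20], packet[20:]
    ah_fixed, mac, payload = rest[:12], rest[12:24], rest[24:]
    return hmac.compare_digest(mac, icv(ah_immutable(ip) + ah_fixed + bytes(12) + payload))


def build_esp(src: str, dst: str, payload: bytes) -> bytes:
    """ESP packet: IP | ESP(SPI, seq) | payload | ICV. The ICV never covers the IP header."""
    body = struct.pack("!II", SPI, SEQ) + payload
    mac = icv(body)
    ip = ipv4_header(src, dst, IPPROTO_ESP, 20 + len(body) + 12)
    return ip + body + mac


def verify_esp(packet: bytes) -> bool:
    body, mac = packet[20:-12], packet[-12:]
    return hmac.compare_digest(mac, icv(body))


def nat_rewrite_src(packet: bytes, new_src: str) -> bytes:
    """What a source-NAT box does to an outbound packet: replace the outer source address."""
    p = bytearray(packet)
    p[12:16] = _addr(new_src)
    return bytes(p)


def demo() -> dict:
    """Verify each packet before and after NAT rewrites the source address."""
    inner_host, vpn_gateway, nat_public = "192.168.1.10", "203.0.113.5", "198.51.100.1"
    ah = build_ah(inner_host, vpn_gateway, PAYLOAD)
    esp = build_esp(inner_host, vpn_gateway, PAYLOAD)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_nat": verify_ah(nat_rewrite_src(ah, nat_public)),
        "esp_before_nat": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_rewrite_src(esp, nat_public)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV ok' if ok else 'ICV FAILED'}")
```

Running it shows AH verifying before NAT and failing after, while ESP verifies in both cases. Note what the example does not fix: ESP (IP protocol 50) carries no port numbers, so a port-translating NAT has nothing to demultiplex return traffic on when several inner hosts talk ESP to the same peer, which is the situation behind "first person in works, others fail" and the reason for the broadcast-forwarding workaround described earlier in the thread.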