[VPN] IPsec and IKE in a dynamic NAT environment

Siddhartha Jain losttoy2000 at yahoo.co.uk
Mon Feb 3 01:26:44 EST 2003


You might really not need NAT Traversal. If your IPSec
SA is only ESP then NAT between the VPN gateway and
clients should work. 

However, if you are using AH or AH+ESP then NAT poses a
problem which can be overcome by using NAT Traversal.
The feature must be supported, both in the VPN Gateway
as well as the VPN Client.

What VPN device are you using?


--- Nicolas Saurbier <Nicolas.Saurbier at biodata.de> wrote:
> Hi All,
>
> this is the first time I post into this list, so
> "Hi everybody!!!"
>
> Now I need a little help:
>
> Situation:
> I have a VPN-Gateway with an official IP-address attached directly
> to the internet. I have a Router that does ISDN dial-up to my ISP.
> The Router doesn't get a fixed IP-address. The Router is doing
> Masquerading (192.168.0.0/24 => x.x.x.x/32)
>
> How it should work:
> The users in my 192.168.0.0/24 network shall use Software IPsec-clients,
> I chose "SSH Sentinel 1.4". My problem is that the IKE is working fine,
> but the VPN-Gateway denies all incoming esp-packets and sends back an
> ICMP-packet "Proto 50 unreachable"
>
> SSH Sentinel has got an option called "NAT traversal"....did any1 of you
> ever work with SSH Sentinel??? Any1 of you doing the same as me?
> 
> NIC
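
The distinction the reply draws between AH and ESP under NAT, as an added example that is not part of the original thread: a simplified Python model (not real packet encoding) in which the AH integrity check covers the outer IP addresses and the ESP check does not, so rewriting the source address as the masquerading router does breaks only AH. The key, SPI, host address and public addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread


def icv(data):
    # HMAC-SHA1-96: HMAC-SHA1 truncated to 96 bits (12 bytes)
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def ah_icv(src, dst, spi, seq, data):
    # AH authenticates immutable outer IP header fields, addresses included
    # (simplified here to source, destination and protocol number 51).
    ip_fields = (ipaddress.IPv4Address(src).packed
                 + ipaddress.IPv4Address(dst).packed + bytes([51]))
    return icv(ip_fields + struct.pack("!II", spi, seq) + data)


def esp_icv(spi, seq, data):
    # ESP authenticates only its own header (SPI, sequence) and ciphertext.
    return icv(struct.pack("!II", spi, seq) + data)


def compute(pkt):
    if pkt["proto"] == "AH":
        return ah_icv(pkt["src"], pkt["dst"], pkt["spi"], pkt["seq"], pkt["data"])
    return esp_icv(pkt["spi"], pkt["seq"], pkt["data"])


def build(proto, src, dst, data, spi=0x1000, seq=1):
    pkt = {"proto": proto, "src": src, "dst": dst,
           "spi": spi, "seq": seq, "data": data}
    pkt["icv"] = compute(pkt)
    return pkt


def masquerade(pkt, public_ip):
    # Model of the router's masquerading: only the outer source changes.
    return dict(pkt, src=public_ip)


def verify(pkt):
    # Receiver recomputes the ICV from the packet as it arrived.
    return hmac.compare_digest(compute(pkt), pkt["icv"])


if __name__ == "__main__":
    for proto in ("AH", "ESP"):
        sent = build(proto, "192.168.0.10", "203.0.113.1", b"constructed payload")
        print(proto, verify(sent), verify(masquerade(sent, "198.51.100.7")))
```

The model covers only the integrity check. Whether a NAT device can forward and demultiplex protocol 50 traffic at all is a separate question, which the UDP encapsulation used by NAT Traversal addresses.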