[VPN] IPsec client through NAT - how?

Joseph S D Yao jsdy at center.osis.gov
Fri May 30 00:05:14 EDT 2003

I had thought I had understood the problem with IPsec and NAT, but
perhaps I don't.

We have people coming in to our IPsec server (Nortel Contivity 2600)
from a wide number of different configurations, some of which are
protected by firewalls of one kind or another.

One site has a Checkpoint Firewall-1 device, doing many-to-many NAT.
They were able to assign a workstation a static IP address, and do a
static NAT to an external address.  ESP, AH, and ISAKMP are open both
ways.  This person appears to be able to do IPsec just fine.  But, of
course, this is not a generalisable solution - there are not enough IP
addresses on the outside to tie them down like this for too many users.

Another site has CP FW1 doing many-to-one NAT.  With one external IP
address and internal dynamic IP addresses, they are unable to do a
static NAT for both reasons.  They are unable to set up the IPsec
tunnel after authentication, and I thought I understood why.

But another site - using, I think, a SonicWall "firewall" appliance -
also has many-to-one NAT and dynamic IP, and they are able to set up
IPsec tunnels and talk with us for a while.  They do go down after a
while, but I think that has something to do with traffic on a site-to-
site IPsec tunnel that they also have.  ;-}

And several users say that they are doing dynamic IP on their home LANs
behind a DSL or cable modem "firewall" that is also doing NAT, and that
they can attach rock-solid.

What is the difference here that I am missing?  Is the CP FW1 NAT that
different from those of these other "firewall" devices [that I believe
are basically stateful filtering routers]?

Has anyone tried the new Nortel Contivity VPN client: does it fix this?
Does it open any new problems?


Joe Yao				jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support					EMT-B
   This message is not an official statement of OSIS Center policies.

More information about the VPN mailing list