<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Travis,<br>
<br>
Yes, that's exactly what I'm trying to do, but I haven't played any MTU
games at all. PAT is probably the most common configuration for small
offices with a small firewall, frequently with a DSL connection
providing a single dynamic IP address to the firewall. In this
situation, it would be nice to be able to use a VPN client from the
LAN, but since there are still some clients that don't do NAT-Traversal
(or any other form of encapsulation), support for pure IPSec pass-thru
would be nice. It'd be even nicer if it could handle multiple
simultaneous clients, but I'd settle for even one at a time. My cheap
little Linksys and Netgear routers at home can do this, so it doesn't
seem too much to expect the Netscreen to do it also. I'm even willing
to believe that it can, but I haven't found a way to do it. I did,
however, find a few queries about this exact issue on a Netscreen user
forum, but no replies with solutions.<br>
<br>
The symptoms are the classic ones when ESP isn't supported through PAT
- ISAKMP succeeds, as does user authentication, and the VPN connection
appears to be up, but no incoming data to the client works. If I use
NAT-T everything is fine, but some of the places I connect to don't
support NAT-T yet, so that's not always an option. Like I said, I'm
willing to believe this is possible and that I just haven't found the
correct incantation, but I think I've tried the obvious things (though
I'm not nearly as comfortable with the Netscreen as I am with the PIX
and other Cisco products - maybe they've polluted my brain).<br>
<br>
Thanks!<br>
<br>
Dana<br>
<br>
<br>
Travis Watson wrote:
<blockquote cite="mid200404121847.38871.travis@traviswatson.com"
type="cite">
<pre wrap="">Dana,
I guess I'm not quite following. Are you talking about outbound IPSec client
connections? That shouldn't be a problem at all unless you tweaked the MTU
to a small size on purpose. You aren't trying to PAT outbound connections,
are you?
--Travis
</pre>
</blockquote>
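<br>
Added example, not part of the original message: a sketch of why the symptom described above appears, showing that return NAT-T traffic carries a UDP port a PAT device can map back to one LAN client, while native ESP (IP protocol 50) has no port field. The addresses, ports, SPIs and the simplified pass-through model keyed on protocol and remote address are all constructed assumptions, not Netscreen behaviour.

```python
import struct
from collections import defaultdict

ESP, UDP = 50, 17  # IP protocol numbers
GW, FW = "203.0.113.10", "198.51.100.5"  # constructed: remote VPN gateway, firewall public IP
CLIENTS = ["192.168.1.10", "192.168.1.11"]  # constructed LAN clients

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, addr(src), addr(dst))
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def esp(spi):
    return struct.pack("!II", spi, 1) + b"\x00" * 16  # SPI, sequence, dummy ciphertext

def classify(pkt):
    """Label a packet as IKE (UDP 500), NAT-T (UDP 4500) or native ESP."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == ESP:
        return "ESP"
    if proto == UDP:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if 500 in (sport, dport):
            return "IKE"
        if 4500 in (sport, dport):
            return "NAT-T"
    return "other"

def inbound_key(pkt):
    """Fields a PAT device can match return traffic on."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    remote = ".".join(map(str, pkt[12:16]))
    if proto == UDP:  # destination port was assigned per client by the PAT device
        return (proto, remote, struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0])
    return (proto, remote)  # ESP: no port field to rewrite or look up

def ambiguous_flows(sessions):
    """sessions: (lan_client, inbound_packet) pairs. Return keys shared by several clients."""
    owners = defaultdict(set)
    for client, pkt in sessions:
        owners[inbound_key(pkt)].add(client)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}

# Constructed inbound packets from the gateway, one per client, in each mode.
NATT = [(c, ipv4(GW, FW, UDP, udp(4500, 40001 + i, esp(i + 1)))) for i, c in enumerate(CLIENTS)]
NATIVE = [(c, ipv4(GW, FW, ESP, esp(i + 1))) for i, c in enumerate(CLIENTS)]
```

Calling ambiguous_flows(NATT) returns an empty dict, while ambiguous_flows(NATIVE) maps both clients to the same key, which is the multiple-simultaneous-clients problem with pure ESP pass-through.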
</body>
</html>