At 11:45 AM 4/12/01 -0400, Charles Manafa wrote:
>I believe the issue here is a VPN client initiating an IPSEC tunnel behind a
>NAT device. This configuration does not work.
>
>A Cisco router or PIX can do a NAT then establish IPSEC tunnel with a remote
>end point. Once the tunnel is created, the non-IPSEC client, behind the
>router/PIX, can then use the tunnel to connect to the private network. This
>configuration works.
>
>Charles

Are you guys sure on this? I do not see why IPSec would break. Only if
you are using AH would I see it breaking, since it cannot authenticate a
modified IP header. You could probably get it to work behind a NAT if you
set up your IPSec to be ESP only, as opposed to ESP+AH. Of course, this
leaves you vulnerable to spoofing, since IP header integrity is no longer
checked.

I am behind a BSD NAT box, and I have used Netscreen's VPN Client and the
Cisco VPN Client for the Altiga, and have connected successfully for months
without any problems. The BSD NAT box is using "NPAT" or "PAT", as Cisco
would call it. I am using IPFilter, which has built-in NAT software. I
have had problems with the Nortel Extranet (boo hiss!). And the BSD NAT
box is not creating a LAN-to-LAN tunnel either (which would work).

I can do some double checking to see if I am doing any special magic that I
have overlooked.

-Carroll Kong
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=347&t=321
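The AH-versus-ESP point in the reply above can be made concrete with a small model. The following is an added example and is not part of the original post: it builds a toy packet, computes an AH-style integrity check over the immutable outer IP header fields plus the payload, and an ESP-style check over only the ESP header and encrypted payload, then passes the packet through a plain router (TTL decrement) and through a NAT (TTL decrement plus source address rewrite). A truncated HMAC-SHA256 stands in for the real HMAC-MD5-96/HMAC-SHA1-96 transforms, and the key, addresses and payload are constructed sample values.

```python
"""Toy model of why AH breaks behind NAT while ESP-only can survive it."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace

# Constructed demo key; a real SA key would be negotiated by IKE.
DEMO_KEY = b"constructed-demo-key-not-a-real-sa"


@dataclass(frozen=True)
class Packet:
    src: str        # outer IP source address
    dst: str        # outer IP destination address
    ttl: int        # mutable in transit, so AH zeroes it before hashing
    spi: int        # IPsec Security Parameters Index
    seq: int        # anti-replay sequence number
    payload: bytes  # ESP: the encrypted inner packet; AH: the inner packet


def _ah_authenticated_bytes(pkt: Packet) -> bytes:
    # AH covers the immutable outer IP header fields (addresses here), the AH
    # header and the payload; mutable fields such as TTL are treated as zero.
    return (ipaddress.ip_address(pkt.src).packed
            + ipaddress.ip_address(pkt.dst).packed
            + b"\x00"                              # TTL zeroed
            + struct.pack("!II", pkt.spi, pkt.seq)
            + pkt.payload)


def _esp_authenticated_bytes(pkt: Packet) -> bytes:
    # ESP's integrity check starts at the ESP header (SPI, seq) and runs to the
    # end of the encrypted payload; the outer IP header is not covered at all.
    return struct.pack("!II", pkt.spi, pkt.seq) + pkt.payload


def icv(data: bytes, key: bytes = DEMO_KEY) -> bytes:
    # 96-bit truncated HMAC, mirroring the -96 transforms used by AH/ESP.
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


def ah_tag(pkt: Packet) -> bytes:
    return icv(_ah_authenticated_bytes(pkt))


def esp_tag(pkt: Packet) -> bytes:
    return icv(_esp_authenticated_bytes(pkt))


def verify_ah(pkt: Packet, tag: bytes) -> bool:
    return hmac.compare_digest(ah_tag(pkt), tag)


def verify_esp(pkt: Packet, tag: bytes) -> bool:
    return hmac.compare_digest(esp_tag(pkt), tag)


def router_hop(pkt: Packet) -> Packet:
    # An ordinary router only decrements TTL.
    return replace(pkt, ttl=pkt.ttl - 1)


def nat_hop(pkt: Packet, public_ip: str) -> Packet:
    # A NAT device decrements TTL and rewrites the source address.
    return replace(router_hop(pkt), src=public_ip)


def simulate(mode: str) -> dict:
    """Send one packet from a client behind NAT and report what the gateway sees."""
    original = Packet(src="10.0.0.5", dst="198.51.100.1", ttl=64,
                      spi=0x1000, seq=1, payload=b"constructed inner packet")
    if mode == "AH":
        tag, verify = ah_tag(original), verify_ah
    else:
        tag, verify = esp_tag(original), verify_esp
    return {
        "plain_router_ok": verify(router_hop(original), tag),
        "behind_nat_ok": verify(nat_hop(original, "203.0.113.7"), tag),
    }


if __name__ == "__main__":
    for mode in ("AH", "ESP"):
        print(mode, simulate(mode))
```

The TTL decrement alone leaves both checks intact, because AH excludes mutable fields; only the NAT's address rewrite breaks the AH tag, while the ESP tag never covered the outer header and so still verifies. The same property is what the reply calls exposure to spoofing: with ESP alone, the gateway has no cryptographic binding to the outer source address and relies on the SPI and anti-replay window instead. Note also that this model ignores port translation; since ESP carries no transport ports, a PAT device has nothing to map, which is the problem NAT-Traversal (UDP encapsulation of ESP, RFC 3948) was later introduced to solve.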