Comments inline:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of NRF
Sent: Thursday, June 21, 2001 9:06 PM
To: [EMAIL PROTECTED]
Subject: IPsec passthru with Linksys or D-link, what's up with that? [7:9473]

I have been reading that companies like Linksys and D-link sell those cheap home broadband routers that now support IPsec passthru. I take it that means that one of your PCs can use VPN client software to build an IPSec tunnel to a corporate network.

> Yes, one PC at a time can get IPSec connections through the PATing device.

So how does this passthru thing work exactly? It would seem to me to violate the cherished notion that NAPT (which is what is performed by these little routers to allow multiple home PCs to access the same broadband link) should never be used after IPsec.

> IPSec can be made to work with NAPT (PAT) in limited scenarios; people like
> to say it cannot because it's simpler to explain to people who don't know
> exactly how IPSec works.

More specifically, I take it that most of those VPN client software setups are using ESP transport mode.

> Not so. In almost all cases, the client to VPN gateway connection uses ESP in
> tunnel mode, not transport. The reason is simple: ESP in transport mode would
> only get you access to the VPN gateway itself. Typically clients don't want
> to talk directly to the VPN gateway, they want to talk to devices on the
> inside network, hence the need for tunnel mode.

OK, so how exactly do these routers perform NAPT on an ESP transport connection?

> They don't, and they can't. As you note, changing the IP address on an ESP packet
> in transport mode would break IPSec.

I suppose there really is no "port translation" anymore, because the TCP/UDP port numbers are protected by ESP and cannot be changed without compromising the integrity of the IPSEC tunnel. So perhaps SPIs are used by the router to demux; otherwise that would imply that there could only be 1 IPsec tunnel going through the router at a given instance (because if SPIs are not used, and you had 2 PCs in your house and both were doing VPNs, then how would the router know what VPN return traffic goes to which PC?).

> Actually, in my experience devices that support IPSec passthrough do not look
> at the SPIs, so they do only support a single inside IPSec device at a time.
> Watching SPIs could probably be made to work, I just don't think any of the
> vendors are doing it right now.

Also I see a problem with the TCP/UDP header checksum, because it is calculated based on the entire header (the "pseudo-header"), which must necessarily change because of the NAT (IP addresses must be changed from private to public addresses). And of course you cannot repair the TCP/UDP checksum because it is protected by ESP. So I take it the corporate VPN terminator must have TCP/UDP checksums turned off, is that true?

> In ESP tunnel mode, the inside packet is not changed, so there is no problem
> with the checksums. Only the outside header is manipulated.

Am I just way off-base here? Does anybody know what is the real deal with these little routers doing "pass-thru"? Is it just more marketing bull?

> They work fine as long as you have 1 inside PC using IPSec at a time with ESP
> in tunnel mode. Fortunately for the vendors, this seems to be how most people
> are using IPSec.
>
> HTH,
> Kent

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=9545&t=9545
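Kent's point about the TCP checksum, worked through as an added example that is not part of the original thread: in ESP transport mode the segment was checksummed against the one IP header the PAT router rewrites, while in tunnel mode the inner header the checksum depends on travels encrypted and untouched. It models only the checksum arithmetic, not the encryption; the addresses are constructed documentation-range values and the function names are assumptions.

```python
import struct

# Constructed addresses (RFC 5737 documentation ranges, not from the thread).
PRIVATE_PC = "192.168.1.10"   # inside host behind the home PAT router
PUBLIC_IP = "203.0.113.5"     # router's WAN address written into the outer header
VPN_GATEWAY = "198.51.100.1"  # corporate VPN terminator
INSIDE_SERVER = "10.0.0.20"   # host on the corporate network reached via tunnel mode

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum over the TCP pseudo-header (src, dst, zero, proto 6, length) + segment."""
    ips = bytes(int(o) for o in (src + "." + dst).split("."))
    pseudo = ips + struct.pack("!BBH", 0, 6, len(segment))
    return inet_checksum(pseudo + segment)

def build_segment(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal TCP segment (SYN, checksum filled in) as the sending host would build it."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    csum = tcp_checksum(src, dst, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side check: a valid segment sums to zero over pseudo-header + segment."""
    return tcp_checksum(src, dst, segment) == 0

def transport_mode_after_nat() -> bool:
    """ESP transport mode: the TCP segment is sealed by ESP, but the IP header it was
    checksummed against is the one and only (outer) header, which the router rewrites
    to PUBLIC_IP. The gateway verifies against the rewritten address, so the check fails."""
    seg = build_segment(PRIVATE_PC, VPN_GATEWAY, b"hello")  # sealed by ESP, untouchable
    return checksum_ok(PUBLIC_IP, VPN_GATEWAY, seg)  # gateway sees PUBLIC_IP as src

def tunnel_mode_after_nat() -> bool:
    """ESP tunnel mode: a whole inner IP packet (private src, inside-network dst) rides
    inside ESP; the router only rewrites the new outer header. The gateway decapsulates
    and verifies against the untouched inner addresses, so the check passes."""
    seg = build_segment(PRIVATE_PC, INSIDE_SERVER, b"hello")
    inner_src, inner_dst = PRIVATE_PC, INSIDE_SERVER  # encrypted, never seen by the NAT
    return checksum_ok(inner_src, inner_dst, seg)
```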

