Frank Knobbe wrote:
>
>
> VPNs like ESP/AH (PGPNet, SecuRemote, or any other IPSec-based VPN),
> PPTP or L2TP are based on their own IP protocols, which are portless.
> That prohibits the relaying of such packets through a device using
> NAT (with a single, hiding IP address) or proxy servers, since NAT'ed
> firewalls and proxies rely on port numbers to reference the return
> packets.
>
It's always possible to statically translate addresses like so:
Net1--VPNBox1--FW1----Internet----FW2-VPNBox2--Net2
VPNBox1 is 192.168.11.2
FW1-int is 192.168.11.1
FW1-ext is 195.100.11.1
FW2-ext is 195.100.22.1
FW2-int is 192.168.22.1
VPNBox2 is 192.168.22.2
VPNBox1 sends IP packets with Sender=192.168.11.1 Dest=192.168.22.2
FW1 Translates 192.168.11.1->192.168.22.2 to 195.100.11.1->195.100.22.1
FW2 Translates 195.100.11.1->195.100.22.1 to 192.168.11.1->192.168.22.1
VPNBox2 receives a packet identical to the one the VPNBox1 sent
The reason why NAT won't work is usually that the transport IP headers are
often cryptographically checksummed to prohibit tampering. By translating
stuff BACK to the way it was sent, this will allow the VPN to function.
Also, of course, dynamic NAT won't work at all because there's no information
to maintain state on, just a lot of seemingly random gibberish.
All these issues are however moot if you install the VPN in the firewall
itself, which is by far the easiest answer to all problems.
> Is anyone aware of a TCP based VPN for Windows NT, that traverses
> proxies/NAT? If not, maybe it's time to write one...
>
If you *really* want TCP based "VPN"s, you might want to take a look
at the SOCKS5 port redirector. Note however that I've only read
a couple of paragraphs on it and have no practical experience with it,
so no flames if it doesn't do what you want. :-)
Regards,
Mikael Olsson
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
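The two points in the reply above (a 1:1 static translation on both firewalls hands VPNBox2 the very packet VPNBox1 sent, so an integrity check over the IP header still passes, while a hiding NAT has no port to key return state on for ESP/AH) can be shown with a small simulation. This is an added illustration, not code from the post or from any of the products it names. It uses the addresses from the diagram; the packet structure, the HMAC-based stand-in for the AH integrity check, the demo key and the two NAT classes (StaticNat, HidingNat) are simplified constructions for the demo.

```python
"""Toy model: 1:1 static NAT carries AH/ESP, a hiding (port-keyed) NAT does not.

Added illustration, not code from the original mailing-list post. Addresses
follow the diagram in the post; everything else is a simplified construction.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_AH = 51


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for port-less protocols (ESP, AH)
    dport: Optional[int] = None
    payload: bytes = b""
    icv: bytes = b""              # AH-style integrity check value, empty if unsealed


def ah_icv(pkt: Packet, key: bytes) -> bytes:
    # Real AH authenticates the immutable IP header fields plus the payload;
    # modelled here as an HMAC over proto|src|dst and the payload (demo only).
    msg = f"{pkt.proto}|{pkt.src}|{pkt.dst}|".encode() + pkt.payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:12]


def ah_seal(pkt: Packet, key: bytes) -> Packet:
    return replace(pkt, icv=ah_icv(pkt, key))


def ah_verify(pkt: Packet, key: bytes) -> bool:
    return hmac.compare_digest(ah_icv(pkt, key), pkt.icv)


class StaticNat:
    """1:1 address translation with no per-flow state. Each firewall rewrites
    both addresses (own inside host -> own public address, peer public address
    -> peer inside host), so the far end receives exactly what was sent."""

    def __init__(self, pairs):
        self.to_public = dict(pairs)
        self.to_private = {pub: priv for priv, pub in pairs}

    def outbound(self, pkt: Packet) -> Packet:
        return replace(pkt, src=self.to_public.get(pkt.src, pkt.src),
                       dst=self.to_public.get(pkt.dst, pkt.dst))

    def inbound(self, pkt: Packet) -> Packet:
        return replace(pkt, src=self.to_private.get(pkt.src, pkt.src),
                       dst=self.to_private.get(pkt.dst, pkt.dst))


class HidingNat:
    """Dynamic NAT: all inside hosts share one public address; return packets
    are matched on the (protocol, port) the NAT handed out on the way out."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}          # (proto, public port) -> (inside ip, inside port)
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            # Nothing to rewrite and nothing unique to key on: the entry is per
            # protocol only, so a second inside host using ESP overwrites the first.
            self.table[(pkt.proto, None)] = (pkt.src, None)
            return replace(pkt, src=self.public_ip)
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.table.get((pkt.proto, pkt.dport))
        if inside is None:
            return None          # no state: dropped
        return replace(pkt, dst=inside[0], dport=inside[1])


# Address pairs from the diagram; the key is a constructed demo value shared by both VPN boxes.
PAIRS = [("192.168.11.2", "195.100.11.1"), ("192.168.22.2", "195.100.22.1")]
KEY = b"constructed-demo-key"


def static_nat_path() -> dict:
    fw1, fw2 = StaticNat(PAIRS), StaticNat(PAIRS)
    sent = ah_seal(Packet(IPPROTO_AH, "192.168.11.2", "192.168.22.2", payload=b"hello"), KEY)
    on_wire = fw1.outbound(sent)      # what crosses the Internet
    received = fw2.inbound(on_wire)   # what VPNBox2 sees
    return {
        "on_wire": (on_wire.src, on_wire.dst),
        "icv_ok_on_wire": ah_verify(on_wire, KEY),   # header rewritten: check fails
        "icv_ok_at_peer": ah_verify(received, KEY),  # translated back: check passes
        "identical": received == sent,
    }


def hiding_nat_path() -> dict:
    nat = HidingNat("195.100.11.1")
    # TCP works: the port rewritten on the way out identifies the reply.
    out = nat.outbound(Packet(IPPROTO_TCP, "192.168.11.2", "195.100.22.1", sport=51515, dport=80))
    tcp_back = nat.inbound(Packet(IPPROTO_TCP, out.dst, out.src, sport=out.dport, dport=out.sport))
    # ESP from two inside hosts: the reply meant for the first is handed to the second.
    nat.outbound(Packet(IPPROTO_ESP, "192.168.11.2", "195.100.22.1", payload=b"\x00" * 8))
    nat.outbound(Packet(IPPROTO_ESP, "192.168.11.3", "195.100.22.1", payload=b"\x00" * 8))
    esp_back = nat.inbound(Packet(IPPROTO_ESP, "195.100.22.1", "195.100.11.1", payload=b"\x01" * 8))
    return {"tcp_reply_to": (tcp_back.dst, tcp_back.dport), "esp_reply_to": esp_back.dst}
```

Running static_nat_path() shows the packet on the wire failing the integrity check (its header was rewritten) while the packet VPNBox2 receives is field-for-field the one VPNBox1 sent and verifies; hiding_nat_path() shows the TCP reply returning to the right inside host and port, but the ESP reply for 192.168.11.2 being delivered to 192.168.11.3, because without a port the NAT table has only the protocol number to go on.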