This problem occurs because of the way IPSec operates. This is not just a problem with GTA's firewalls; others that perform NAT (if they even allow the client VPN connection) will have the same problem.

First you have to understand there are two things going on with the VPN connection: IKE + IPSec. IKE uses UDP 500 for the key exchange. Some VPN implementations are broken (IMHO) in that they require IKE to use UDP 500 for the source port as well (no reason for this, and not in the spec). GTA's IKE handling code originally allowed the source port to float, but this broke some broken implementations. So we went to fixing the source port to UDP 500, but this made it difficult for some others. So now we have a modified IKE handling process: if UDP 500 is available as the source port, use it; if not, pick another source port. This is the best compromise.

The other part of the issue is IPSec, which has no ports, as it uses IP protocol ESP (50, for tunnel encapsulation). There are no ports. So the only thing to differentiate the connection is the source and destination addresses. Since the source is on the firewall, you only have the destination address. So if multiple people (behind the firewall in NAT mode) are trying to go to the same place, it will fail.

Your problem could be the IKE issue, but I doubt it. I think it is more likely to be the ESP issue. As Maarten mentioned, you could use static mapping and assign aliases to the external NIC to beat this problem. The other solution Maarten alluded to is NAT-T, which is a UDP encapsulation of the entire IPSec packet. GTA's firewalls currently do not support this feature. We would like to; however, there are a few patent infringement issues being tossed about with regard to NAT-T. The IETF was in the process of making NAT-T a standard, but these patent infringement issues have stopped things for the time being. Some vendors that have support for NAT-T most likely are violating the patents.

On Monday, November 3, 2003 at 08:54, Dan Swartzendruber wrote:

>At 02:49 PM 11/3/2003 +0100, Maarten Vink / Interstroom wrote:
>>Matt Repko wrote:
>>
>>>I am having some difficulties with multiple Nortel VPN clients behind a
>>>Gnatbox GB-1000 unit. I've scoured Gnatbox's knowledgebase and various other
>>>resources and have not found any solid information. Hopefully someone on the
>>>list has run into this problem or has some good suggestions.
>>>
>>>Looking through Nortel's documentation yielded a known issue with NAT
>>>traversal connection failure which essentially explains that multiple VPN
>>>connections behind a NAT firewall will lead to unreliable connection with the
>>>Nortel Contivity client.
>>>
>>>Has anyone had problems like this? Has anyone come up with a solution or at
>>>least a workaround? I am open to suggestions.
>>
>>If using multiple IP's on the Nortel box is impossible, you could try
>>doing the same thing on your end. Assign multiple IP's to your GB-1000 and
>>use static address mappings to have each VPN session appear to originate
>>from a different IP.
>>
>>FYI, the GNAT Box VPN client has the same issue with NAT; I've heard
>>rumours that Cisco has a client that will work around this problem but I
>>haven't used it myself.
>
>I guess I'm puzzled by this. We were using Checkpoint SecureRemote at my
>day job and switched to Nortel recently. I've never noticed the described
>behavior because when I telecommute, I'm the only one doing so from my
>house. Anyway, one of the things I liked about Nortel was that it could be
>set up to use UDP encapsulation, instead of ESP, which has the standard
>problem of "where do return packets go, since there's no port number to go
>by?" The described problem sounds like ESP is being used, not UDP. If not,
>I'm at a loss to understand how this would ever happen, since steering
>inbound packets based on the port number is fundamental to allowing
>multiple clients using TCP or UDP behind a NAT gateway.
>
>------------------------------------------------------
>To unsubscribe: [EMAIL PROTECTED]
>For additional commands: [EMAIL PROTECTED]
>Archive: http://archives.gnatbox.com/gb-users/
>

-- 
Paul Emerson
Global Technology Associates, Inc.
Tel: +1.407.380.0220 http://www.gta.com/
Fax: +1.407.380.6080 Email: [EMAIL PROTECTED]
Mob: +1.407.617.7818 AIM: pje1gta
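The following is an added illustration of the NAT behaviour discussed in the thread above. It is not code from the thread, from GTA's GNAT Box, or from Nortel; it is a small model of a NAT gateway's translation table that shows why two clients behind one external address cannot both run plain ESP to the same VPN gateway, and how the two workarounds mentioned (extra external addresses with static mappings, and NAT-T's UDP encapsulation) avoid the collision. It also models the "use source port 500 if free, else pick another" IKE handling Paul describes. The addresses, the `Packet`/`Nat` names and the port-allocation policy are constructed for the example.

```python
"""Model of a NAT gateway translating outbound IPsec traffic (constructed example)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

ESP = 50           # IP protocol 50: no transport header, hence no ports to key on
UDP = 17
IKE_PORT = 500
NAT_T_PORT = 4500  # UDP port used by NAT-T (UDP-encapsulated ESP)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP, which carries no ports
    dport: Optional[int] = None


class Collision(Exception):
    """A new flow would be indistinguishable from an existing one on the outside."""


class Nat:
    def __init__(self, external_ips, static_map=None):
        self.external_ips = list(external_ips)
        self.static_map = dict(static_map or {})   # internal host -> dedicated external IP
        # fwd: internal 5-tuple -> (external ip, external port) chosen for it
        self.fwd: Dict[Tuple, Tuple[str, Optional[int]]] = {}
        # rev: how the peer sees the flow -> (internal ip, internal port) that owns it
        self.rev: Dict[Tuple, Tuple[str, Optional[int]]] = {}
        self.next_port = 1024  # assumed allocation policy: hand out 1025, 1026, ...

    def _alloc_port(self) -> int:
        self.next_port += 1
        return self.next_port

    def outbound(self, pkt: Packet) -> Packet:
        fkey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if fkey in self.fwd:                       # existing flow: reuse its mapping
            ext_ip, ext_port = self.fwd[fkey]
            return replace(pkt, src=ext_ip, sport=ext_port)
        ext_ip = self.static_map.get(pkt.src, self.external_ips[0])
        if pkt.proto == ESP:
            # Only (external ip, peer ip) identifies the flow: a second host going to
            # the same peer from the same external ip cannot be told apart on return.
            ext_port = None
            rkey = (ESP, ext_ip, None, pkt.dst, None)
            if rkey in self.rev:
                raise Collision(f"ESP {pkt.src}->{pkt.dst} clashes with {self.rev[rkey][0]} on {ext_ip}")
        else:
            # UDP has a source port: keep the original if free (IKE peers that insist
            # on 500/500 stay happy), otherwise rewrite it to a fresh one.
            ext_port = pkt.sport
            rkey = (pkt.proto, ext_ip, ext_port, pkt.dst, pkt.dport)
            if rkey in self.rev:
                ext_port = self._alloc_port()
                rkey = (pkt.proto, ext_ip, ext_port, pkt.dst, pkt.dport)
        self.fwd[fkey] = (ext_ip, ext_port)
        self.rev[rkey] = (pkt.src, pkt.sport)
        return replace(pkt, src=ext_ip, sport=ext_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside, or None if no state matches (dropped)."""
        rkey = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rkey not in self.rev:
            return None
        int_ip, int_port = self.rev[rkey]
        return replace(pkt, dst=int_ip, dport=int_port)


GATEWAY = "203.0.113.10"                   # constructed VPN concentrator address
ALICE, BOB = "192.168.1.10", "192.168.1.11" # two clients behind the firewall


def run_scenarios() -> dict:
    results = {}
    # 1. Plain ESP, one external address: the second client to the same peer collides.
    nat = Nat(["198.51.100.1"])
    nat.outbound(Packet(ESP, ALICE, GATEWAY))
    try:
        nat.outbound(Packet(ESP, BOB, GATEWAY))
        results["esp_single_ip"] = "ok"
    except Collision:
        results["esp_single_ip"] = "collision"
    # 2. Static mapping: Bob is given his own external alias, so return ESP is unambiguous.
    nat = Nat(["198.51.100.1", "198.51.100.2"], static_map={BOB: "198.51.100.2"})
    nat.outbound(Packet(ESP, ALICE, GATEWAY))
    nat.outbound(Packet(ESP, BOB, GATEWAY))
    results["esp_static_map"] = nat.inbound(Packet(ESP, GATEWAY, "198.51.100.2")).dst
    # 3. NAT-T: UDP 4500 gives the NAT a port to rewrite, so one address serves both.
    nat = Nat(["198.51.100.1"])
    a = nat.outbound(Packet(UDP, ALICE, GATEWAY, NAT_T_PORT, NAT_T_PORT))
    b = nat.outbound(Packet(UDP, BOB, GATEWAY, NAT_T_PORT, NAT_T_PORT))
    results["natt_ports"] = (a.sport, b.sport)
    back = nat.inbound(Packet(UDP, GATEWAY, "198.51.100.1", NAT_T_PORT, b.sport))
    results["natt_return_to_bob"] = back.dst
    # 4. IKE: the first client keeps source port 500, the second is moved off it.
    ike_a = nat.outbound(Packet(UDP, ALICE, GATEWAY, IKE_PORT, IKE_PORT))
    ike_b = nat.outbound(Packet(UDP, BOB, GATEWAY, IKE_PORT, IKE_PORT))
    results["ike_ports"] = (ike_a.sport, ike_b.sport)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenario 1 is the failure Matt reports: the gateway's return ESP is addressed to the one external IP with no port to steer on, so a NAT can only serve one client per peer. Scenario 2 is Maarten's static-mapping workaround, and scenario 3 is the UDP encapsulation Dan refers to; in both the reverse lookup becomes unique again. Scenario 4 shows an IKE peer that insists on 500/500 still sees that for the first client only.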
