
RE: [FW1] Cisco VPN client through NAT CheckPoint FW


  • To: <[email protected]>
  • Subject: RE: [FW1] Cisco VPN client through NAT CheckPoint FW
  • From: "e-mail lists" <[email protected]>
  • Date: Sun, 20 May 2001 11:19:48 +1000
  • Sender: [email protected]
  • Thread-index: AcDgAYDOaac83ALUR06DKSfVW7Cc+gAx3ESw
  • Thread-topic: [FW1] Cisco VPN client through NAT CheckPoint FW

Hi,

| IPSEC uses a hash which, in part, is generated from the
| original IP address of the packet.  When the address is changed,
| the hash doesn't compute properly on the other end.  This is not
| a Check Point issue, this is a universal problem with NAT and
| IPSEC.  I've seen it with many different products and it always
| works out the same.  IPSEC is doing what it's supposed to.
| NAT breaks it.  Customer gets upset.  ;>

Not entirely true. AH (authentication header) encapsulation uses
a hash of the headers for the datagram it encapsulates, thus NAT
cannot be performed on AH packets (protocol 51). AH also usually
does not encrypt the actual payload - although I have heard that
some vendors do. ESP (encapsulation security payload - protocol 50)
only encrypts the payload (including the headers of the
encapsulated datagram). The source and destination addresses of
the ESP packets are not used in any way, excepting the usual IP
checksums.

Normally, VPNs would use ESP and not AH. AH was designed as a
means of ensuring the packet has not been modified in transit,
not to hide its contents.

Darren Mackay
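The point Darren makes above can be shown in a few lines of code. The following is an added example and is not part of the original post or of any vendor's implementation: it models AH and ESP integrity checks with HMAC-SHA256 over a simplified 20-byte IPv4 header and a constructed payload (not a byte-exact RFC implementation, and the key, addresses and payload are all made up for the demonstration). AH's ICV covers the outer header with only the fields that legitimately change in transit (TOS, flags/fragment offset, TTL, checksum) zeroed, so the source address is covered and a NAT rewrite breaks verification; ESP's ICV covers only its own payload, so the same rewrite passes. A plain router hop that only decrements TTL is included to show that AH tolerates that change.

```python
import hashlib
import hmac
import ipaddress
import struct

# Shared SA key, constructed for this example (a real SA key comes from IKE).
KEY = b"constructed-demo-key"
HDR_LEN = 20
ICV_LEN = 32  # HMAC-SHA256 digest length


def ip_checksum(data: bytes) -> int:
    """Standard ones-complement IP header checksum (returns 0 over a header
    whose checksum field is already correct)."""
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_covered_view(hdr: bytes) -> bytes:
    """AH authenticates the outer IP header with the mutable fields
    (TOS, flags/fragment offset, TTL, checksum) zeroed.  The source and
    destination addresses are not mutable, so they are covered by the ICV."""
    mutable = {1, 6, 7, 8, 10, 11}
    return bytes(0 if i in mutable else b for i, b in enumerate(hdr))


def ah_packet(src: str, dst: str, payload: bytes) -> bytes:
    hdr = ipv4_header(src, dst, 51, HDR_LEN + ICV_LEN + len(payload))
    icv = hmac.new(KEY, ah_covered_view(hdr) + payload, hashlib.sha256).digest()
    return hdr + icv + payload


def ah_verify(pkt: bytes) -> bool:
    hdr, icv, payload = pkt[:HDR_LEN], pkt[HDR_LEN:HDR_LEN + ICV_LEN], pkt[HDR_LEN + ICV_LEN:]
    expected = hmac.new(KEY, ah_covered_view(hdr) + payload, hashlib.sha256).digest()
    return hmac.compare_digest(icv, expected)


def esp_packet(src: str, dst: str, payload: bytes) -> bytes:
    """ESP's ICV covers only the ESP payload (here standing in for the ESP
    header plus the encrypted inner datagram); the outer IP header is not
    part of what is authenticated."""
    hdr = ipv4_header(src, dst, 50, HDR_LEN + len(payload) + ICV_LEN)
    icv = hmac.new(KEY, payload, hashlib.sha256).digest()
    return hdr + payload + icv


def esp_verify(pkt: bytes) -> bool:
    payload, icv = pkt[HDR_LEN:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(KEY, payload, hashlib.sha256).digest()
    return hmac.compare_digest(icv, expected)


def rewrite_outer(pkt: bytes, new_src=None, ttl_delta: int = 0) -> bytes:
    """Model a hop that edits the outer header: a plain router only decrements
    TTL; a NAT gateway also rewrites the source address.  Both recompute the
    IP checksum, which neither AH nor ESP covers."""
    hdr = pkt[:HDR_LEN]
    src = new_src or str(ipaddress.IPv4Address(hdr[12:16]))
    dst = str(ipaddress.IPv4Address(hdr[16:20]))
    total_len = struct.unpack("!H", hdr[2:4])[0]
    new_hdr = ipv4_header(src, dst, hdr[9], total_len, ttl=hdr[8] - ttl_delta)
    return new_hdr + pkt[HDR_LEN:]


def demo() -> dict:
    """Send one AH and one ESP packet through a router and through a NAT,
    returning whether each verifies at the receiver."""
    inner = b"constructed inner datagram"  # constructed sample payload
    ah = ah_packet("10.0.0.5", "192.0.2.1", inner)
    esp = esp_packet("10.0.0.5", "192.0.2.1", inner)
    return {
        "ah_after_router": ah_verify(rewrite_outer(ah, ttl_delta=1)),
        "ah_after_nat": ah_verify(rewrite_outer(ah, new_src="203.0.113.7", ttl_delta=1)),
        "esp_after_router": esp_verify(rewrite_outer(esp, ttl_delta=1)),
        "esp_after_nat": esp_verify(rewrite_outer(esp, new_src="203.0.113.7", ttl_delta=1)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} {'verifies' if ok else 'ICV FAILS'}")
```

Running it shows AH surviving the TTL decrement but failing after the address rewrite, while ESP verifies in both cases. One practical caveat when troubleshooting a setup like the one in this thread: ESP (protocol 50) carries no transport-layer ports, so a NAT device that multiplexes many hosts on one address by port has nothing to key on, and a single ESP session behind it is the case most likely to work.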
