RE: [FW1] Cisco VPN client through NAT CheckPoint FW
Hi,

| IPSEC uses a hash which, in part, is generated from the
| original IP address of the packet. When the address is changed,
| the hash doesn't compute properly on the other end. This is not
| a Check Point issue, this is a universal problem with NAT and
| IPSEC. I've seen it with many different products and it always
| works out the same. IPSEC is doing what it's supposed to.
| NAT breaks it. Customer gets upset. ;>

Not entirely true.

AH (authentication header) encapsulation uses a hash of the headers for the datagram it encapsulates, thus NAT cannot be performed on AH packets (protocol 51). AH also usually does not encrypt the actual payload - although some vendors I have heard do.

ESP (encapsulation security payload - protocol 50) only encrypts the payload (including the headers of the encapsulated datagram). The source and destination addresses of the ESP packets are not used in any way, excepting the usual IP checksums.

Normally, VPNs would use ESP and not AH. AH was designed as a means of ensuring the packet has not been modified in transit, not to hide its contents.

Darren Mackay