RE: [FW1] Cisco VPN client through NAT CheckPoint FW
Hi,

The Cisco VPN Concentrator Client can use standard IPSEC or IPSEC over UDP and works in NAT environments. The PIX VPN client doesn't work with NAT. This is a proprietary solution to resolve the issues that Altiga developed and is now a Cisco solution to this issue. Note the VPN Concentrator Client will not do this to PIX firewalls, only concentrators.

Inti.

-----Original Message-----
From: e-mail lists [mailto:[email protected]]
Sent: 20 May 2001 02:20
To: [email protected]
Subject: RE: [FW1] Cisco VPN client through NAT CheckPoint FW

Hi,

| IPSEC uses a hash which, in part, is generated from the
| original IP address of the packet. When the address is changed,
| the hash doesn't compute properly on the other end. This is not
| a Check Point issue, this is a universal problem with NAT and
| IPSEC. I've seen it with many different products and it always
| works out the same. IPSEC is doing what it's supposed to.
| NAT breaks it. Customer gets upset. ;>

Not entirely true. AH (authentication header) encapsulation uses a hash of the headers for the datagram it encapsulates, thus NAT cannot be performed on AH packets (protocol 51). AH also usually does not encrypt the actual payload - although some vendors I have heard do.

ESP (encapsulation security payload - protocol 50) only encrypts the payload (including the headers of the encapsulated datagram). The source and destination addresses of the ESP packets are not used in any way, excepting the usual IP checksums.

Normally, VPNs would use ESP and not AH. AH was designed as a means of ensuring the packet has not been modified in transit, not to hide its contents.
Darren Mackay

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
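An added illustration of the AH-versus-ESP point made in the thread, written for this archive page and not code from any poster, Cisco or Check Point: the script models the integrity check value (ICV) of each encapsulation as an HMAC, with AH covering the immutable outer IP header fields (source and destination addresses, mutable TTL zeroed) plus the payload, and ESP covering only the payload. A simulated router that decrements TTL leaves both intact; a simulated source NAT that rewrites the outer source address breaks AH (protocol 51) but not ESP (protocol 50). The key, addresses and inner datagram are constructed demo values. The model covers only the integrity-check aspect; it does not model the other practical NAT obstacles (IKE port rewriting, several clients behind one public address) that UDP encapsulation, as mentioned at the top of the thread, exists to work around.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key; a real SA gets its keys from IKE. Not vendor code.
DEMO_KEY = b"constructed-demo-integrity-key"
AH, ESP = 51, 50  # IP protocol numbers for AH and ESP, as cited in the thread


def _immutable_outer_header(pkt):
    """The part of the outer IP header that AH's ICV covers: src and dst
    addresses stay, while the mutable TTL field is treated as zero so that
    ordinary routers may decrement it without breaking the check."""
    return (ipaddress.ip_address(pkt["src"]).packed
            + ipaddress.ip_address(pkt["dst"]).packed
            + bytes([0]))  # TTL slot zeroed for ICV purposes


def integrity_input(pkt):
    """Bytes the ICV is computed over: outer header + payload for AH,
    payload only for ESP (ESP never authenticates the outer IP header)."""
    if pkt["proto"] == AH:
        return _immutable_outer_header(pkt) + pkt["payload"]
    if pkt["proto"] == ESP:
        return pkt["payload"]
    raise ValueError("not an IPsec packet")


def build_packet(proto, src, dst, payload, ttl=64):
    """Sender side: build the packet and attach its ICV."""
    pkt = {"proto": proto, "src": src, "dst": dst, "ttl": ttl,
           "payload": payload, "icv": b""}
    pkt["icv"] = hmac.new(DEMO_KEY, integrity_input(pkt), hashlib.sha256).digest()
    return pkt


def verify(pkt):
    """Receiver side: recompute the ICV and compare in constant time."""
    expected = hmac.new(DEMO_KEY, integrity_input(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt["icv"])


def forward_through_router(pkt):
    """A plain router only decrements TTL (and fixes the IP checksum)."""
    return {**pkt, "ttl": pkt["ttl"] - 1}


def forward_through_nat(pkt, public_src):
    """Source NAT additionally rewrites the outer source address. It holds
    no SA key, so it cannot produce a fresh ICV for the rewritten header."""
    return {**forward_through_router(pkt), "src": public_src}


def nat_survival():
    """Return, per encapsulation, whether the ICV still verifies after plain
    routing and after source NAT. Addresses and payload are constructed."""
    inner = b"constructed inner datagram: 10.1.1.5 -> 10.2.2.9 TCP segment"
    results = {}
    for name, proto in (("AH", AH), ("ESP", ESP)):
        pkt = build_packet(proto, "10.0.0.5", "198.51.100.1", inner)
        routed = forward_through_router(pkt)
        natted = forward_through_nat(pkt, "203.0.113.7")
        results[name] = {"plain_routing": verify(routed),
                         "after_nat": verify(natted)}
    return results


if __name__ == "__main__":
    for name, outcome in nat_survival().items():
        print(f"{name}: routed ok={outcome['plain_routing']}, "
              f"after NAT ok={outcome['after_nat']}")
```

Running it shows AH verifying after plain routing but failing after NAT, while ESP verifies in both cases, which is the distinction Darren draws: the receiver's AH check includes the outer addresses the NAT device rewrote, and the NAT device has no way to recompute that check.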