Re: [FW-1] Multiple Secure Remote One Public IP



Standard IPSec doesn't support NAT and will not work (without some kludges
that is), but more and more vendors are adding in support for IPsec to
travel over either UDP or TCP packets (some also support IKE over TCP too)
so that they can get through NAT devices or networks that are filtering
IPsec.

I believe that CheckPoint SecureRemote does support IPSEC/UDP, so I'd say to
enable that and give it a try first on one client, then try another client
and see if it works there too. Does anybody out here have something like
maybe a Linksys cable/DSL router with NAT and 2 (two) SecureRemote clients
behind it using IPSEC/UDP?

Technically this may not be 100% standard, but no VPN client that supports
NAT or authentication other than shared-secret or digital certificates is
compliant either, and that's every IPSEC remote access client that I know
of. They must support compliance, but they extend it to add their own features.
Since the IPSEC standards do not support remote access authentication
methods or NAT the way the "real world" does, this is a case in which
non-standard is the only way to go until the IETF finalizes a new standard.


Ron


-----Original Message-----
From: Russell Washington [mailto:[email protected]]
Sent: Friday, February 08, 2002 4:30 PM
To: [email protected]
Subject: Re: [FW-1] Multiple Secure Remote One Public IP


To my knowledge this kind of VPN topology is not possible, at least not with
most IPSec VPN implementations.  I'm no expert so everyone forgive me if I
stuff my foot in my mouth, but let me parallel this with a common
telecommuting scenario:

Company X has a firewall doing NAT, protecting an internal Server X
192.168.2.1/24.  They have an employee who needs to get in from home.
Employee X has a DSL connection and one of those funky no-VPN NAT boxes,
like a NetGear RT311 or a Linksys.  His workstation has address
192.168.3.1/24.  The goal is to slap an IPSec VPN client on the home
workstation, and get it to talk through the home-NAT-box to the firewall,
which in turn will patch him through to Server X.

Without either something proprietary or the new and improved "IPSec NAT
Traversal" I've heard pop up in the RFCs, this isn't going to work.  The
reason it won't work is that the packet rewrite done by the home-NAT-box
(the Cisco router in your case) jiggles the outbound IPSec packet in a
manner that IPSec interprets as someone altering the data.  For IPSec,
altered packet = dropped packet, so it gets smacked down by the firewall at
the other side (the CheckPoint in your case).  So nothing goes through.  You
can't even get through the tunnel negotiation if I recall correctly, much
less put traffic through it.  More concisely, in the words of the NetScreen
engineer who explained this to me, "NAT breaks IPSec." :)

Put more 192.168.3.x/24 clients behind the home-NAT-box and more
192.168.2.x/24 servers behind the Company X firewall, and the topology is
essentially identical to what you describe.  NAT still breaks the IPSec, and
the only difference is that you have more machines to confuse you in the
process.

Again, I'm no expert, and I know next to squat about Secure Remote.  I also
don't know if FWZ is subject to this.  But if you're talking about using
Secure Remote as a standard-issue IPSec VPN client, the topology is a no-go.
Feel free to tell me I don't know what I'm talking about. :)

-----Original Message-----
From: Gasaway, Troy [mailto:[email protected]]
Sent: Friday, February 08, 2002 9:01 AM
To: [email protected]
Subject: [FW-1] Multiple Secure Remote One Public IP


Okay, I have a client that is trying to setup several Secure Remote
users behind one public IP Address.

This IP is configured on a Cisco router running the Firewall Feature
set. This one IP is hiding all of the internal machines using NAT. As
stated above, now, in addition to this they want multiple machines to
use this same IP address for several Secure Remote connections. I am
almost positive this can not be done, but wanted to bounce it off of you
fine individuals.

Thanks,
Troy
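The two mechanisms discussed in this thread (Russell's point that NAT's header rewrite looks like tampering to IPsec, and Ron's point that carrying IPsec inside UDP lets it cross a NAT box, including for several clients behind one public IP) can be shown in a small simulation. The following Python is an added illustration, not code from the list, from Check Point or from any vendor mentioned above. It is a toy model, not the real AH/ESP wire formats: an AH-style packet has its integrity check value (ICV) computed over the IP addresses plus payload, while a UDP-encapsulated packet authenticates only the encapsulated payload. The NAT box, addresses, key and the use of UDP port 4500 (the port later standardised for NAT traversal) are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed demo key standing in for the security association's integrity key.
KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Packet:
    proto: str          # "ah" (ICV covers IP header) or "udp" (ESP carried inside UDP)
    src_ip: str
    dst_ip: str
    src_port: int       # only meaningful when proto == "udp"
    dst_port: int
    payload: bytes
    icv: bytes = b""    # integrity check value, filled in by protect()


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def _covered_bytes(pkt: Packet) -> bytes:
    """Bytes the ICV is computed over in this toy model."""
    if pkt.proto == "ah":
        # AH-style: the IP addresses are part of the authenticated data, so any
        # rewrite of them in transit makes the ICV fail at the receiver.
        return f"{pkt.src_ip}>{pkt.dst_ip}|".encode() + pkt.payload
    # UDP-encapsulated ESP: only the encapsulated payload is authenticated, so
    # the outer IP/UDP header may legitimately change on the way.
    return pkt.payload


def protect(pkt: Packet) -> Packet:
    """Sender side: attach the ICV."""
    return replace(pkt, icv=_mac(_covered_bytes(pkt)))


def verify(pkt: Packet) -> bool:
    """Receiver side (the firewall): recompute and compare the ICV."""
    return hmac.compare_digest(_mac(_covered_bytes(pkt)), pkt.icv)


class NatBox:
    """Simplified home NAT: one public IP, a port table for UDP flows, and at
    most one inner host for port-less protocols such as AH/ESP (assumed
    'VPN passthrough' behaviour, a constructed simplification)."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.udp_table: Dict[Tuple[str, int], int] = {}
        self.next_port = 40000
        self.passthrough_host: Optional[str] = None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == "udp":
            key = (pkt.src_ip, pkt.src_port)
            if key not in self.udp_table:
                self.udp_table[key] = self.next_port
                self.next_port += 1
            # Each inner client gets its own public port, so the gateway can
            # tell the sessions apart even though they share one public IP.
            return replace(pkt, src_ip=self.public_ip, src_port=self.udp_table[key])
        # No transport ports to rewrite: the NAT can only pin its single public
        # IP to one inner host; a second host's session has nowhere to go.
        if self.passthrough_host in (None, pkt.src_ip):
            self.passthrough_host = pkt.src_ip
            return replace(pkt, src_ip=self.public_ip)
        return None


def run_scenarios() -> dict:
    """Two clients behind one NAT box, with and without UDP encapsulation."""
    nat = NatBox("203.0.113.10")        # constructed public address (RFC 5737 range)
    gateway = "198.51.100.1"            # constructed firewall address
    ah1 = protect(Packet("ah", "192.168.3.1", gateway, 0, 0, b"client1 AH"))
    ah2 = protect(Packet("ah", "192.168.3.2", gateway, 0, 0, b"client2 AH"))
    udp1 = protect(Packet("udp", "192.168.3.1", gateway, 4500, 4500, b"client1 ESP-in-UDP"))
    udp2 = protect(Packet("udp", "192.168.3.2", gateway, 4500, 4500, b"client2 ESP-in-UDP"))

    ah1_nat = nat.outbound(ah1)
    ah2_nat = nat.outbound(ah2)
    udp1_nat = nat.outbound(udp1)
    udp2_nat = nat.outbound(udp2)
    return {
        "ah_direct": verify(ah1),                       # no NAT in the path: passes
        "ah_via_nat": verify(ah1_nat),                  # rewritten source IP: ICV fails
        "ah_second_client_dropped": ah2_nat is None,    # nothing to multiplex on
        "udp_via_nat": verify(udp1_nat),                # outer header changed, inner intact
        "udp_second_client": verify(udp2_nat),          # second client works as well
        "udp_public_ports": (udp1_nat.src_port, udp2_nat.src_port),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The AH case shows the failure Russell describes: the home NAT box changes the source address, the firewall recomputes the ICV over the rewritten header and drops the packet. The UDP case shows why Ron's suggestion helps with Troy's multi-client question specifically: the NAT assigns a distinct public port to each inner client, the authenticated data sits inside the UDP payload untouched, and the gateway can distinguish the sessions by port.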

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
All contents © 2004 Network Presence, LLC. All rights reserved.