Re: [FW-1] Multiple Secure Remote One Public IP

Standard IPSec doesn't support NAT and will not work (without some kludges, that is), but more and more vendors are adding in support for IPsec to travel over either UDP or TCP packets (some also support IKE over TCP too) so that they can get through NAT devices or networks that are filtering IPsec. I believe that CheckPoint SecureRemote does support IPSEC/UDP, so I'd say to enable that and give it a try first on one client, then try another client and see if it works there too.

Does anybody out here have something like maybe a Linksys cable/DSL router with NAT and 2 (two) SecureRemote clients behind it using IPSEC/UDP?

Technically this may not be 100% standard, but no VPN client that supports NAT or authentication other than shared-secret or digital certificates is compliant either, and that's every IPSEC remote access client that I know of. Must support compliancy, but they extend it to add their own features. Since the IPSEC standards do not support remote access authentication methods or NAT the way the "real world" does, this is a case in which non-standards is the only way to go until the IETF finalizes a new standard.

Ron

-----Original Message-----
From: Russell Washington [mailto:[email protected]]
Sent: Friday, February 08, 2002 4:30 PM
To: [email protected]
Subject: Re: [FW-1] Multiple Secure Remote One Public IP

To my knowledge this kind of VPN topology is not possible, at least not with most IPSec VPN implementations. I'm no expert, so everyone forgive me if I stuff my foot in my mouth, but let me parallel this with a common telecommuting scenario:

Company X has a firewall doing NAT, protecting an internal Server X 192.168.2.1/24. They have an employee who needs to get in from home. Employee X has a DSL connection and one of those funky no-VPN NAT boxes, like a NetGear RT311 or a Linksys. His workstation has address 192.168.3.1/24.

The goal is to slap an IPSec VPN client on the home workstation, and get it to talk through the home-NAT-box to the firewall, which in turn will patch him through to Server X. Without either something proprietary or the new and improved "IPSec NAT Traversal" I've heard pop up in the RFCs, this isn't going to work.

The reason it won't work is that the packet rewrite done by the home-NAT-box (the Cisco router in your case) jiggles the outbound IPSec packet in a manner that IPSec interprets as someone altering the data. For IPSec, altered packet = dropped packet, so it gets smacked down by the firewall at the other side (the CheckPoint in your case). So nothing goes through. You can't even get through the tunnel negotiation if I recall correctly, much less put traffic through it. More concisely, in the words of the NetScreen engineer who explained this to me, "NAT breaks IPSec." :)

Put more 192.168.3.x/24 clients behind the home-NAT-box and more 192.168.2.x/24 servers behind the Company X firewall, and the topology is essentially identical to what you describe. NAT still breaks the IPSec, and the only difference is that you have more machines to confuse you in the process.

Again, I'm no expert, and I know next to squat about Secure Remote. I also don't know if FWZ is subject to this. But if you're talking about using Secure Remote as a standard-issue IPSec VPN client, the topology is a no-go. Feel free to tell me I don't know what I'm talking about. :)

-----Original Message-----
From: Gasaway, Troy [mailto:[email protected]]
Sent: Friday, February 08, 2002 9:01 AM
To: [email protected]
Subject: [FW-1] Multiple Secure Remote One Public IP

Okay, I have a client that is trying to set up several Secure Remote users behind one public IP address. This IP is configured on a Cisco router running the Firewall Feature Set. This one IP is hiding all of the internal machines using NAT.

As stated above, now, in addition to this they want multiple machines to use this same IP address for several Secure Remote connections. I am almost positive this cannot be done, but wanted to bounce it off of you fine individuals.

Thanks,
Troy

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
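A toy model of the two points made in the thread: Russell's explanation that the NAT box's rewrite makes the far-end gateway see an altered packet, and Ron's suggested fix of carrying IPsec inside UDP so the NAT box has something it is allowed to rewrite. This is an added example written for this page, not code from any of the posters or from Check Point; the dict "packets", the HMAC-based integrity checks, the key and the addresses are all constructed stand-ins, not real IPsec framing.

```python
import hashlib
import hmac
# Constructed demo key and documentation-range addresses; real IPsec derives keys via IKE.
KEY = b"constructed-demo-key"
PUBLIC_IP = "203.0.113.5"          # the home NAT box's single public address

def ah_icv(pkt):
    """AH-style ICV: covers the immutable outer IP fields plus the payload."""
    covered = f"{pkt['src']}|{pkt['dst']}|{pkt['payload']}".encode()
    return hmac.new(KEY, covered, hashlib.sha256).digest()

def esp_icv(payload):
    """ESP-style ICV: covers only the ESP payload, never the outer IP header."""
    return hmac.new(KEY, payload.encode(), hashlib.sha256).digest()

def make_ah(src, dst, payload):
    pkt = {"proto": "ah", "src": src, "dst": dst, "payload": payload}
    pkt["icv"] = ah_icv(pkt)
    return pkt

def make_esp_udp(src, sport, dst, payload):
    # ESP carried inside UDP/4500: the outer UDP header is what NAT rewrites.
    return {"proto": "udp", "src": src, "sport": sport, "dst": dst,
            "dport": 4500, "payload": payload, "icv": esp_icv(payload)}

def nat(pkt, table):
    """Source NAT/PAT. Rewrites src; for UDP also picks a unique public
    source port per inner (src, sport) so replies can be demultiplexed."""
    out = dict(pkt)
    out["src"] = PUBLIC_IP
    if pkt["proto"] == "udp":
        key = (pkt["src"], pkt["sport"])
        table.setdefault(key, 40000 + len(table))
        out["sport"] = table[key]
    return out

def gateway_accepts(pkt):
    """The far-end gateway recomputes the ICV over what it actually received."""
    expected = ah_icv(pkt) if pkt["proto"] == "ah" else esp_icv(pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])

def demo():
    table = {}
    ah = nat(make_ah("192.168.3.1", "198.51.100.9", "hello"), table)
    a = nat(make_esp_udp("192.168.3.1", 4500, "198.51.100.9", "hello"), table)
    b = nat(make_esp_udp("192.168.3.2", 4500, "198.51.100.9", "hello"), table)
    return {"ah_ok": gateway_accepts(ah),
            "udp_ok": gateway_accepts(a) and gateway_accepts(b),
            "distinct_ports": a["sport"] != b["sport"]}
```

The AH packet fails at the gateway because its ICV covered the source address the NAT box rewrote, while the UDP-encapsulated packets verify and the two home clients leave the NAT box on distinct public ports, which is what lets one public IP carry several SecureRemote sessions.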