Re: [FW-1] IKE over TCP and UDP encapsulation
Hi Patrick,

Even if UDP is connectionless, I think NAT can work on it the same way it works on TCP. While sending a packet out, just change the source IP and source port. I think DNS is a good example, which uses UDP and can still be NATed while making a query. I think for UDP, NAT devices also keep a session entry; otherwise how can DNS work?

Regd's
Ritesh

-----Original Message-----
From: Patrick Lotti [mailto:[email protected]]
Sent: Friday, March 08, 2002 12:29 AM
To: Mailing list for discussion of Firewall-1
Subject: Re: [FW-1] IKE over TCP and UDP encapsulation

Hi,

UDP is connectionless. NAT devices just don't accept any incoming packets. A NAT device usually also changes the port, not only the IP address. With TCP packets the NAT device "remembers" the original IP+port and the port used for the outgoing packet, as TCP requires SYN, SYN-ACK and ACK to initiate a connection. UDP is connectionless and the NAT device doesn't remember anything. It just doesn't know what it could do with an incoming UDP packet.

NAT devices just don't accept any incoming packets, neither TCP SYN nor UDP.

Patrick

Ritesh Rekhi wrote:
>
> Hi All,
> Checkpoint recommends that we should use IKE over TCP and
> UDP encapsulation in SecureRemote client setup for initiating VPN
> connections from behind any NAT device, like cable users and any users who
> come through a NAT device. Just wanted to know why it is necessary to do
> that.
>
> What difference does it make if the connection is initiated using UDP port
> 500?
>
> Regd's
> Ritesh
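The thread turns on whether a port-translating NAT keeps state for UDP. As an added example (not from either poster and not Check Point code), the model below keeps a per-flow UDP entry with an idle timeout and runs two inside clients that both send from UDP port 500. The addresses, the 30-second timeout, the starting port and the endpoint-independent mapping are constructed assumptions.

```python
class Napt:
    """Toy port-translating NAT for UDP (illustrative model, not any vendor's code)."""

    def __init__(self, public_ip, idle_timeout=30.0, first_port=40000):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout  # assumed value; real devices differ
        self.next_port = first_port
        self.out = {}   # (inside_ip, inside_port) -> public_port
        self.back = {}  # public_port -> [inside_ip, inside_port, last_seen]

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Translate an outgoing datagram; create or refresh the session entry."""
        self._expire(now)
        key = (src_ip, src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = [src_ip, src_port, now]
            self.next_port += 1
        pub = self.out[key]
        self.back[pub][2] = now
        return (self.public_ip, pub, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port, now):
        """Map a datagram arriving on the public side back inside, or None if dropped."""
        self._expire(now)
        entry = self.back.get(dst_port)
        if entry is None:
            return None  # no session entry: nothing to translate to
        entry[2] = now
        return (src_ip, src_port, entry[0], entry[1])

    def _expire(self, now):
        for pub, (ip, port, seen) in list(self.back.items()):
            if now - seen > self.idle_timeout:
                del self.back[pub]
                del self.out[(ip, port)]

def demo():
    # Constructed sample traffic: two clients behind one NAT, both using UDP 500.
    nat = Napt("203.0.113.1")
    a = nat.outbound("192.168.1.10", 500, "198.51.100.5", 500, now=0)
    b = nat.outbound("192.168.1.11", 500, "198.51.100.5", 500, now=1)
    reply = nat.inbound("198.51.100.5", 500, a[1], now=2)      # answer to client A
    unsolicited = nat.inbound("198.51.100.5", 500, 500, now=3)  # nobody owns public 500
    stale = nat.inbound("198.51.100.5", 500, b[1], now=60)      # entry idled out
    return a, b, reply, unsolicited, stale

if __name__ == "__main__":
    print(demo())
```

In this model both clients leave the NAT with a source port other than 500, and a reply is delivered only while the matching entry is still alive.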