Re: [FW-1] FW: [FW-1] IKE over TCP and UDP encapsulation
Hi,

yes, you're right; NAT devices also keep states for UDP.

But: NAT changes *sometimes* the outgoing, i.e. source, port. For DNS the source port doesn't matter at all, but for IKE source and destination are defaulted to 500.

IP address and port usually identify a device. But the IP address never changes due to NAT, and the port depends on the NAT implementation.
- Might change after every packet
- Might be always 500 if possible

In any case it's hard or impossible to distinguish different nodes behind a NAT device.

I think you cannot guarantee that a given IKE implementation would work with all kinds of NAT devices. Therefore vendors add their own features, trying to somehow fix these issues.

Regards,
Patrick

Ritesh Rekhi wrote:
>
> Hi,
> Please see my response below. I think the list is still not working.
>
> Regd's
> Ritesh
>
> -----Original Message-----
> From: Ritesh Rekhi [mailto:[email protected]]
> Sent: Friday, March 08, 2002 11:53 AM
> To: '[email protected]'
> Subject: RE: [FW-1] IKE over TCP and UDP encapsulation
>
> Hi Patrick,
> Even if UDP is connectionless I think NAT can work on it
> the same way it works on TCP. While sending a packet out, just change the source IP
> and source port. I think DNS is a good example which uses UDP and still can
> be NATted while making a query.
>
> I think for UDP NAT devices also keep a session entry, otherwise how can DNS
> work.
>
> Regd's
> Ritesh
>
> -----Original Message-----
> From: Patrick Lotti [mailto:[email protected]]
> Sent: Friday, March 08, 2002 12:29 AM
> To: Mailing list for discussion of Firewall-1
> Subject: Re: [FW-1] IKE over TCP and UDP encapsulation
>
> Hi,
>
> UDP is connectionless.
> NAT devices just don't accept any incoming packets.
>
> A NAT device usually changes also the port, not only the IP address.
> With TCP packets the NAT device "remembers" the original IP+port and
> the port used for the outgoing packet, as TCP requires SYN, SYN-ACK
> and ACK to initiate a connection.
>
> UDP is connectionless and the NAT device doesn't remember anything.
> It just doesn't know what it could do with an incoming UDP packet.
>
> NAT devices just don't accept any incoming packets, neither TCP SYN
> nor UDP.
>
> Patrick
>
> Ritesh Rekhi wrote:
> >
> > Hi All,
> > Checkpoint recommends that we should use IKE over TCP and
> > UDP encapsulation in SecureRemote client setup for initiating VPN
> > connections from behind any NAT device, like cable users and any users which
> > come through a NAT device. Just wanted to know why it is necessary to do
> > that.
> >
> > What difference does it make if the connection is initiated using UDP port
> > 500.
> >
> > Regd's
> > Ritesh
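The point Patrick makes about the translated port depending on the NAT implementation, as an added example that is not part of the thread: a small simulation of a port-translating NAT with two inside hosts that both start IKE from UDP port 500. The addresses and the two NAT policies ("keep 500 if possible" versus "always pick a fresh port") are constructed for illustration.

```python
# Added example, not from the thread. Simulates a port-translating NAT in
# front of two IKE initiators that both use UDP source port 500.
from dataclasses import dataclass, field

IKE_PORT = 500


@dataclass
class Nat:
    public_ip: str
    preserve_port: bool          # policy: keep the inside port when it is free
    next_ephemeral: int = 1024   # otherwise hand out ports from here upwards
    # (inside_ip, inside_port, destination) -> outside port
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst):
        """Translate an outbound UDP datagram; returns what the peer sees."""
        key = (src_ip, src_port, dst)
        if key in self.table:                      # existing state: reuse it
            return self.public_ip, self.table[key]
        in_use = set(self.table.values())
        if self.preserve_port and src_port not in in_use:
            port = src_port                        # first host keeps 500
        else:
            while self.next_ephemeral in in_use:   # second host cannot: 500 taken
                self.next_ephemeral += 1
            port = self.next_ephemeral
            self.next_ephemeral += 1
        self.table[key] = port
        return self.public_ip, port

    def inbound(self, dst_port, src):
        """Map a reply hitting the public address back to an inside host."""
        for (in_ip, in_port, dst), out_port in self.table.items():
            if out_port == dst_port and dst == src:
                return in_ip, in_port
        return None   # no matching state: the NAT drops the datagram


def ike_sources_seen_by_gateway(preserve_port):
    """Two inside hosts start IKE to one gateway; return the source tuples it sees."""
    gateway = ("198.51.100.1", IKE_PORT)        # constructed VPN gateway address
    nat = Nat("203.0.113.1", preserve_port)      # constructed public NAT address
    return [nat.outbound(host, IKE_PORT, gateway) for host in ("10.0.0.1", "10.0.0.2")]
```

Both hosts reach the gateway from the same public IP, so only the translated port tells them apart, and which host still shows port 500 is purely a property of the NAT's policy.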