
Re: [FW-1] FW: [FW-1] IKE over TCP and UDP encapsulation



Hi,

Yes, you're right; NAT devices also keep state for UDP.


But: NAT *sometimes* changes the outgoing, i.e. source, port.
For DNS the source port doesn't matter at all, but for
IKE source and destination are defaulted to 500.
IP address and port usually identify a device. But the IP
address never changes due to NAT, and the port depends on
the NAT implementation.
-Might change after every packet
-Might be always 500 if possible
In any case it's hard or impossible to distinguish different
nodes behind a NAT device.

I think you cannot guarantee that a given IKE implementation
would work with all kinds of NAT devices. Therefore vendors add
their own features, trying to somehow fix these issues.

Regards,
Patrick
Ritesh Rekhi wrote:
>
> Hi ,
>            Please see my response below.I think list is still not working.
>
> Regd's
> Ritesh
>
> -----Original Message-----
> From: Ritesh Rekhi [mailto:[email protected]]
> Sent: Friday, March 08, 2002 11:53 AM
> To: '[email protected]'
> Subject: RE: [FW-1] IKE over TCP and UDP encapsulation
>
> Hi Patrick,
>                   Even if udp is connectionless i think nat can work on it
> the same way it works on tcp.While send packet out just change the source-ip
> and source-port .I think DNS is a good example which uses UDP and still can
> be natted while making query .
>
> I think for UDP nat devices also keep a session entry otherwise how can DNS
> work.
>
> Regd's
> Ritesh
>
> -----Original Message-----
> From: Patrick Lotti [mailto:[email protected]]
> Sent: Friday, March 08, 2002 12:29 AM
> To: Mailing list for discussion of Firewall-1
> Subject: Re: [FW-1] IKE over TCP and UDP encapsulation
>
> Hi,
>
> UDP is connectionless.
> NAT devices just don't accept any incoming packets.
>
> A NAT device usually also changes the port, not only the IP address.
> With TCP packets the NAT device "remembers" the original ip+port and
> the port used for the outgoing packet, as TCP requires SYN, SYN-ACK
> and ACK to initiate a connection.
>
> UDP is connectionless and the NAT device doesn't remember anything.
> It just doesn't know what it could do with an incoming UDP packet.
>
> NAT devices just don't accept any incoming packets, neither TCP SYN
> nor UDP.
>
> Patrick
>
> Ritesh Rekhi wrote:
> >
> > Hi All,
> >                   Check Point recommends that we should use IKE over TCP
> > and UDP encapsulation in the SecureRemote client setup for initiating VPN
> > connections from behind any NAT device, like cable users and any users
> > which come through a NAT device. Just wanted to know why it is necessary to
> > do that.
> >
> > What difference does it make if the connection is initiated using UDP port
> > 500?
> >
> > Regd's
> > Ritesh
> >

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
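As an added illustration of the point made in the reply above (this is not code from the list, from Check Point or from any vendor), here is a small Python model of the situation: a NAT with a UDP translation table, two inside hosts that both start IKE from UDP 500 towards one gateway, and two responder policies. One responder insists on source port 500 and keys peers on IP address; the other accepts any source port and keys peers on (IP, port), which is what an encapsulated or "floated" IKE transport lets a gateway do. The addresses come from the RFC 5737 documentation ranges, and both NAT modes ("keep 500 if possible" and "always pick a fresh port") are simplified assumptions rather than any specific product's behaviour.

```python
"""Toy model: several IKE initiators behind one NAT, all sending from UDP 500.
Constructed example with RFC 5737 documentation addresses; the NAT and the
responders are simplified assumptions, not a specific implementation."""
from dataclasses import dataclass
import itertools

IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Minimal NAPT with one public IP and a per-(inside ip, inside port) table.

    preserve_ports=True keeps the inside source port on the outside when it is
    still free ("always 500 if possible"); False always allocates a fresh one
    ("depends on the NAT implementation"). Either way, every inside host shows
    up with the same public IP."""

    def __init__(self, public_ip, preserve_ports=True, first_port=1024):
        self.public_ip = public_ip
        self.preserve_ports = preserve_ports
        self.out_map = {}   # (inside_ip, inside_port) -> public port
        self.in_map = {}    # public port -> (inside_ip, inside_port)
        self._free = itertools.count(first_port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            if self.preserve_ports and pkt.src_port not in self.in_map:
                port = pkt.src_port
            else:
                port = next(p for p in self._free if p not in self.in_map)
            self.out_map[key] = port
            self.in_map[port] = key
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Only packets that match an existing mapping get in; the rest are dropped."""
        inside = self.in_map.get(pkt.dst_port)
        if inside is None or pkt.dst_ip != self.public_ip:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


class StrictResponder:
    """Classic IKE on UDP 500: source port must be 500, peers keyed by IP only."""

    def __init__(self):
        self.peers = set()

    def receive(self, pkt):
        if pkt.src_port != IKE_PORT:
            return "rejected: source port %d is not %d" % (pkt.src_port, IKE_PORT)
        self.peers.add(pkt.src_ip)
        return "accepted as peer %s" % pkt.src_ip


class PortAwareResponder:
    """Responder that takes IKE from any source port and keys peers on (IP, port),
    as an encapsulated / NAT-aware IKE transport allows (assumed behaviour)."""

    def __init__(self):
        self.peers = set()

    def receive(self, pkt):
        self.peers.add((pkt.src_ip, pkt.src_port))
        return "accepted as peer %s:%d" % (pkt.src_ip, pkt.src_port)


def run_scenario(preserve_ports):
    """Two hosts behind one NAT both open IKE to the same gateway from port 500."""
    nat = Nat("198.51.100.1", preserve_ports=preserve_ports)
    gateway = "203.0.113.1"
    hosts = ["10.0.0.1", "10.0.0.2"]
    strict, aware = StrictResponder(), PortAwareResponder()

    outside = [nat.outbound(Packet(h, IKE_PORT, gateway, IKE_PORT)) for h in hosts]
    verdicts = [(strict.receive(p), aware.receive(p)) for p in outside]

    # The gateway answers the second host at the port the NAT chose for it...
    reply = nat.inbound(Packet(gateway, IKE_PORT, nat.public_ip, outside[1].src_port))
    # ...while a packet to a port with no mapping is simply dropped.
    unsolicited = nat.inbound(Packet(gateway, IKE_PORT, nat.public_ip, 60000))

    return {
        "public_ports": [p.src_port for p in outside],
        "verdicts": verdicts,
        "strict_peers": len(strict.peers),
        "aware_peers": len(aware.peers),
        "reply_reaches": reply.dst_ip if reply else None,
        "unsolicited": unsolicited,
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("preserve_ports=%s -> %s" % (mode, run_scenario(mode)))
```

With a port-preserving NAT the first host keeps 500 and gets through the strict responder, but the second host is remapped and rejected; with a NAT that always allocates fresh ports neither host gets through. The (IP, port)-keyed responder accepts both in either mode, and the NAT's reverse mapping shows why replies only reach hosts that already have an outbound entry.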

   All contents © 2004 Network Presence, LLC. All rights reserved.