Re: [FW-1] IPsec through Hide NAT
"Moon, Curtis" wrote:

> Does FW1 FP2 or FP3 support IPSec pass through? We have 5 workstations that
> need to load a VPN client (IPSec compliant) which are behind our firewall.
> The VPN clients will have to connect through our firewall to a publicly
> accessible VPN. I believe this is referred to as NAT-traversal. How would I
> set up the rules to support IPSec pass through? Would I need to make any
> global changes? FW1 on a Win2k box. Thank you for your help.

The reason NAT products do not offer this is that there is no way to do it in all situations. This is the example that breaks everything:

You have two VPN end-points[0] behind your NAT device, say 10.10.10.10 and 10.10.10.20. The NAT device, in Checkpoint-speak, is "hiding" them behind 172.18.30.40. They both want to establish ESP tunnels to the same remote end-point, 192.0.2.2.

If we use IKE (500/udp) to establish the SA for both, that can all be NATed through various tricks, and we presume that any authentication methods we choose can deal with the fact that 192.0.2.2 doesn't see the "real" IP address for the other end-points. So far, so good...

But then the ESP packets start flying, and that's the problem. Say an ESP packet from 192.0.2.2 bound for 172.18.30.40 arrives at our NAT device. Which one of our two VPN end-points does this packet go to? THERE IS NO WAY TO KNOW.

What's that you say? Use the SPI field in the ESP packet? The SPI was passed _encrypted_ in the IKE negotiations, so we don't know which SPIs correspond to which pair of end-points by watching the IKE chatter.

Huh? We can see the SPI on the outgoing ESP packets? Sure we can, but it doesn't do us any good (even if we assume the ends behind the NAT device always talk first). The SPIs for incoming and outgoing are different and not related. THERE IS NO WAY TO KNOW.
You can pull off one-to-one or even many-to-many through NAT since any ESP from a given external IP address gets sent to an individual internal IP, but many-to-one, the above example, breaks everything. If you can't support IPsec through NAT for the general case, might as well not try to pretend you can and have to explain this every time it breaks when someone does many-to-one.

[0] IPsec is a peer-to-peer protocol. There are no clients and servers.

--
Crist J. Clark
[email protected]
Globalstar Communications
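As an added illustration of the demultiplexing problem described in the reply above (this is not code from the post, from Check Point, or from any IPsec implementation), here is a small Python model of a hide NAT that keys ESP state on the only field it can read in cleartext, the SPI. The addresses follow the post's example; the SPI values and the second remote peer are constructed.

```python
import struct
from collections import defaultdict
from typing import Optional

# Addresses from the post; 198.51.100.7 is a constructed second peer.
INNER_A, INNER_B = "10.10.10.10", "10.10.10.20"
HIDE_ADDR = "172.18.30.40"
REMOTE = "192.0.2.2"
OTHER_REMOTE = "198.51.100.7"

def esp_packet(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP on the wire: 32-bit SPI, 32-bit sequence number, then opaque payload."""
    return struct.pack("!II", spi, seq) + payload

def parse_spi(esp: bytes) -> int:
    """The SPI is the only per-SA field a NAT box can observe."""
    return struct.unpack("!I", esp[:4])[0]

class HideNat:
    """Models a 'hide' NAT that records what it can see about outbound ESP."""
    def __init__(self) -> None:
        self.peers = defaultdict(set)   # remote peer -> inner hosts talking to it
        self.out_spi = {}               # (remote peer, outbound SPI) -> inner host

    def outbound(self, src: str, dst: str, esp: bytes) -> None:
        self.peers[dst].add(src)
        self.out_spi[(dst, parse_spi(esp))] = src

    def inbound(self, src: str, esp: bytes) -> Optional[str]:
        """Pick the inner host for an inbound ESP packet; None means ambiguous."""
        # The inbound SPI was chosen by the inner host and carried inside the
        # encrypted IKE exchange, so it never matches anything learned outbound.
        hit = self.out_spi.get((src, parse_spi(esp)))
        if hit is not None:
            return hit
        candidates = self.peers.get(src, set())
        # Only a single inner host per remote peer can be routed unambiguously.
        return next(iter(candidates)) if len(candidates) == 1 else None

def scenario(flows, reply_from: str) -> Optional[str]:
    """flows: (inner host, remote peer) pairs that send ESP out first."""
    nat = HideNat()
    for i, (host, peer) in enumerate(flows):
        nat.outbound(host, peer, esp_packet(0x1000 + i, 1, b"\x00" * 16))
    # Constructed inbound SPI, unrelated to any outbound SPI the NAT recorded.
    reply = esp_packet(0xBEEF0001, 1, b"\x00" * 16)
    return nat.inbound(reply_from, reply)
```

Running `scenario` with one inner host per peer (one-to-one or many-to-many) yields a unique inner host, while two inner hosts behind the same hide address talking to the same peer yield `None`, which is the many-to-one case the post describes.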