Re: [FW-1] IPsec through Hide NAT



"Moon, Curtis" wrote:
>
> Does FW1 FP2 or FP3 support IPSec pass-through? We have 5 workstations that
> need to load a VPN client (IPSec compliant) which are behind our firewall.
> The VPN clients will have to connect through our firewall to a publicly
> accessible VPN. I believe this is referred to as NAT-traversal. How would I
> set up the rules to support IPSec pass-through? Would I need to make any
> global changes? FW1 on a Win2k box. Thank you for your help.

The reason NAT products do not offer this is that there is no way to do
it in all situations. This is the example that breaks everything:

You have two VPN end-points[0] behind your NAT device, say 10.10.10.10
and 10.10.10.20. The NAT device, in Checkpoint-speak, is "hiding" them
behind 172.18.30.40. They both want to establish ESP tunnels to the same
remote end-point, 192.0.2.2. If we use IKE (500/udp) to establish the
SA for both, that can all be NATed through various tricks, and we
presume that any authentication methods we choose can deal with the
fact that 192.0.2.2 doesn't see the "real" IP address for the other
end-points. So far, so good...

But then the ESP packets start flying, and that's the problem. Say
an ESP packet from 192.0.2.2 bound for 172.18.30.40 arrives at our
NAT device. Which one of our two VPN end-points does this packet
go to? THERE IS NO WAY TO KNOW. What's that you say? Use the SPI field
in the ESP packet? The SPI was passed _encrypted_ in the IKE negotiations,
so we don't know which SPIs correspond to which pair of end-points by
watching the IKE chatter. Huh? We can see the SPI on the outgoing ESP
packets? Sure we can, but it doesn't do us any good (even if we assume
the ends behind the NAT device always talk first). The SPIs for incoming
and outgoing are different and not related. THERE IS NO WAY TO KNOW.

You can pull off one-to-one or even many-to-many through NAT since any
ESP from a given external IP address gets sent to an individual internal
IP, but many-to-one, the above example, breaks everything. If you can't
support IPsec through NAT for the general case, you might as well not try
to pretend you can and then have to explain this every time it breaks when
someone does many-to-one.

[0] IPsec is a peer-to-peer protocol. There are no clients and servers.
--
Crist J. Clark                               [email protected]
Globalstar Communications
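As an added illustration of the argument in the reply above (this is example code written for this page, not part of the original message and not Check Point's implementation), the following toy model gives a hide NAT exactly the information it has on the wire for ESP: the outer source and destination addresses and the cleartext SPI. It then runs the three cases the reply names. The inside hosts, the hide address and the remote peer 192.0.2.2 are the ones in the post; the second remote peer 198.51.100.7 and all SPI values are constructed for the example.

```python
"""Toy hide NAT forwarding ESP (IP protocol 50) for the one-to-one,
many-to-many and many-to-one cases.  Example code for this page, not
Check Point code.  Addresses other than those in the post and all SPI
values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HIDE_ADDR = "172.18.30.40"          # the hide-NAT address from the post
PEER_1 = "192.0.2.2"                # remote peer from the post
PEER_2 = "198.51.100.7"             # constructed second peer (many-to-many)

# (inside address, SPI on packets the host SENDS, SPI on packets it RECEIVES).
# The receive-side SPI is chosen by the inside host and handed to the peer
# inside the encrypted IKE exchange; the NAT never sees it in cleartext until
# the first inbound ESP packet arrives, and it is unrelated to the send-side SPI.
HOST_A = ("10.10.10.10", 0x1111AAAA, 0xA1A1A1A1)   # SPI values constructed
HOST_B = ("10.10.10.20", 0x2222BBBB, 0xB2B2B2B2)   # SPI values constructed


@dataclass(frozen=True)
class Esp:
    """What a NAT can see of an ESP packet: outer IPs and the cleartext SPI."""
    src: str
    dst: str
    spi: int


class HideNat:
    def __init__(self) -> None:
        # remote peer -> inside hosts that have sent ESP to that peer
        self.hosts_by_peer: Dict[str, List[str]] = {}
        # (remote peer, SPI seen on an OUTBOUND packet) -> inside host
        self.outbound_spis: Dict[Tuple[str, int], str] = {}

    def outbound(self, pkt: Esp) -> Esp:
        """Inside -> outside: hide the source, remember what we saw."""
        hosts = self.hosts_by_peer.setdefault(pkt.dst, [])
        if pkt.src not in hosts:
            hosts.append(pkt.src)
        self.outbound_spis[(pkt.dst, pkt.spi)] = pkt.src
        return Esp(HIDE_ADDR, pkt.dst, pkt.spi)

    def inbound(self, pkt: Esp) -> Optional[Esp]:
        """Outside -> inside: pick the inside host, or None if ambiguous."""
        hosts = self.hosts_by_peer.get(pkt.src, [])
        if len(hosts) == 1:
            # one-to-one / many-to-many: the remote address alone identifies
            # the inside host, so no SPI knowledge is needed.
            return Esp(pkt.src, hosts[0], pkt.spi)
        # many-to-one: two inside hosts share this peer.  The only other field
        # is the SPI, but an inbound SPI belongs to the receiving host's inbound
        # SA, while the table below holds SPIs from the opposite direction.  A
        # hit here would be a coincidence, not a correct mapping.
        inside = self.outbound_spis.get((pkt.src, pkt.spi))
        return Esp(pkt.src, inside, pkt.spi) if inside else None


def _dst(pkt: Optional[Esp]) -> Optional[str]:
    return pkt.dst if pkt else None


def run_scenarios() -> Dict[str, Tuple[Optional[str], ...]]:
    """Inside hosts always talk first (the reply's most generous assumption);
    then the peer sends ESP back to the hide address."""
    results: Dict[str, Tuple[Optional[str], ...]] = {}

    # one-to-one: a single inside host behind the hide address
    nat = HideNat()
    nat.outbound(Esp(HOST_A[0], PEER_1, HOST_A[1]))
    results["one_to_one"] = (_dst(nat.inbound(Esp(PEER_1, HIDE_ADDR, HOST_A[2]))),)

    # many-to-many: two inside hosts, two DIFFERENT remote peers
    nat = HideNat()
    nat.outbound(Esp(HOST_A[0], PEER_1, HOST_A[1]))
    nat.outbound(Esp(HOST_B[0], PEER_2, HOST_B[1]))
    results["many_to_many"] = (
        _dst(nat.inbound(Esp(PEER_1, HIDE_ADDR, HOST_A[2]))),
        _dst(nat.inbound(Esp(PEER_2, HIDE_ADDR, HOST_B[2]))),
    )

    # many-to-one: two inside hosts, the SAME remote peer (the breaking case)
    nat = HideNat()
    nat.outbound(Esp(HOST_A[0], PEER_1, HOST_A[1]))
    nat.outbound(Esp(HOST_B[0], PEER_1, HOST_B[1]))
    results["many_to_one"] = (
        _dst(nat.inbound(Esp(PEER_1, HIDE_ADDR, HOST_A[2]))),
        _dst(nat.inbound(Esp(PEER_1, HIDE_ADDR, HOST_B[2]))),
    )
    return results


if __name__ == "__main__":
    for name, delivered in run_scenarios().items():
        print(f"{name:14s} -> {delivered}")
```

In the first two cases every inbound packet reaches the right host because the remote address is enough to demultiplex. In the many-to-one case both inbound packets come back as None: the NAT saw only send-side SPIs, the receive-side SPIs were negotiated under IKE encryption, and there is nothing left in the ESP header to choose between 10.10.10.10 and 10.10.10.20.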

   All contents © 2004 Network Presence, LLC. All rights reserved.