I think that you're (almost) technically precisely correct.

Yes, AFAIK, IPSec ESP and PPTP etc use their own IP protocol (numbers 50 and
47 or something?). This means that they don't have port numbers and
therefore are hard to multiplex through NAT. You can, however, achieve
success in many cases.

1. If you have NAT set up such that it uses a 'complete' or 1:1 IP address
mapping, some things work fine. I have used PPTP this way. If you're doing
it on the cheap, there IS a Cisco way to do it using a single external IP
address and still have all your other stuff work. I won't ramble about it,
so email me OOB if you care.

However, IPSec will probably get all confused. Don't NAT anything after it's
been IPSec'ed.

2. For IPSec, everything works fine as long as you NAT stuff before you
tunnel it. This means that you can have two edge routers that encrypt data
that flows between them, even if both networks use private addressing.

You _can_ have a situation where remote users use an IPSec client, PROVIDED
that the endpoint of the IPSec TUNNEL (don't use transport) is in front of
the box that performs NAT. This may or may not be doable in a single box.
IMO, it should be pretty easy - the IPSec engine just needs to deal with the
packet before it hands it off to the NAT engine. Check with the technodude
relevant to your firewall / edge router. 

I don't know what the current range of stuff does - I'm pretty sure that
Cisco (for example) applies NAT to stuff as it leaves the inside interface.
This means that by the time it gets to the outside interface, which is where
IPSec happens, everything should be fine.

So, I guess the answer to your question is:

No, I don't know of any VPN thing that uses TCP. IMO, that would be
inferior. If you can see the TCP ports then you're about 70% of the way to
having a partial plaintext attack.

I guess a more useful answer is:

You can use PPTP through NAT, provided that you can map whole IP addresses
1:1. Works fine for me.

You can use IPSec _with_ NAT, but IPSec cares more about where the endpoints
are when it's setting up SAs. Just make sure that no NAT happens to IPSec'ed
data.

Hope this helps ;)

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520
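The points above (a hiding-address NAT can only key on port numbers, so a second inside host on a port-less protocol collides; a 1:1 address mapping sidesteps that; translating before tunnelling keeps ESP out of the NAT's way) can be made concrete with a small simulation. This is an added toy model, not code from the thread or from any vendor's NAT implementation; the `OverloadNAT`, `StaticNAT` and `Packet` names and every address and port are constructed for the example, and the model ignores SPIs, SA setup and integrity checks to show only the multiplexing problem.

```python
"""Toy model of NAT versus port-less IP protocols (ESP = 50, GRE = 47, the
latter carrying PPTP data). Added illustration; addresses are constructed."""

from dataclasses import dataclass
from typing import Optional

TCP, GRE, ESP = 6, 47, 50  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for port-less protocols
    dport: Optional[int] = None
    payload: object = None       # inner packet once ESP-encapsulated


class OverloadNAT:
    """One hiding address; multiplexes inside hosts by rewriting source ports."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}  # (proto, external port) -> (inside ip, inside port)

    def outbound(self, pkt):
        if pkt.sport is None:
            # No transport header: the only key left is the protocol number,
            # so a second inside host using that protocol collides.
            owner = self.table.get((pkt.proto, None))
            if owner and owner[0] != pkt.src:
                raise ValueError(f"proto {pkt.proto} already mapped to {owner[0]}")
            self.table[(pkt.proto, None)] = (pkt.src, None)
            return Packet(pkt.proto, self.public_ip, pkt.dst, payload=pkt.payload)
        ext = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, ext)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.dst, ext, pkt.dport, pkt.payload)

    def inbound(self, pkt):
        inside_ip, inside_port = self.table[(pkt.proto, pkt.dport)]
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port, pkt.payload)


class StaticNAT:
    """1:1 address mapping (case 1 above): ports are never touched, so
    port-less protocols pass, at the cost of one public address per host."""

    def __init__(self, pairs):
        self.out = dict(pairs)                       # inside ip -> public ip
        self.back = {v: k for k, v in pairs.items()}

    def outbound(self, pkt):
        return Packet(pkt.proto, self.out[pkt.src], pkt.dst, pkt.sport, pkt.dport, pkt.payload)

    def inbound(self, pkt):
        return Packet(pkt.proto, pkt.src, self.back[pkt.dst], pkt.sport, pkt.dport, pkt.payload)


def esp_encapsulate(inner, tunnel_src, tunnel_dst):
    """Tunnel-mode ESP: the inner packet becomes the opaque payload of a new
    port-less packet between the two tunnel endpoints."""
    return Packet(ESP, tunnel_src, tunnel_dst, payload=inner)


def tcp_two_hosts(nat):
    """Two inside hosts, same source port, one server: do replies demux?"""
    a = Packet(TCP, "10.0.0.1", "203.0.113.9", 1025, 80)
    b = Packet(TCP, "10.0.0.2", "203.0.113.9", 1025, 80)
    oa, ob = nat.outbound(a), nat.outbound(b)
    ra = nat.inbound(Packet(TCP, oa.dst, oa.src, oa.dport, oa.sport))  # server reply
    rb = nat.inbound(Packet(TCP, ob.dst, ob.src, ob.dport, ob.sport))
    return (ra.dst, ra.dport) == ("10.0.0.1", 1025) and (rb.dst, rb.dport) == ("10.0.0.2", 1025)


def esp_two_hosts(nat):
    """Two inside hosts each running an IPSec client to the same gateway."""
    try:
        oa = nat.outbound(Packet(ESP, "10.0.0.1", "198.51.100.5"))
        ob = nat.outbound(Packet(ESP, "10.0.0.2", "198.51.100.5"))
    except ValueError as e:
        return f"collision: {e}"
    ra = nat.inbound(Packet(ESP, oa.dst, oa.src))
    rb = nat.inbound(Packet(ESP, ob.dst, ob.src))
    return "ok" if (ra.dst, rb.dst) == ("10.0.0.1", "10.0.0.2") else "misdelivered"


def nat_then_tunnel(nat, router_public_ip, peer_ip):
    """Case 2 above: translate first, then encapsulate. The ESP packet leaves
    with the router's own address, so nothing port-less needs translating."""
    inner = nat.outbound(Packet(TCP, "10.0.0.1", "192.168.7.20", 1025, 445))
    outer = esp_encapsulate(inner, router_public_ip, peer_ip)
    return outer.proto == ESP and outer.src == router_public_ip and outer.payload.src == router_public_ip


if __name__ == "__main__":
    print("tcp via overload NAT:", tcp_two_hosts(OverloadNAT("192.0.2.1")))
    print("esp via overload NAT:", esp_two_hosts(OverloadNAT("192.0.2.1")))
    print("esp via 1:1 NAT:", esp_two_hosts(StaticNAT({"10.0.0.1": "192.0.2.11", "10.0.0.2": "192.0.2.12"})))
    print("nat then tunnel:", nat_then_tunnel(OverloadNAT("192.0.2.1"), "192.0.2.1", "198.51.100.5"))
```

Running it shows the TCP case demuxing cleanly, the second ESP client colliding behind a single hiding address, the same two clients passing through a 1:1 mapping, and an ESP packet that never needs translation because the inner traffic was translated before encapsulation.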


> -----Original Message-----
> From: Frank Knobbe [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 07, 1999 11:50 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Looking for TCP based VPN
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Greetings,
> 
> VPN's like ESP/AH (PGPNet, SecuRemote, or any other IPSec based VPN),
> PPTP or L2TP are based on their own IP protocols, which are portless.
> That prohibits the relaying of such packets through a device using
> NAT (with a single, hiding IP address) or proxy servers, since NAT'ed
> firewall and proxies rely on port numbers to reference the return
> packets.
> 
> Is anyone aware of a TCP based VPN for Windows NT, that traverses
> proxies/NAT? If not, maybe it's time to write one... 
> 
> Regards,
> Frank
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.1
> Comment: PGP or S/MIME (X.509) encrypted email preferred
> 
> iQA/AwUBN9UfAkRKym0LjhFcEQJBgACfdJ9oSvprxvdL9HmUbrr+ira3Ct8AoI65
> o2QAeLen17e76Gfyx0/TUCjd
> =eJaL
> -----END PGP SIGNATURE-----
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
