Is this what I have heard referred to as "transparent NAT"? Also thought that this type of UDP encapsulation only worked with ESP even still? Maybe that's a Checkpoint centric perspective though.
Cliff

At 05:17 PM 3/22/2002 -0500, H. Morrow Long wrote:
>You probably want to use a feature that the Cisco Universal VPN client
>and Secure VPN server 30XX series support which will tunnel IPSEC over
>UDP. You can select a UDP port (defaults to 10,000 I believe) to use
>to tunnel the IPSEC over. See the Cisco VPN documentation.
>
>Encapsulating the IPSEC packets ( IP, AH, ESP and ULP payload ) within
>a UDP 'wrapper' protects IPSEC from the harmful IP address rewriting
>effects of NAT by isolating them from it...
>
>- H. Morrow Long
>
>Josh Welch wrote:
> >
> > > Hello All,
> > >
> > > We are currently having issues with Cisco's 3000 VPN Client
> > > (ver. 2.5.2 B)
> > > connecting via IKE to a PIX (6.1 (3)) from behind Checkpoint FW-1 4.1 Sp5
> > > doing hide NAT.
> >
> > I am not familiar with these products, but if I understand IKE, it implies
> > using an IPSec VPN. If you are natting with an IPSec VPN, you will have
> > problems. NAT rewrites the packet headers, IPSec checks headers to make
> > sure that they have not been tampered with between the server and the
> > client, you can see how this would create a conflict. Typically speaking,
> > it is not recommended to use an IPSec VPN through a NAT gateway.
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
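The conflict discussed in this thread, as an added Python illustration (not code from any poster or from a vendor): an integrity check that covers the IP addresses fails once hide NAT rewrites the source, while the same packet carried inside a UDP wrapper still verifies because NAT only touches the outer header. The ICV here is a simplified model of AH (HMAC-SHA1-96 over addresses and payload only); the key, addresses and class names are constructed for the example, and port 10000 is the default mentioned above.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"  # constructed; a real SA key is negotiated by IKE
UDP_PORT = 10000               # default port mentioned in the thread

@dataclass(frozen=True)
class AhPacket:
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""

def compute_icv(pkt):
    """Simplified AH ICV: HMAC-SHA1-96 over both addresses and the payload."""
    data = (ipaddress.ip_address(pkt.src).packed
            + ipaddress.ip_address(pkt.dst).packed + pkt.payload)
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def protect(src, dst, payload):
    pkt = AhPacket(src, dst, payload)
    return replace(pkt, icv=compute_icv(pkt))

def verify(pkt):
    return hmac.compare_digest(pkt.icv, compute_icv(pkt))

@dataclass(frozen=True)
class UdpWrapped:
    src: str
    sport: int
    dst: str
    dport: int
    inner: AhPacket  # protected packet carried untouched as the UDP payload

def hide_nat(pkt, public_ip, public_port=None):
    """Rewrite only the outermost source address (and port, if present)."""
    if isinstance(pkt, UdpWrapped):
        return replace(pkt, src=public_ip, sport=public_port)
    return replace(pkt, src=public_ip)

def demo():
    ah = protect("10.1.1.20", "192.0.2.10", b"constructed payload")
    direct_ok = verify(hide_nat(ah, "198.51.100.7"))   # NAT changed a covered field
    wrapped = UdpWrapped(ah.src, UDP_PORT, ah.dst, UDP_PORT, ah)
    natted = hide_nat(wrapped, "198.51.100.7", 40001)  # only outer header rewritten
    return direct_ok, verify(natted.inner)

if __name__ == "__main__":
    print(demo())
```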
