Since I didn't really see any question in this posting other than perhaps the subject line, it's a bit difficult to answer.

If you're wondering why you can't have multiple VPN clients connect (to the exact same IP address from behind a GTA firewall), well that is a very easy one to answer. There are two parts to an IPSec VPN connection:

1) IKE key exchange, which communicates on UDP 500 (destination port) with the source port floating; however some implementations require the source to be UDP 500 also (but not in the specifications).

2) The encapsulated tunnel using ESP (IP protocol 50). The ESP protocol has no port specifications (unlike TCP and UDP). Therefore to make a unique connection between two systems all you have are the source IP and the destination IP.

So if your client is behind a NAT firewall the source IP address will be that of the firewall. If you have two clients behind the firewall attempting to connect to the same destination IP address there will be a conflict, as the two sessions will appear to be identical (same source and same destination). This is not unique to GTA's firewall; it is a fact of the IPSec standard. Then the issue arises, "If you have multiple clients requiring connections to the same destination, why not simply let the firewall do the work and establish a VPN between the firewall and the target?"

As for NAT-T, it may be an answer as it encapsulates the session in a single UDP tunnel. I'm not familiar enough with NAT-T, but it most likely would allow multiple source ports, hence solving your problem. However, if the VPN client supports NAT-T and your target supports NAT-T this should work today, as the GTA firewall would have no impact on the connection. If the target is a GTA firewall then it is a different issue (for the moment). The next GB-OS release, 3.7, will support NAT-T.
Paul Emerson

On Wednesday, March 23, 2005 at 07:50, Clive Walker wrote:
> Hi
>
> I am trying to understand whether there are any other solutions apart
> from what was discussed in November 2003 by Paul Emerson (Nortel
> Contivity VPN clients behind Gnatbox), which I assume would apply.
>
> At present I haven't established any details about the firewall in
> question, but I know that only one GB VPN client works concurrently
> (connecting to our GB-Ware v 3.6.1)
>
> Is NAT-T the answer or is it still not available?
>
> Thanks
>
> Clive Walker
>
> Employer Services Ltd.
> This e-mail and any attachments are confidential and may well also be legally
> privileged. If you have received it in error, you are on notice of its status.
> Please notify us immediately by reply e-mail and then delete this message from
> your system. Please do not copy it or use it for any purposes, or disclose its
> contents to any other person: to do so could be a breach of confidence.
>
> Thank you for your co-operation. Please contact us on +44 (0)1277 230656 or
> email [EMAIL PROTECTED] if you need assistance.
>
> ------------------------------------------------------
> To unsubscribe: [EMAIL PROTECTED]
> For additional commands: [EMAIL PROTECTED]
> Archive: http://archives.gnatbox.com/gb-users/

--
Paul Emerson
Global Technology Associates, Inc.
Tel: +1.407.380.0220   http://www.gta.com/
Fax: +1.407.380.6080   Email: [EMAIL PROTECTED]
Mob: +1.407.617.7818   AIM: pje1gta
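The collision Paul describes can be made concrete with a toy NAT table. The following Python is an added illustration, not code from the thread, from GTA, or from GB-OS: it models a port-address-translating firewall that keys outside flows on (protocol, source IP, destination IP, source port, destination port). ESP (IP protocol 50) carries no port fields, so after translation two inside hosts talking ESP to the same peer collapse onto one outside key; with NAT-T the ESP traffic rides inside UDP (port 4500 per RFC 3948, a known value not mentioned in the thread), so the firewall can assign each inside host its own public source port. The addresses, hosts and the `NatFirewall` class are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IANA protocol numbers: UDP carries ports, ESP does not.
PROTO_UDP = 17
PROTO_ESP = 50
NAT_T_PORT = 4500  # UDP port for IPsec NAT traversal (RFC 3948)


@dataclass(frozen=True)
class Flow:
    """One direction of a session as the NAT device sees it."""
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # None for ESP: the header has no ports
    dst_port: Optional[int] = None


class NatFirewall:
    """Toy PAT table (constructed for this example, not a GTA implementation)."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000            # pool of public source ports for UDP/TCP
        self.table: Dict[Flow, Flow] = {}  # outside key -> inside flow (for replies)

    def translate(self, inside: Flow) -> Tuple[Flow, bool]:
        """Return (outside flow, ok). ok is False when the outside key collides."""
        if inside.proto == PROTO_ESP:
            # ESP: only proto/src/dst identify the session. After NAT the source
            # is always the firewall's public IP, so every inside host that talks
            # ESP to the same peer produces the *same* outside key.
            outside = Flow(PROTO_ESP, self.public_ip, inside.dst_ip)
            if outside in self.table and self.table[outside] != inside:
                # Keep the existing mapping; the second host cannot be distinguished
                # from the first, so its replies would be misdelivered.
                return outside, False
        else:
            # UDP (IKE on 500, NAT-T on 4500): hand out a fresh public source port,
            # which makes each inside flow's outside key unique.
            outside = Flow(inside.proto, self.public_ip, inside.dst_ip,
                           self.next_port, inside.dst_port)
            self.next_port += 1
        self.table[outside] = inside
        return outside, True


PEER = "198.51.100.5"          # constructed: the remote VPN gateway
HOST_A = "192.168.1.10"        # constructed: first client behind the firewall
HOST_B = "192.168.1.11"        # constructed: second client behind the firewall


def raw_esp_scenario() -> List[bool]:
    """Two clients, plain ESP to one peer: the second mapping collides."""
    fw = NatFirewall("203.0.113.1")
    _, ok_a = fw.translate(Flow(PROTO_ESP, HOST_A, PEER))
    _, ok_b = fw.translate(Flow(PROTO_ESP, HOST_B, PEER))
    return [ok_a, ok_b]


def nat_t_scenario() -> Tuple[List[bool], int]:
    """Same two clients with ESP-in-UDP: both succeed with distinct outside keys."""
    fw = NatFirewall("203.0.113.1")
    out_a, ok_a = fw.translate(Flow(PROTO_UDP, HOST_A, PEER, NAT_T_PORT, NAT_T_PORT))
    out_b, ok_b = fw.translate(Flow(PROTO_UDP, HOST_B, PEER, NAT_T_PORT, NAT_T_PORT))
    return [ok_a, ok_b], len({out_a, out_b})


if __name__ == "__main__":
    print("raw ESP  :", raw_esp_scenario())   # second client collides
    print("NAT-T UDP:", nat_t_scenario())     # both mapped, 2 distinct outside keys
```

The model deliberately ignores SPIs: a NAT device could in principle track ESP by SPI, but SPIs differ per direction and are negotiated inside IKE, which is why the IPsec standards settled on UDP encapsulation (NAT-T) rather than relying on NAT boxes to parse ESP. When diagnosing "only one client works", checking whether both ends negotiate NAT-T (UDP 4500 appearing on the wire instead of bare protocol 50) is the first thing to look for.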
