Re: VPN through NAT?

Brian,

IPSEC NAT traversal uses UDP 4500? Whose implementation? Cisco, Nortel, BSD? I believe 4500 is Cisco's way of doing it, but not all IPSEC VPN clients are the same. I use one that uses UDP port 10000 for NAT traversal.

Cheers

---------- Original Message ----------------------------------
From: Brian Candler <B.Candler@xxxxxxxxx>
Date: Mon, 14 Aug 2006 13:30:17 +0100

On Sun, Aug 13, 2006 at 06:28:33PM -0600, Jeff at NorrisTechs wrote:
> I assume you have TCP port 1723 forwarding from the internet/dmz to the
> PPTP host? That should be enough for most PPTP based VPN clients.
>
> It can be difficult with IPSEC as you have to forward UDP 500,
> Protocol 50 and Protocol 51 to / from the VPN client from your NAT router.

If the *clients* are behind NAT, when running IPSEC there should be nothing
to do.

IPSEC uses UDP 500 (outbound) to start the key exchange, detects NAT, and
then switches to UDP 4500 for IPSEC NAT traversal. It also sends NAT
keepalive packets every 20 seconds by default.

So if you have a NAT-aware IPSEC client, it should work with any old NAT
firewall without any config changes on that firewall, as long as it allows
outbound connections. It was designed to work in hotels etc.

Microsoft's L2TP over IPSEC works just fine for this (with Win2K you need to
install a NAT traversal patch). I've no idea about PPTP though. I don't use
it, as it's generally considered insecure compared with IPSEC.

I believe some routers have a "PPTP passthrough" mode, which you could try
turning on (or off) to see if it fixes the problem.

Regards,

Brian.
_______________________________________________
freebsd-isp@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@xxxxxxxxxxx"

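The NAT-T behaviour Brian describes (IKE on UDP 500, then IKE and ESP moving to UDP 4500, with periodic keepalives) can be checked from the NAT firewall's side. The following is an added example, not code from this thread or from any of the products named in it; it assumes the RFC 3948 UDP encapsulation layout (a four-zero-byte non-ESP marker before IKE on 4500, a single 0xFF byte as keepalive, otherwise ESP with SPI and sequence number first) and classifies a constructed sample flow.

```python
# Classifies the UDP datagrams an IPsec NAT-T client sends through a NAT
# firewall: IKE on UDP 500, then IKE and UDP-encapsulated ESP on UDP 4500
# (RFC 3948) plus the one-byte NAT keepalives the thread mentions.
import struct

IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE messages carried on 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 keepalive: a single 0xFF byte

def classify(dst_port: int, payload: bytes) -> str:
    """Name the kind of datagram; 'other' for anything that is not IPsec."""
    if dst_port == IKE_PORT:
        return "ike"
    if dst_port != NAT_T_PORT:
        return "other"
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike-natt"                 # IKE after the switch to 4500
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        if spi != 0:                      # SPI 0 is never sent on the wire
            return f"esp spi=0x{spi:08x} seq={seq}"
    return "malformed"

def summarize(flow):
    """flow: list of (timestamp_s, dst_port, payload) for one client.
    Returns per-kind counts and the seconds between successive keepalives."""
    counts, intervals, last_ka = {}, [], None
    for ts, port, payload in flow:
        kind = classify(port, payload).split()[0]
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "nat-keepalive":
            if last_ka is not None:
                intervals.append(ts - last_ka)
            last_ka = ts
    return counts, intervals

# Constructed sample flow (not a capture): IKE on 500, one IKE message and two
# ESP packets on 4500, then keepalives at the 20-second default interval.
SAMPLE_FLOW = [
    (0.0, 500, b"\x11" * 28),
    (1.0, 4500, NON_ESP_MARKER + b"\x33" * 28),
    (1.5, 4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x44" * 16),
    (2.0, 4500, struct.pack("!II", 0xC0FFEE01, 2) + b"\x55" * 16),
    (22.0, 4500, NAT_KEEPALIVE),
    (42.0, 4500, NAT_KEEPALIVE),
    (62.0, 4500, NAT_KEEPALIVE),
]
```

A client that keeps using UDP 500 after the NAT detection step, or whose 4500 traffic is all keepalives and no ESP, is usually a client that is not NAT-aware or a firewall that drops outbound 4500.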
