Re: VPN through NAT?
- From: Brian Candler <B.Candler@xxxxxxxxx>
- Date: Mon, 14 Aug 2006 21:14:02 +0100
On Mon, Aug 14, 2006 at 12:19:30PM -0600, Jeff Norris wrote:
> Brian,
> IPSEC NAT traversal uses UDP 4500? Whose implementation? Cisco, Nortel,
> BSD?
Everybody, because it's the standard. See RFC 3947 and RFC 3948:
"Take the common case of the initiator behind the NAT. The initiator
must quickly change to port 4500 once the NAT has been detected to
minimize the window of IPsec-aware NAT problems.
In Main Mode, the initiator MUST change ports when sending the ID
payload if there is NAT between the hosts. The initiator MUST set
both UDP source and destination ports to 4500. All subsequent
packets sent to this peer (including informational notifications)
MUST be sent on port 4500."
> I believe 4500 is Cisco's way of doing it, but not all IPSEC VPN
> clients are the same. I use one that uses UDP port 10000 for NAT
> traversal.
There are many proprietary VPN solutions out there, of course, so it sounds
like you have one of these.
I've tested many standard solutions (Microsoft's IPSEC stack, FreeBSD with
ipsec-tools, Linux with ipsec-tools, Cisco IOS, Cisco PIX, Juniper
Netscreen, Juniper ERX, and some smaller vendors). All implement NAT-T
according to the standard. They mostly even interoperate :-)
Regards,
Brian.
_______________________________________________
freebsd-isp@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@xxxxxxxxxxx"
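The reason a single UDP port (4500) can carry both the IKE negotiation and the ESP data after the port change quoted above is the framing defined in RFC 3948: an IKE packet on 4500 is preceded by a four-byte all-zero "Non-ESP Marker", a UDP-encapsulated ESP packet starts directly with its ESP header (whose SPI is never zero), and a NAT keepalive is a single 0xFF octet. The following demultiplexer is an added example, not code from this thread or from any of the implementations Brian lists; the sample packets at the bottom are constructed here for illustration, and the SPI and sequence values in them are arbitrary.

```python
"""Demultiplex the payload of a UDP/4500 datagram as framed by RFC 3948.

After NAT-T port floating, one UDP port carries three kinds of traffic:
  * IKE           : 4-byte Non-ESP Marker (all zero) followed by an IKE header
  * ESP-in-UDP    : ESP header directly (SPI, which is never zero, then sequence)
  * NAT keepalive : a single 0xFF octet
This is example code; sample packets below are constructed, not captured.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
IKE_HEADER_LEN = 28          # ISAKMP/IKEv2 fixed header size in octets
ESP_HEADER_LEN = 8           # SPI (4) + sequence number (4)


def classify_natt_payload(payload: bytes) -> dict:
    """Return a dict describing what the UDP/4500 payload carries.

    Decisions follow RFC 3948 section 2: keepalive first (one octet),
    then the zero marker for IKE, otherwise treat the bytes as ESP.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}

    if len(payload) < ESP_HEADER_LEN:
        return {"kind": "malformed", "reason": "shorter than an ESP header"}

    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        (ispi, rspi, next_payload, version, exch_type,
         flags, msg_id, length) = struct.unpack("!QQBBBBII", ike[:IKE_HEADER_LEN])
        # The IKE length field covers header plus payloads; UDP delimits the
        # message, so anything other than an exact match is a bad packet.
        if length != len(ike):
            return {"kind": "malformed",
                    "reason": f"IKE length {length} != {len(ike)} bytes present"}
        return {
            "kind": "ike",
            "ike_version": (version >> 4, version & 0x0F),
            "exchange_type": exch_type,
            "initiator_spi": ispi,
            "responder_spi": rspi,
            "message_id": msg_id,
            "length": length,
        }

    # Anything else is UDP-encapsulated ESP; the SPI is non-zero by construction,
    # which is what makes the zero marker unambiguous.
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    return {"kind": "esp", "spi": spi, "seq": seq,
            "encrypted_len": len(payload) - ESP_HEADER_LEN}


# --- constructed samples (not captured traffic) -----------------------------
# IKEv1 Main Mode (exchange type 2, version 1.0) header with no payloads.
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII",
    0x1122334455667788,  # initiator cookie/SPI (arbitrary)
    0,                   # responder SPI not yet assigned
    1,                   # next payload: SA
    0x10,                # version 1.0
    2,                   # exchange type: Identity Protection (Main Mode)
    0,                   # flags
    0,                   # message ID
    IKE_HEADER_LEN,      # length: header only in this sample
)
# ESP-in-UDP: SPI 0xC0FFEE01, sequence 1, followed by 16 placeholder bytes.
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16
SAMPLE_KEEPALIVE = NAT_KEEPALIVE
# Zero marker but far too short to hold an IKE header.
SAMPLE_MALFORMED = NON_ESP_MARKER + b"\x01" * 10

if __name__ == "__main__":
    for name, pkt in [("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP),
                      ("keepalive", SAMPLE_KEEPALIVE), ("bad", SAMPLE_MALFORMED)]:
        print(name, classify_natt_payload(pkt))
```

The same three-way split is what a firewall or IDS in front of a NAT-T gateway has to make: a rule that only permits UDP/4500 is not enough on its own, since IKE and ESP share the port and a keepalive is a legitimate one-byte datagram that a strict length check would otherwise drop.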