
Re: SKIP and NAT



Thanks for all the helpful replies (basically telling me this can't
work!).  I think though, that this isn't a very unusual situation.
Here are the details:

The SKIP gateway is a firewall (with a private IP address) that goes
through an Ascend ISDN router to connect to an ISP which assigns an IP
address dynamically.  In this configuration, the Ascend box translates
all outgoing packets to the dynamic IP address and translates incoming
packets to the last internal address that it saw (always the firewall's
in this case).

When I first tried to configure SKIP on the firewall to encrypt traffic
to another SKIP host (running Elvis+), the remote SKIP complained of
authentication failures when pinged (no surprise).  I turned off the
authentication headers, then the remote SKIP accepted the ICMP echo
request from the translated address, but tried to send the echo reply to
the original address unencrypted (no surprise here either).  So I
configured the remote SKIP to use the dynamic address as a tunnel
address for packets destined to the firewall's fixed private address.
Now the echo replies are encrypted, sent to the dynamic Ascend address,
translated by the Ascend to the firewall's address, and sent to the
firewall.  The firewall receives them and SKIP seems to decode the
packets, but the packet filter sitting above SKIP on the firewall
complains that the packets have a protocol field of 0!

I wonder if this is a "feature" of IPSEC, or a "bug" in Sun SKIP.  It
was suggested that the SKIP implementation may intentionally rewrite IP
headers with protocol 0 as a way to ensure that a "bad" packet gets
discarded.  I will have to research this further.

Thanks,
Dave

David Aylesworth
Technologic, Inc.
dave@tlogic.com
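The two failures Dave describes (authentication failing once the Ascend box rewrites the source address, and the packet filter rejecting a decapsulated packet whose protocol field is 0) can be reproduced in a few lines. The following is an added example written for this archive page, not code from the original post, from Sun SKIP or from Elvis+. It does not use SKIP's real header format; instead it models an AH-style authenticator computed over the immutable IPv4 header fields (addresses included, TTL and checksum excluded), which is enough to show why a NAT that rewrites the source address breaks authentication while a router that only decrements TTL does not. The addresses are constructed documentation addresses, the shared key is made up, and the IP protocol number 57 is the IANA assignment for SKIP; the packet-filter check simply mirrors the behaviour the post reports.

```python
import hashlib
import hmac
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
PROTO_ICMP = 1
PROTO_SKIP = 57               # IANA-assigned protocol number for SKIP (assumed here)


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """Build a minimal IPv4 header; the header checksum is left at 0 for brevity."""
    ver_ihl = (4 << 4) | 5
    return struct.pack(IPV4_FMT, ver_ihl, 0, 20 + payload_len, ident, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4_header(hdr):
    """Return the fields a packet filter looks at."""
    f = struct.unpack(IPV4_FMT, hdr[:20])
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "ttl": f[5]}


def auth_view(hdr):
    """Header as covered by the authenticator: mutable fields (TTL, checksum) zeroed,
    addresses kept. This is the AH convention, used here as an illustration."""
    b = bytearray(hdr[:20])
    b[8] = 0                   # TTL changes at every hop
    b[10:12] = b"\x00\x00"     # header checksum changes with TTL
    return bytes(b)


def compute_auth(key, hdr, payload):
    return hmac.new(key, auth_view(hdr) + payload, hashlib.sha256).digest()[:12]


def verify_auth(key, hdr, payload, tag):
    return hmac.compare_digest(compute_auth(key, hdr, payload), tag)


def router_decrement_ttl(hdr):
    """What an ordinary router does: TTL goes down, the rest stays."""
    b = bytearray(hdr)
    b[8] -= 1
    return bytes(b)


def nat_rewrite_src(hdr, new_src):
    """What the Ascend box does to outgoing packets: rewrite the source address."""
    b = bytearray(hdr)
    b[12:16] = socket.inet_aton(new_src)
    return bytes(b)


def tunnel_encapsulate(outer_src, outer_dst, inner_packet):
    """Tunnel mode: the whole inner packet rides behind an outer header."""
    return build_ipv4_header(outer_src, outer_dst, PROTO_SKIP, len(inner_packet)) + inner_packet


def tunnel_decapsulate(packet):
    """Strip the outer header and hand the inner packet up to the filter."""
    assert parse_ipv4_header(packet)["proto"] == PROTO_SKIP
    return packet[20:]


def filter_packet(packet):
    """Packet filter sitting above the SKIP layer: protocol 0 is never legitimate."""
    p = parse_ipv4_header(packet)
    if p["proto"] == 0:
        return "drop: protocol 0"
    return "pass"


def demo():
    key = b"constructed-shared-key"
    firewall, remote, dynamic = "10.0.0.1", "192.0.2.10", "198.51.100.7"   # constructed
    echo = b"\x08\x00" + b"\x00" * 6 + b"ping"          # constructed ICMP echo request
    hdr = build_ipv4_header(firewall, remote, PROTO_ICMP, len(echo))
    tag = compute_auth(key, hdr, echo)

    # Echo reply from the remote, tunnelled to the dynamic address and untouched by NAT.
    reply_inner = build_ipv4_header(remote, firewall, PROTO_ICMP, len(echo)) + echo
    good = tunnel_decapsulate(tunnel_encapsulate(remote, dynamic, reply_inner))

    # Same tunnel, but the inner header arrives with protocol 0 (as the post reports).
    bad_inner = build_ipv4_header(remote, firewall, 0, len(echo)) + echo
    bad = tunnel_decapsulate(tunnel_encapsulate(remote, dynamic, bad_inner))

    return {
        "auth_after_router": verify_auth(key, router_decrement_ttl(hdr), echo, tag),
        "auth_after_nat": verify_auth(key, nat_rewrite_src(hdr, dynamic), echo, tag),
        "filter_good_reply": filter_packet(good),
        "filter_proto0_reply": filter_packet(bad),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first two results are the authentication story: TTL decrement survives verification, source rewrite does not, which is exactly why turning off authentication headers was the only way to get the echo request accepted. The last two show the filter behaviour: a well-formed decapsulated reply passes, while one whose inner header carries protocol 0 is dropped regardless of whether the SKIP layer decrypted it correctly, so the "protocol 0" complaint says nothing about whether the tunnel itself is working.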