
Re: SKIP and NAT



At 10:54 PM 8/19/97 -0400, David Aylesworth wrote:
>Thanks for all the helpful replies (basically telling me this can't
>work!).  I think though, that this isn't a very unusual situation.
>Here are the details:
>
>The SKIP gateway is a firewall (with a private IP address) that goes
>through an Ascend ISDN router to connect to an ISP which assigns an IP
>address dynamically.  In this configuration, the Ascend box translates
>all outgoing packets to the dynamic IP address and translates incoming
>packets to the last internal address that it saw (always the firewall's
>in this case).
>
>When I first tried to configure SKIP on the firewall to encrypt traffic
>to another SKIP host (running Elvis+), the remote SKIP complained of
>authentication failures when pinged (no surprise).  I turned off the
>authentication headers, then the remote SKIP accepted the ICMP echo
>request from the translated address, but tried to send the echo reply to
>the original address unencrypted (no surprise here either).  So I
>configured the remote SKIP to use the dynamic address as a tunnel
>address for packets destined to the firewall's fixed private address.
>Now the echo replies are encrypted, sent to the dynamic Ascend address,
>translated by the Ascend to the firewall's address, and sent to the
>firewall.  The firewall receives them and SKIP seems to decode the
>packets, but the packet filter sitting above SKIP on the firewall
>complains that the packets have a protocol field of 0!
>
>I wonder if this is a "feature" of IPSEC, or a "bug" in Sun SKIP.  It
>was suggested that the SKIP implementation may intentionally rewrite IP
>headers with protocol 0 as a way to ensure that a "bad" packet gets
>discarded.  I will have to research this further.

Looks that way to me. SKIP doesn't understand IP protocols 50 and 51, which are
IPSec-specific. During the translation SKIP puts protocol 0 to indicate
unrecognized IP packets.


Wei

Trusted Information Systems, Inc.

>
>Thanks,
>Dave
>
>David Aylesworth
>Technologic, Inc.
>dave@tlogic.com
>
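The behaviour David reports (AH authentication failing on the translated packets, the echo traffic getting through once the authentication headers were turned off, and a filter rejecting protocol 0) can be reproduced in miniature. The following is an added example, not code from this thread, from Sun SKIP or from Elvis+: it builds an IPv4 header, computes an AH-style integrity check over the fields AH treats as immutable (source and destination addresses included), rewrites the source address the way the Ascend NAT would, and re-checks; it then does the same for an ESP-style tag, which covers only the ESP body, and runs a protocol-0 header through a filter check. HMAC-SHA256, the key, the payload and every address are constructed for the demo.

```python
"""Added example: why AH (protocol 51) breaks behind NAT while ESP (protocol 50)
does not, plus a filter check for the protocol-0 packets seen in the thread.
Not from the original message or from Sun SKIP / Elvis+.  HMAC-SHA256, the key
and every address below are constructed for the demo."""
import hashlib
import hmac
import socket
import struct

IPPROTO_ESP = 50   # IPSec Encapsulating Security Payload
IPPROTO_AH = 51    # IPSec Authentication Header
PROTO_NAMES = {0: "reserved", 1: "ICMP", IPPROTO_ESP: "ESP", IPPROTO_AH: "AH"}

IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, flags+frag, ttl, proto, csum, src, dst


def ipv4_checksum(hdr):
    """RFC 791 header checksum; returns 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!10H", hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0x1234):
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(hdr):
    f = struct.unpack(IPV4_FMT, hdr[:20])
    return {"ttl": f[5], "proto": f[6], "checksum": f[7],
            "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9])}


def ah_icv(key, hdr, payload):
    """AH-style integrity check value.  AH zeroes the fields a router may legitimately
    change (TOS, flags/fragment offset, TTL, header checksum) but covers everything
    else, including source and destination addresses, so a NAT rewrite breaks it."""
    h = bytearray(hdr[:20])
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return hmac.new(key, bytes(h) + payload, hashlib.sha256).digest()[:12]


def ah_verify(key, hdr, payload, icv):
    return hmac.compare_digest(ah_icv(key, hdr, payload), icv)


def esp_icv(key, esp_body):
    """ESP's integrity check covers only the ESP header and payload, never the outer
    IP header, so address translation on the outer header leaves it valid."""
    return hmac.new(key, esp_body, hashlib.sha256).digest()[:12]


def nat_rewrite_src(hdr, new_src):
    """What the NAT box does on the way out: swap the source address, fix the checksum."""
    h = bytearray(hdr[:20])
    h[12:16] = socket.inet_aton(new_src)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def filter_verdict(hdr):
    """The kind of check a packet filter above SKIP would apply: protocol 0 is reserved
    in IPv4 and carries nothing a filter rule can match, so it is dropped."""
    proto = parse_ipv4_header(hdr)["proto"]
    if proto == 0:
        return "drop: protocol 0 (reserved / unrecognized)"
    return "accept: protocol %d (%s)" % (proto, PROTO_NAMES.get(proto, "other"))


def run_scenario(key=b"constructed-demo-key"):
    """Private firewall 192.168.1.1 behind a NAT that presents 203.0.113.42, talking to
    a remote SKIP host at 198.51.100.7 (all addresses constructed)."""
    payload = b"\x08\x00\x00\x00\x00\x01\x00\x01ping"   # constructed ICMP echo request
    # AH packet: ICV computed by the firewall, then the NAT rewrites the source.
    ah_hdr = build_ipv4_header("192.168.1.1", "198.51.100.7", IPPROTO_AH, len(payload))
    icv = ah_icv(key, ah_hdr, payload)
    ah_natted = nat_rewrite_src(ah_hdr, "203.0.113.42")
    # ESP packet: the tag covers only the ESP body, the outer header is free to change.
    esp_hdr = build_ipv4_header("192.168.1.1", "198.51.100.7", IPPROTO_ESP, len(payload))
    tag = esp_icv(key, payload)
    esp_natted = nat_rewrite_src(esp_hdr, "203.0.113.42")
    return {
        "ah_ok_before_nat": ah_verify(key, ah_hdr, payload, icv),
        "ah_ok_after_nat": ah_verify(key, ah_natted, payload, icv),
        "esp_ok_after_nat": hmac.compare_digest(esp_icv(key, payload), tag),
        "nat_checksum_valid": ipv4_checksum(ah_natted) == 0,
        "natted_src": parse_ipv4_header(ah_natted)["src"],
        "esp_natted_proto": parse_ipv4_header(esp_natted)["proto"],
        "proto0_verdict": filter_verdict(
            build_ipv4_header("203.0.113.42", "192.168.1.1", 0, len(payload))),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print("%-20s %s" % (name, value))
```

The NAT leaves the IP header checksum valid and the packet perfectly well-formed, which is why the translated packets are not simply dropped on the wire: only the receiver's AH check, which covers the addresses, notices the rewrite. The ESP tag is unaffected, matching the observation that traffic flowed once the authentication headers were turned off and only the tunnel address had to be fixed on the remote side.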