Re: IP tunnel over a NAT (IP masq) possible ?




Hi Otel,

  Can't tell you about all products, but many will not
 work with many-to-one NAT; they have problems
 after the IP headers are changed. Usually the key
 exchange works, then the device (whatever it is)
 will not pass the following packets.

 (If anyone knows different, please add your comments,
  I'm working on that right now), and in the mix is an
 assortment of NAT, proxy and hardware devices.

  I know CheckPoint Secure Remote will not work, and
 I've heard many incompatibility stories using AOL
 as transport, since they write a modified TCP/IP
 stack.

 Someone made a mention though, if you use a public
 routable IP address space, and have the NAT proxy
 doing IP forwarding, and using encryption, not
 encapsulation, that may work.

Sincerely
Steve

On Fri, 16 Jul 1999, Otel Florian-Daniel wrote:

> 
> Hello everybody,
> 
> 
> I have the following problem: I have a machine behind a NAT performing 
> one-to-many address translation (inside: Net 10. outside: only one IP
> addr). What I would like to do is to set up an IP tunnel from one of the
> inside machines (the "client") to a remote machine (i.e. beyond NAT)
> (the "server"), such that after the tunnel setup the inside machine
> appears to be virtually attached to the remote net.
> 
> Requirements:
> -As it is implied, I don't have administrative control over the NAT
> (otherwise e.g. I could simply attach the client beyond it and use
> `ordinary` IP tunneling)
> -The tunnel is encrypted  (overhead issues irrelevant for the time being)
> -The tunnel is set on-demand, in a client-server fashion (e.g. tunneling 
> over a TCP connection).
> -The operating system: Linux
> 
> 
> Any ideas and suggestions are welcomed.
> 
> Many thanks,
> 
> Florian
> 
> P.S: Maybe these were not the most appropriate forums where to ask. If
> that is the case, apologies in advance. Any hint in this respect will
> be appreciated. 
> 

Steven A. Brown, MBA., CCSA, CCSE,
VPN/Firewall & Internet Security Engineer
Cable&Wireless, 6400 Weston Pkwy, 3rd. FL
Research Triangle Park, NC, 27513  
Author:Implementing Virtual Private Networks, McGraw-Hill
CoAuthor:CheckPoint Firewall-1, McGraw-Hill
sbrown@cw.net, Steven.Brown@cwusa.com
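A small model of the failure Steve describes above, added here as an illustration and not part of either Steve's or Florian's messages. It assumes a port-translating many-to-one NAT that can only build translation entries from transport ports, and shows two things: the IKE handshake (UDP/500) gets a mapping and its reply is delivered, but the ESP/AH data packets that follow carry an SPI and no ports, so the NAT has nothing to map them with; and, separately, an AH integrity check computed over the source address fails once that address has been rewritten. The class and function names, the addresses and the key are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    proto: str                     # "udp", "esp" or "ah"
    src: str
    dst: str
    sport: Optional[int] = None    # transport ports: present only for udp/tcp
    dport: Optional[int] = None
    spi: Optional[int] = None      # security parameter index: only for esp/ah
    payload: bytes = b""
    icv: bytes = b""               # AH integrity check value


class ManyToOneNat:
    """Port-translating NAT: every inside host shares one public address."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # (proto, public port) -> (inside address, inside port)
        self.mappings: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            # ESP/AH have an SPI but no transport port, so there is nothing to
            # allocate a per-host public port from.  Modelled as a drop here
            # (an assumption: devices of the period varied in what they did).
            return None
        public_port = self.next_port
        self.next_port += 1
        self.mappings[(pkt.proto, public_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=public_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dport is None:
            return None                      # same problem on the way back
        inside = self.mappings.get((pkt.proto, pkt.dport))
        if inside is None:
            return None
        return replace(pkt, dst=inside[0], dport=inside[1])


def _ah_covered_bytes(pkt: Packet) -> bytes:
    # AH authenticates the immutable parts of the IP header, which include the
    # source and destination addresses, plus the AH header and the payload.
    return f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.spi}|".encode() + pkt.payload


def ah_sign(key: bytes, pkt: Packet) -> Packet:
    icv = hmac.new(key, _ah_covered_bytes(pkt), hashlib.sha256).digest()[:12]
    return replace(pkt, icv=icv)


def ah_verify(key: bytes, pkt: Packet) -> bool:
    expected = hmac.new(key, _ah_covered_bytes(pkt), hashlib.sha256).digest()[:12]
    return hmac.compare_digest(expected, pkt.icv)


def demo() -> Dict[str, bool]:
    nat = ManyToOneNat("203.0.113.1")        # constructed documentation address
    inside, peer = "10.0.0.5", "198.51.100.9"

    # 1. Key exchange over UDP/500 passes the NAT in both directions.
    ike = Packet("udp", inside, peer, sport=500, dport=500, payload=b"IKE proposal")
    ike_out = nat.outbound(ike)
    reply = Packet("udp", peer, nat.public_ip, sport=500,
                   dport=ike_out.sport, payload=b"IKE response")
    ike_back = nat.inbound(reply)

    # 2. The ESP data packets that follow have no ports: the NAT cannot map them.
    esp_out = nat.outbound(Packet("esp", inside, peer, spi=0x1001, payload=b"data"))

    # 3. Even if an AH packet were forwarded, the rewritten source address
    #    no longer matches what the integrity check was computed over.
    key = b"constructed-demo-key"
    ah = ah_sign(key, Packet("ah", inside, peer, spi=0x2002, payload=b"data"))
    ah_after_nat = replace(ah, src=nat.public_ip)

    return {
        "ike_forwarded": ike_out is not None and ike_out.src == nat.public_ip,
        "ike_reply_delivered": ike_back is not None and ike_back.dst == inside
                               and ike_back.dport == 500,
        "esp_forwarded": esp_out is not None,
        "ah_ok_before_nat": ah_verify(key, ah),
        "ah_ok_after_nat": ah_verify(key, ah_after_nat),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running it prints the handshake succeeding and the data path failing, which is the "key exchange works, then the following packets are not passed" pattern from the reply. The "public routable address space with IP forwarding" suggestion at the end of Steve's message sidesteps both modelled problems because no header rewriting takes place at all.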