Re: Problem with Cisco VPN concentrator

[Michael Richardson <mcr@sandelman.ottawa.on.ca>]

>>>>> "Bikramjit" == Bikramjit Singh <BSingh@Nomadix.com> writes:
    Bikramjit> We have developed kind of
    Bikramjit> a VPN masquerade feature for our USG (Universal Subscriber
    Bikramjit> Gateway) product to let ISAKMP and ESP connections passthrough

  Noble. Please consider making your box do IPv6 with 6to4 addresses (or
preconfigured ones) as well. 

    Bikramjit> Since we are doing PAT ( port address translation) multiple
    Bikramjit> subscribers trying to connect to the same Cisco VPN
    Bikramjit> concentrator are unable to do that since Cisco can see only
    Bikramjit> the our USG's IP address and the same port number for ISAKMP
    Bikramjit> (UDP/500) traffic from multiple subscribers. This way Cisco

  This isn't surprising. The box has no way to know that you are in fact
multiple people behind the gateway.

    Bikramjit> keeps the most recent connection only and the earlier clients
    Bikramjit> connection gets dropped. Other devices (e.g Nortel Contivity)
    Bikramjit> do not show such behaviour and can keep simultaneous sessions
    Bikramjit> even though coming apparently ( USG's IP address) from the
    Bikramjit> same client ( i guess by differentiating them on the basis of
    Bikramjit> the ISAKMP initiator cookies).

  That's certainly a common way do things, but it isn't required.

  The other thing that some code does is to send everything from port 500, 
and demux on incoming based upon the ISAKMP cookies.  That way you
interoperate with devices that insist on using port 500 for origination.
 
    Bikramjit> Cisco accepts the issue with PAT in its release notes and says
    Bikramjit> that it will accept multiple connection from the same client
    Bikramjit> (apparently - although in our case they are multiple clients
    Bikramjit> being PATed on the same IP address and same port) only if they
    Bikramjit> have different source port numbers.

  Okay, that's the opposite situation than I'd expect :-)
 
    Bikramjit> Now the question. We want to support both Cisco and non-Cisco
    Bikramjit> connection going through are box without the user seeing any
    Bikramjit> disconnections. Cisco will work with normal PAT ( src ip/src
    Bikramjit> port <---> USG IP/ assigned src port) But others ( e.g Nortel)
    Bikramjit> don't, which require both destination and source port to be
    Bikramjit> 500. Is there a way to "probe" the Cisco concentrator that
    Bikramjit> will till us that it is a "Cisco" and so we should do normal
    Bikramjit> PAT otherwise we should do our normal ISAKMP handling (
    Bikramjit> keeping track of cookies)?

  At a minimum, I guess you need to offer a way a way to configure PAT or not
on a per-destination basis. 

  You might be able to probe by doing a minimal IKE exchange and looking for
vendor ID strings, but this would be bad.

  Offer IPv6 as well and you can help this problem go away in the future.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

---

References:

• Problem with Cisco VPN concentrator
• From: Bikramjit Singh <BSingh@Nomadix.com>

---

• Prev by Date: RE: SOI: identity protection and DOS
• Next by Date: RE: Problem with Cisco VPN concentrator
• Prev by thread: Problem with Cisco VPN concentrator
• Next by thread: Re: Problem with Cisco VPN concentrator
• Index(es):
  • Main
  • Thread