
IPSec NAT pass-through: how does the server side distinguish different clients?



Hello,

I have implemented IPSec NAT pass-through in the
access box by looking at cookie/SPI values. I can
successfully do the 1 to 1 and 1 to many cases, but
can't do the many to 1 case, because I don't know how
to configure the public side VPN server.
That server doesn't know how to distinguish different
clients behind the NAT, because they all have the same
tunnel endpoint IP address (the NAT public address),
and they all use ESP, and the same
encrypt/authenticate algorithm. So to the server, all
of them belong to the same SA. Captured packets on
the server side show that even though different clients use
different SPIs to talk to the server, the server
responds with the same SPI, which causes the problem.
I tested with a Cisco 2600 and Win2000 as the VPN
server; both have the same problem.
Can anybody give me a clue? Thanks a lot!

feng


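The mapping failure described in the post above, as an added example (this is not the poster's code; the packet model, addresses and SPI values are all constructed for illustration): a toy ESP-SPI-aware NAT that learns which inner client owns each reply SPI from the server, run first with distinct reply SPIs and then with the server reusing one reply SPI for two clients. An ESP packet carries nothing but its SPI and sequence number in the clear, so once two clients share the NAT's public address and the same reply SPI the table has nothing left to key on and the second client's traffic is handed to the first.

```python
"""Toy ESP pass-through NAT (added example, not the poster's implementation).

The NAT is keyed on the only cleartext ESP field usable for demultiplexing,
the SPI.  It learns the server's reply SPI for an inner host by pairing the
first unknown reply SPI from a server with the oldest inner host that has
sent ESP to that server and has no reply SPI yet.  Addresses and SPIs below
are constructed sample values.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple

NAT_PUBLIC = "203.0.113.1"      # constructed: the NAT's public address
SERVER = "198.51.100.10"        # constructed: the public-side VPN server


@dataclass(frozen=True)
class EspPacket:
    src: str
    dst: str
    spi: int                    # the 32-bit SPI from the ESP header


class EspNat:
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # reply SPI chosen on the server->client direction -> inner host
        self.reply_spi_to_host: Dict[int, str] = {}
        # server -> inner hosts that have sent ESP but have no reply SPI yet
        self.awaiting_reply: Dict[str, Deque[str]] = {}

    def outbound(self, pkt: EspPacket) -> EspPacket:
        """Inner host -> server: rewrite the source to the NAT public address."""
        queue = self.awaiting_reply.setdefault(pkt.dst, deque())
        already_known = pkt.src in self.reply_spi_to_host.values()
        if not already_known and pkt.src not in queue:
            queue.append(pkt.src)
        return EspPacket(self.public_ip, pkt.dst, pkt.spi)

    def inbound(self, pkt: EspPacket) -> Optional[EspPacket]:
        """Server -> NAT: pick the inner host by SPI, learning it if unknown."""
        host = self.reply_spi_to_host.get(pkt.spi)
        if host is None:
            queue = self.awaiting_reply.get(pkt.src)
            if not queue:
                return None             # unknown SPI and nobody waiting: drop
            host = queue.popleft()
            self.reply_spi_to_host[pkt.spi] = host
        # If the server reuses an SPI already bound to another host, this
        # lookup silently delivers the packet to that earlier host.
        return EspPacket(pkt.src, host, pkt.spi)


def run_scenario(clients: Dict[str, Tuple[int, int]]) -> Dict[str, Optional[str]]:
    """For each inner host: send one ESP packet to the server, then feed the
    server's reply (with the given reply SPI) back through the NAT.
    Returns the inner host each reply was actually delivered to."""
    nat = EspNat(NAT_PUBLIC)
    reached: Dict[str, Optional[str]] = {}
    for host, (spi_to_server, spi_from_server) in clients.items():
        nat.outbound(EspPacket(host, SERVER, spi_to_server))
        reply = nat.inbound(EspPacket(SERVER, NAT_PUBLIC, spi_from_server))
        reached[host] = reply.dst if reply else None
    return reached


if __name__ == "__main__":
    # Distinct reply SPIs: every reply reaches the right client.
    print(run_scenario({"10.0.0.2": (0x1001, 0x2001),
                        "10.0.0.3": (0x1002, 0x2002)}))
    # Server reuses one reply SPI: the second client's reply goes to the first.
    print(run_scenario({"10.0.0.2": (0x1001, 0x2001),
                        "10.0.0.3": (0x1002, 0x2001)}))
```

The second scenario reproduces the symptom in the capture described above: with the same reply SPI on the server side, the NAT's table already binds that SPI to the first client, so the second client never receives a packet and the first receives ciphertext it cannot authenticate. The only escape is per-client reply SPIs on the server side, which the pass-through box cannot arrange on its own.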