
Re: IPSec NAT pass-through: how does the server side distinguish different clients?



You need to create different SPD policies on the VPN server for
each client behind your NAT (having IPSEC NAT passthrough). These SPD
policies on the VPN server should have the client IP addresses (private IP addresses)
as the destination IP address selector. The remote security gateway IP address
on these SPD policies needs to be the public IP address on the NAT box.

Srini

Intoto Inc. 
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
----- Original Message ----- 
From: "Feng Ye" <f_ye@yahoo.com>
To: <ipsec@lists.tislabs.com>
Sent: Tuesday, September 03, 2002 9:05 PM
Subject: IPSec NAT pass-through: how does the server side distinguish different clients?


> Hello,
> 
> I have implemented IPSec NAT pass-through in the
> access box by looking at cookie/SPI values. I can
> successfully do the 1-to-1 and 1-to-many cases, but
> can't do the many-to-1 case, because I don't know how
> to configure the public-side VPN server.
> That server doesn't know how to distinguish different
> clients behind the NAT, because they all have the same
> tunnel endpoint IP address (the NAT public address),
> and they all use ESP, and the same
> encrypt/authenticate algorithm. So to the server, all
> of them belong to the same SA. Captured packets on
> the server side show that even though different clients use
> different SPIs to talk to the server, the server
> responds with the same SPI, thus causing the problem.
> I tested with cisco 2600 and win2000 as the VPN
> server, all have the same problem.
> Can anybody there give me a clue? Thanks a lot!
> 
> feng
> 
> 
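As an added illustration of the per-client SPD entries Srini describes (example code, not from either message in the thread): the server's outbound policy matches on the client's private address while both tunnels share the NAT's public address as the remote gateway, and the inbound side picks the SA by SPI rather than by source address. The two-client topology, addresses and SPIs are constructed sample values.

```python
# Minimal model of a VPN server's SPD (policy) and inbound SAD (SA table)
# for two clients behind one NAT. Constructed example, not a real stack.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SpdEntry:
    dst_selector: ipaddress.IPv4Network    # inner dst: the client's private address
    remote_gateway: ipaddress.IPv4Address  # outer dst: the NAT's public address
    spi_out: int                           # outbound ESP SA this policy points at


@dataclass(frozen=True)
class SaEntry:
    spi: int
    peer_gateway: ipaddress.IPv4Address
    inner_client: ipaddress.IPv4Address


# Constructed topology: clients 10.0.0.11 and 10.0.0.12 behind NAT 203.0.113.5.
NAT_PUBLIC = ipaddress.IPv4Address("203.0.113.5")
SPD = [
    SpdEntry(ipaddress.IPv4Network("10.0.0.11/32"), NAT_PUBLIC, 0x1001),
    SpdEntry(ipaddress.IPv4Network("10.0.0.12/32"), NAT_PUBLIC, 0x1002),
]
# Inbound SAs are keyed on (SPI, protocol); both share the same peer address.
SAD_IN = {
    (0xA001, "esp"): SaEntry(0xA001, NAT_PUBLIC, ipaddress.IPv4Address("10.0.0.11")),
    (0xA002, "esp"): SaEntry(0xA002, NAT_PUBLIC, ipaddress.IPv4Address("10.0.0.12")),
}


def outbound_spi(dst_ip: str):
    """Outbound: match the inner destination against the per-client selector,
    not the shared outer gateway. Returns (gateway, spi) or None if no policy."""
    dst = ipaddress.IPv4Address(dst_ip)
    for entry in SPD:                      # ordered SPD: first match wins
        if dst in entry.dst_selector:
            return str(entry.remote_gateway), entry.spi_out
    return None


def inbound_client(spi: int, proto: str = "esp"):
    """Inbound: the SPI (with protocol) identifies the SA, so two clients
    behind one public address still map to distinct inner addresses."""
    sa = SAD_IN.get((spi, proto))
    return str(sa.inner_client) if sa else None


def spd_is_per_client(spd) -> bool:
    """Config check: selectors are distinct and none is just the NAT gateway."""
    sels = [e.dst_selector for e in spd]
    return len(set(sels)) == len(sels) and not any(
        e.remote_gateway in e.dst_selector for e in spd)
```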