
RE: IPSec Passthrough



For 3, I will add that what is listed is one way of doing things. In the
Nomadix USG we have the patent-pending iNAT functionality that does away
with the requirement of sequencing multiple IPSec connections to the same
server and adds reliability by reducing the confusion for the server. It
also doesn't require keeping track of ESP SPIs.

-----Original Message-----
From: Srinivasa Rao Addepalli [mailto:srao@intotoinc.com] 
Sent: Friday, May 02, 2003 12:31 PM
To: Vinay K Nallamothu; BSingh@Nomadix.com
Cc: msiler@hcin.net; ipsec@lists.tislabs.com
Subject: Re: IPSec Passthrough

Hi,
   These are the ways to run an IPSEC tunnel between two SGs with
   Firewalls/NATs in between the security gateways.

   1. L2TP over IPSEC (rfc3193): It works well and is very useful
       to provide remote access for VPN clients. As you may be aware,
       WINXP/WIN2000 come with a built-in client.
       Microsoft also provides free client software for WIN98.
       More and more vendors are supporting LNS with IPSEC.

        Disadvantage: More bandwidth is used.

  2. IPSEC NAT Traversal:
       There is much less penalty on bandwidth compared to L2TP over IPSEC
       (use v2 onwards). Most of the vendors support this feature and it is
       interoperable.

  3. NAT boxes having ESP/IKE intelligence:
      In this case, there is no bandwidth penalty. But there are some
      disadvantages with this:
          A. Can't expect this intelligence to be there in all NAT boxes.
          B. Though many clients can establish tunnels with the corp.
               gateway, until the tunnel is established in both ways, other
               clients can't connect to the same peer.

Srini
Intoto Inc. 
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
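The limitation described under option 3.B above (an ESP-aware NAT can only learn which inside host a new inbound SPI belongs to while a single host is waiting for its reply SA, so a second client cannot start a tunnel to the same peer until the first is up in both directions), as an added toy model. This is not code from the thread or from any vendor's product; the class names, addresses and SPIs are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class EspPacket:
    src: str  # IP source
    dst: str  # IP destination
    spi: int  # ESP SPI; names the receiver's inbound SA

@dataclass
class EspAwareNat:
    """Toy SPI-tracking NAT (constructed; not any real product's logic)."""
    public_ip: str
    outbound: dict = field(default_factory=dict)  # (peer, spi) -> inside host
    inbound: dict = field(default_factory=dict)   # (peer, spi) -> inside host
    pending: dict = field(default_factory=dict)   # peer -> host awaiting reply SA

    def outbound_packet(self, pkt):
        """Inside -> outside. Returns the translated packet, or None if refused."""
        peer, key = pkt.dst, (pkt.dst, pkt.spi)
        if key not in self.outbound:
            if peer in self.pending and self.pending[peer] != pkt.src:
                # Another inside host is still waiting for its reverse SA from
                # this peer; the NAT could not tell whose the next reply SPI is.
                return None
            self.outbound[key] = pkt.src
            self.pending[peer] = pkt.src
        return EspPacket(self.public_ip, peer, pkt.spi)

    def inbound_packet(self, pkt):
        """Outside -> inside. Returns the translated packet, or None if dropped."""
        peer, key = pkt.src, (pkt.src, pkt.spi)
        host = self.inbound.get(key)
        if host is None:
            host = self.pending.pop(peer, None)  # first reply: learn reverse SA
            if host is None:
                return None  # unknown SPI and nobody waiting: drop
            self.inbound[key] = host
        return EspPacket(peer, host, pkt.spi)

def demo(nat_ip="203.0.113.1", gw="198.51.100.7"):
    """Two inside hosts bring up tunnels to the same gateway (constructed IPs)."""
    nat = EspAwareNat(nat_ip)
    steps = [
        nat.outbound_packet(EspPacket("10.0.0.2", gw, 0x1001)),  # host A starts
        nat.outbound_packet(EspPacket("10.0.0.3", gw, 0x2002)),  # host B refused
        nat.inbound_packet(EspPacket(gw, nat_ip, 0xAAAA)),       # A's reverse SA
        nat.outbound_packet(EspPacket("10.0.0.3", gw, 0x2002)),  # B now allowed
        nat.inbound_packet(EspPacket(gw, nat_ip, 0xBBBB)),       # B's reverse SA
    ]
    return steps
```

The second entry of `demo()` is `None`: host B's first attempt is refused until host A's tunnel is up in both directions, which is exactly the serialization that option 3.B describes.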
----- Original Message ----- 
From: "Vinay K Nallamothu" <vinay-rc@naturesoft.net>
To: <BSingh@Nomadix.com>
Cc: <msiler@hcin.net>; <ipsec@lists.tislabs.com>
Sent: Thursday, May 01, 2003 11:09 PM
Subject: RE: IPSec Passthrough


> On Thu, 2003-05-01 at 23:44, BSingh@Nomadix.com wrote:
> > server. It is dependent on the server implementation to distinguish 2
> > different connections coming from the same IP address (of the NAT
> > device) and is not a very reliable method of doing things..
> What tricks were used by the NAT-T unaware IPsec gateways?
> 
> A few mechanisms I could imagine the IPsec gateways did:
> 1. Use L2TP over IPsec and tie (using firewall rules) the PPP/L2TP
> assigned IP address to the IPsec SA.
> 
> 2. Do some sort of (static?) NAT (again using firewall) on the packets
> coming out an SA so that the packets on the reverse path can be reliably
> channeled to the correct SA.
> 
> Any better ways of doing that?
> 
> vinay