Encrypted IPinIP Tunnels

From: Jason T. Rohm (jtrohm@xxxxxxxxxxxxxxxx)
Date: Fri Dec 15 2000 - 00:15:17 GMT-3

I am having problems with a CET encrypted ip-in-ip tunnel.

The caveat on this tunnel is that it passes through a Pix firewall at which
one of the end-points has a static nat entry. The conduit statement in the
Pix permits all ip-in-ip traffic for the internal end-point as well as icmp,
telnet, and tcp 1964 (key exchange).

 rtr1 --- pix --- rtr2
           ^
          nat

If I disable the crypto map on the tunnel, the tunnel will operate. However,
if I enable the encryption the packets never make it through the firewall (a
debug shows them going out of the routers, but they never arrive at the
other end).

Does the firewall need to modify the payload to perform the NAT operation?
From my interpretation of the IPinIP RFC (2003), it wouldn't seem that it
would need to.

I am not particularly familiar with the PIX configuration. Is there a
restriction on encrypted data through the PIX?

-Jason T. Rohm
 jtrohm@athenet.net

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:26:02 GMT-3