From: Bill Cooley (wcooley@yahoo.com)
Date: Tue Jan 14 2003 - 17:17:00 GMT-3
If anyone cares, Nortel does UDP encapsulation of
IPSEC. Seems to make more sense than TCP
encapsulation. Most VPN's are slow enough without more
overhead. I would like to see Cisco support this as
well.
Bill C.
--- Jim Terry <jtixthus@attbi.com> wrote:
> You have to use IPSEC wrapped in TCP if you want to have a VPN tunnel go
> thru PAT. It does not matter if the remote client is behind a firewall or
> not. The big thing is if the tunnel destination on your central site is on
> your protected network and you have PAT on your FW. If you want to
> terminate the tunnel on the PIX you are okay. This comes into play when you
> want to terminate the tunnel on the inside of your network. Most cheap home
> FW allow PAT pass through but Cisco does not. If this will be allowed in
> 6.3 that is cool.
>
> JT
>
> ----- Original Message -----
> From: <d.vndkshn@verizon.net>
> To: "Sam Munzani" <sam@munzani.com>; "kurt kruegel" <kurt@cybernex.net>
> Cc: "???Roger" <roger@sysage.com.cn>; <ccielab@groupstudy.com>
> Sent: Monday, January 13, 2003 9:34 PM
> Subject: Re: Re: VPN ACROSS PIX
>
>
> > Not sure if the original intention was to do this or not, but had an
> > interesting conversation with Cisco today regarding VPNs and the PIX.
> >
> > The meat of the issue that potentially applies to this thread:
> >
> > Currently, IPSEC over TCP is only supported with their Unity client, and
> > is not supported at all on the PIX, forcing the use of a VPN concentrator.
> > However, PIX 6.3 is due out in June (again, per Cisco) which will support
> > IPSEC over TCP.
> >
> > While not a VPN guru, my understanding for the need to support IPSEC over
> > TCP occurs when the client end is behind a firewall (not the PIX that the
> > IPSEC will terminate to). Does that sound correct to everyone?
> >
> >
> >
> >
> > >
> > > From: "Sam Munzani" <sam@munzani.com>
> > > Date: 2003/01/07 Tue PM 02:49:44 CST
> > > To: "kurt kruegel" <kurt@cybernex.net>
> > > CC: "???Roger" <roger@sysage.com.cn>, <ccielab@groupstudy.com>
> > > Subject: Re: VPN ACROSS PIX
> > >
> > > My post was, for IPSEC standard it will not work with PAT. VPN 3030 is a
> > > different animal and uses NAT-T on top of the IPSEC standard RFC. If you
> > > use any standard based IPSEC client for VPN (e.g. Safenet) it will not
> > > work with PAT for sure.
> > >
> > > Sam
> > >
> > > > hmmmm i've been using ipsec/nat over udp/10000 on a 3030
> > > > we've only opened udp/500 for ike and udp/1000 for nat-t in our dmz
> > > > my pix 501 is behind my dsl and works like a charm
> > > > i can even run 2 vpn sessions with 3.6.3 client
> > > > i believe udp/10000 was the default and you had to configure manual
> > > > ipsec/tcp in the client
> > > > i think they've begun to tinker with a nat-t autodetect as well.
> > > >
> > > > Sam Munzani wrote:
> > > >
> > > > > Look at the link below.
> > > > >
> > > > > http://www.cisco.com/en/US/products/sw/secursw/ps2276/products_configuration_example09186a008010edf4.shtml
> > > > >
> > > > > Currently they support only Cisco Unity client with VPN
> > > > > concentrators for NAT-T.
> > > > >
> > > > > Sam
> > > > > > what about ipsec/nat traversal ?
> > > > > > works fine on my 501
> > > > > >
> > > > > > Sam Munzani wrote:
> > > > > >
> > > > > > > correct,
> > > > > > > And
> > > > > > > access-list 23 permit esp any host VPN-CLIENT
> > > > > > > Then
> > > > > > > static (inside, outside) legal-ip vpn-client-lan-ip
> > > > > > >
> > > > > > > This should do it.
> > > > > > >
> > > > > > > Sam
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "???Roger" <roger@sysage.com.cn>
> > > > > > > To: "Sam Munzani" <sam@munzani.com>; <ccielab@groupstudy.com>
> > > > > > > Sent: Monday, January 06, 2003 7:43 PM
> > > > > > > Subject: Re: VPN ACROSS PIX
> > > > > > >
> > > > > > > You mean that I should use the command: access-list 23 permit
> > > > > > > udp any host (vpn client) eq 500
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Sam Munzani [mailto:sam@munzani.com]
> > > > > > > Sent: January 7, 2003 9:35
> > > > > > > To: ???Roger; ccielab@groupstudy.com
> > > > > > > Subject: Re: VPN ACROSS PIX
> > > > > > >
> > > > > > > You can do ipsec vpn 3 different ways.
> > > > > > > 1. ESP (Encapsulated Security Payload). This method encrypts
> > > > > > > payload only, not header.
> > > > > > > 2. AH (Authentication Header). This method doesn't encrypt
> > > > > > > payload but generates a hash for full packet. This method does
> > > > > > > not work with NAT.
> > > > > > > 3. ESP & AH both.
> > > > > > >
> > > > > > > All the methods of IPSEC don't work with PAT. Only method 1
> > > > > > > works with 1 to 1 NAT. For that to work properly you need to
> > > > > > > open up Protocol ESP and UDP/500 (if you are doing isakmp).
> > > > > > >
> > > > > > > Sam
> > > > > > >
> > > > > > > Hi Sam
> > > > > > > because I am so poor in vpn can you tell me more about why to
> > > > > > > open up inbound ESP and why vpn uses udp/500 not tcp
> > > > > > > "inbound ESP" what does it mean;
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Sam Munzani [mailto:sam@munzani.com]
> > > > > > > Sent: January 6, 2003 23:03
> > > > > > > To: ???Roger; ccielab@groupstudy.com
> > > > > > > Subject: Re: VPN ACROSS PIX
> > > > > > >
> > > > > > > VPN client does not work when you do PAT. If you are already
> > > > > > > doing NAT, open up inbound ESP, UDP/500 and you would be fine.
> > > > > > >
> > > > > > > Sam Munzani
> > > > > > > CCIE # 6479 (R&S, Security)
> > > > > > >
> > > > > > > >
> > > > > > > > I want to configure vpn client (win2000/win98) to connect to a
> > > > > > > > VPN gateway (win2000 server) across pix515e(ur)
> > > > > > > > I try to do it! But I fail. What should I do in pix? How to
> > > > > > > > config pix 515e
> > > > > > > >
> > > > > > > > Vpn client (win2000/win98)--------**PIX515e----------------------**vpn
> > > > > > > > gateway (win2000 server)
> > > > > > > >
> > > > > > > > Pix configure
> > > > > > > > PIX Version 6.2(2)
> > > > > > > > nameif ethernet0 outside security0
> > > > > > > > nameif ethernet1 inside security100
> > > > > > > > enable password fmAN7Xt.r3eoK4vC encrypted
> > > > > > > > passwd aXha9uJboq3B.Dje encrypted
> > > > > > > > hostname pixfirewall
> > > > > > > > fixup protocol ftp 21
> > > > > > > > fixup protocol http 80
> > > > > > > > fixup protocol h323 h225 1720
> > > > > > > > fixup protocol h323 ras 1718-1719
> > > > > > > > fixup protocol ils 389
>
=== message truncated ===
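Sam's three-method summary in the thread (AH breaks under any NAT, bare ESP survives 1:1 NAT but not PAT) and Kurt's note that the 3030 gets through by carrying IPsec inside UDP are easiest to see in a toy model. The following Python is an added example, not code from this thread or from Cisco: the packet structures, SA key and addresses are constructed, and simplified HMACs stand in for real AH/ESP integrity processing.

```python
import hashlib
import hmac

# Constructed demo key for the IPsec SA; a real SA key is negotiated by IKE.
SA_KEY = b"constructed-demo-sa-key"
PROTO_ESP, PROTO_AH, PROTO_UDP, PROTO_TCP = 50, 51, 17, 6
NAT_T_PORT = 4500  # standard NAT-T port (RFC 3948); the thread's 3030 used Cisco's udp/10000

def ip_header(src, dst, proto, ttl=64):
    """Toy IPv4 header holding only the fields this demo needs."""
    return {"src": src, "dst": dst, "proto": proto, "ttl": ttl}

def ah_icv(hdr, payload):
    """AH integrity value: HMAC over the packet with only the mutable fields
    (here TTL) zeroed, so the source and destination addresses are covered."""
    covered = f"{hdr['src']}|{hdr['dst']}|{hdr['proto']}|ttl=0|".encode() + payload
    return hmac.new(SA_KEY, covered, hashlib.sha256).digest()[:12]

def ah_verify(hdr, payload, icv):
    return hmac.compare_digest(ah_icv(hdr, payload), icv)

def esp_icv(esp_body):
    """ESP integrity value covers only the ESP header and encrypted payload,
    never the outer IP addresses, so a 1:1 NAT address rewrite cannot break it."""
    return hmac.new(SA_KEY, esp_body, hashlib.sha256).digest()[:12]

def nat_rewrite_src(hdr, public_ip):
    """What any NAT device does on the way out: swap the source address and
    decrement TTL. Under AH this invalidates the ICV; under ESP it does not."""
    return {**hdr, "src": public_ip, "ttl": hdr["ttl"] - 1}

def pat_mapping(hdr, l4):
    """PAT must track a (proto, source port) pair per inside host. Bare ESP
    carries an SPI but no port, so PAT has nothing to map and returns None."""
    if hdr["proto"] in (PROTO_UDP, PROTO_TCP) and "sport" in l4:
        return (hdr["proto"], l4["sport"])
    return None

def nat_t_encapsulate(hdr, esp_body):
    """NAT-T: carry the ESP packet inside UDP so PAT has a port to translate."""
    udp = {"sport": NAT_T_PORT, "dport": NAT_T_PORT, "payload": esp_body}
    return {**hdr, "proto": PROTO_UDP}, udp
```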
This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:49 GMT-3