Re: Re: VPN ACROSS PIX

From: d.vndkshn@verizon.net
Date: Tue Jan 14 2003 - 19:00:03 GMT-3


I think you are misunderstanding what my message was.

As it was explained to me, the largest reason to run IPSEC over TCP is when the client is behind a PAT firewall (multiple client addresses translated into another address based upon ports, so multiple clients can share the same external IP).

Historically, this has not worked due to the originating (client side) firewall. I do not know if this is being fixed. The issue I was mentioning is that the PIX will not terminate an IPSEC over TCP session; the PIX currently can only terminate IPSEC over UDP sessions. The ability to terminate IPSEC over TCP will be in version 6.3.

I also agree that the typical solution, and potentially the more ideal solution due to overhead, is the UDP VPN. My understanding is the TCP based VPNs are to take care of special situations.

>
> From: Bill Cooley <wcooley@yahoo.com>
> Date: 2003/01/14 Tue PM 02:17:00 CST
> To: Jim Terry <jtixthus@attbi.com>, d.vndkshn@verizon.net,
> ccielab@groupstudy.com
> Subject: Re: Re: VPN ACROSS PIX
>
> If anyone cares, Nortel does UDP encapsulation of
> IPSEC. Seems to make more sense than TCP
> encapsulation. Most VPN's are slow enough without more
> overhead. I would like to see Cisco support this as
> well.
>
> Bill C.
> --- Jim Terry <jtixthus@attbi.com> wrote:
> > You have to use IPSEC wrapped in TCP if you want to
> > have a VPN tunnel go
> > thru PAT. It does not matter if the remote client
> > is behind a firewall or
> > not. the big thing is if the tunnel destination on
> > your central site is on
> > your protected network and you have PAT on your FW.
> > If you want to
> > terminate the tunnel on the PIX you are okay. This
> > comes into play when you
> > want to terminate the tunnel on the inside of your
> > network. Most cheap home
> > FW allow PAT pass through but Cisco does not. If
> > this will be allowed in
> > 6.3 that is cool.
> >
> > JT
> >
> > ----- Original Message -----
> > From: <d.vndkshn@verizon.net>
> > To: "Sam Munzani" <sam@munzani.com>; "kurt kruegel"
> > <kurt@cybernex.net>
> > Cc: "???Roger" <roger@sysage.com.cn>;
> > <ccielab@groupstudy.com>
> > Sent: Monday, January 13, 2003 9:34 PM
> > Subject: Re: Re: VPN ACROSS PIX
> >
> >
> > > Not sure if the original intention was to do this or not, but had an
> > > interesting conversation with Cisco today regarding VPNs and the PIX.
> > >
> > > The meat of the issue that potentially applies to this thread:
> > >
> > > Currently, IPSEC over TCP is only supported with their Unity client, and
> > > is not supported at all on the PIX, forcing the use of a VPN concentrator.
> > > However, PIX 6.3 is due out in June (again, per Cisco) which will support
> > > IPSEC over TCP.
> > >
> > > While not a VPN guru, my understanding for the need to support IPSEC over
> > > TCP occurs when the client end is behind a firewall (not the PIX that the
> > > IPSEC will terminate to). That sound correct to everyone?
> > >
> > >
> > >
> > >
> > > >
> > > > From: "Sam Munzani" <sam@munzani.com>
> > > > Date: 2003/01/07 Tue PM 02:49:44 CST
> > > > To: "kurt kruegel" <kurt@cybernex.net>
> > > > CC: "???Roger" <roger@sysage.com.cn>,
> > <ccielab@groupstudy.com>
> > > > Subject: Re: VPN ACROSS PIX
> > > >
> > > > My post was, for IPSEC standard it will not work with PAT. VPN 3030 is
> > > > a different animal and uses NAT-T on top of the IPSEC standard RFC. If
> > > > you use any standards-based IPSEC client for VPN (e.g. Safenet) it will
> > > > not work with PAT for sure.
> > > >
> > > > Sam
> > > >
> > > > > hmmmm i've been using ipsec/nat over udp/10000 on a 3030
> > > > > we've only opened udp/500 for ike and udp/1000 for nat-t in our dmz
> > > > > my pix 501 is behind my dsl and works like a charm
> > > > > i can even run 2 vpn sessions with 3.6.3 client
> > > > > i believe udp/10000 was the default and you had to configure manual
> > > > > ipsec/tcp in the client
> > > > > i think they've begun to tinker with a nat-t autodetect as well.
> > > > >
> > > > > Sam Munzani wrote:
> > > > >
> > > > > > Look at the link below.
> > > > > >
> > > > > > http://www.cisco.com/en/US/products/sw/secursw/ps2276/products_configuration_example09186a008010edf4.shtml
> > > > > >
> > > > > > Currently they support only Cisco Unity client with VPN
> > > > > > concentrators for NAT-T.
> > > > > >
> > > > > > Sam
> > > > > > > what about ipsec/nat traversal ?
> > > > > > > works fine on my 501
> > > > > > >
> > > > > > > Sam Munzani wrote:
> > > > > > >
> > > > > > > > correct,
> > > > > > > > And
> > > > > > > > access-list 23 permit esp any host VPN-CLIENT
> > > > > > > > Then
> > > > > > > > static (inside, outside) legal-ip vpn-client-lan-ip
> > > > > > > >
> > > > > > > > This should do it.
> > > > > > > >
> > > > > > > > Sam
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "???Roger" <roger@sysage.com.cn>
> > > > > > > > To: "Sam Munzani" <sam@munzani.com>; <ccielab@groupstudy.com>
> > > > > > > > Sent: Monday, January 06, 2003 7:43 PM
> > > > > > > > Subject: Re: VPN ACROSS PIX
> > > > > > > >
> > > > > > > > You mean that I should use the command:
> > > > > > > > ''access-list 23 permit udp any host (vpn client) eq 500
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Sam Munzani [mailto:sam@munzani.com]
> > > > > > > > Sent: January 7, 2003 9:35
> > > > > > > > To: ???Roger; ccielab@groupstudy.com
> > > > > > > > Subject: Re: VPN ACROSS PIX
> > > > > > > >
> > > > > > > > You can do ipsec vpn 3 different ways.
> > > > > > > > 1. ESP (Encapsulating Security Payload). This method encrypts the
> > > > > > > > payload only, not the header.
> > > > > > > > 2. AH (Authentication Header). This method doesn't encrypt the
> > > > > > > > payload but generates a hash for the full packet. This method does
> > > > > > > > not work with NAT.
> > > > > > > > 3. ESP & AH both.
> > > > > > > >
> > > > > > > > All the methods of IPSEC don't work with PAT. Only method 1 works
> > > > > > > > with 1 to 1 NAT. For that to work properly you need to open up
> > > > > > > > Protocol ESP and UDP/500 (if you are doing isakmp).
> > > > > > > >
> > > > > > > > Sam
> > > > > > > >
> > > > > > > > Hi sam
> > > > > > > > Because I am so poor in vpn, can you tell me more about why to open
> > > > > > > > up inbound ESP, and why vpn uses udp/500 not tcp?
> > > > > > > > What does "inbound ESP" mean?
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Sam Munzani [mailto:sam@munzani.com]
> > > > > > > > Sent: January 6, 2003 23:03
> > > > > > > > To: ???Roger; ccielab@groupstudy.com
> > > > > > > > Subject: Re: VPN ACROSS PIX
> > > > > > > >
> > > > > > > > VPN client does not work when you do PAT. If you are already doing
> > > > > > > > NAT, open up inbound ESP, UDP/500 and you would be fine.
> > > > > > > >
> > > > > > > > Sam Munzani
> > > > > > > > CCIE # 6479 (R&S, Security)
> > > > > > > >
> > > > > > > > >
> > > > > > > > > I want to configure a vpn client (win2000/win98) to connect to a
> > > > > > > > > VPN gateway (win2000 server) across a pix515e(ur).
> > > > > > > > > I tried to do it, but I failed. What should I do on the pix? How
> > > > > > > > > do I config the pix 515e?
> > > > > > > > >
> > > > > > > > > Vpn client (win2000/win98)--------**PIX515e----------------------**vpn
> > > > > > > > > gateway (win2000 server)
> > > > > > > > >
> > > > > > > > > Pix configure
> > > > > > > > > PIX Version 6.2(2)
> > > > > > > > > nameif ethernet0 outside security0
> > > > > > > > > nameif ethernet1 inside security100
> > > > > > > > > enable password fmAN7Xt.r3eoK4vC encrypted
> > > > > > > > > passwd aXha9uJboq3B.Dje encrypted
> > > > > > > > > hostname pixfirewall
> > > > > > > > > fixup protocol ftp 21
> > > > > > > > > fixup protocol http 80
> > > > > > > > > fixup protocol h323 h225 1720
> > > > > > > > > fixup protocol h323 ras 1718-1719
> > > > > > > > > fixup protocol ils 389
> >
> === message truncated ===
>
>
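To make concrete the points Sam Munzani raises in the quoted thread (AH's hash breaks under NAT, ESP survives 1:1 NAT but has no ports for PAT to key on, and UDP encapsulation such as the 3030's udp/10000 supplies them), here is an added toy model in Python. It is not code from anyone on the list; the addresses, key and port-allocation scheme are constructed, and the ICV functions are a simplification, not a real IPsec implementation.

```python
"""Toy model (constructed for this thread, not a real IPsec stack): AH breaks
under NAT, ESP survives 1:1 NAT, and only UDP-encapsulated ESP gets through
PAT, because PAT needs a transport port to key its translation table on."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

KEY = b"constructed-demo-key"          # shared SA key (constructed value)
CLIENT, PUBLIC, GATEWAY = "10.1.1.5", "203.0.113.9", "198.51.100.2"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: Optional[int]                # only the UDP wrapper carries a port
    payload: bytes

def ah_icv(p: Packet) -> bytes:
    """AH's hash covers the IP addresses as well, so any NAT invalidates it."""
    return hmac.new(KEY, f"{p.src}>{p.dst}".encode() + p.payload, hashlib.sha256).digest()

def esp_icv(p: Packet) -> bytes:
    """ESP's integrity check covers only the ESP payload, not the outer IP header."""
    return hmac.new(KEY, p.payload, hashlib.sha256).digest()

def one_to_one_nat(p: Packet) -> Packet:
    """Static 1:1 NAT: rewrite the source address and touch nothing else."""
    return replace(p, src=PUBLIC)

def survives_1to1_nat(p: Packet, icv_fn) -> bool:
    """The receiver recomputes the ICV after translation; True if it still matches."""
    return hmac.compare_digest(icv_fn(p), icv_fn(one_to_one_nat(p)))

def pat(p: Packet, table: dict) -> Optional[Packet]:
    """PAT shares one public IP by rewriting source ports; no port, no table entry."""
    if p.sport is None:
        return None                     # raw ESP/AH: PAT has nothing to multiplex on
    public_port = 40000 + len(table)
    table[(PUBLIC, public_port)] = (p.src, p.sport)   # reverse mapping for replies
    return replace(p, src=PUBLIC, sport=public_port)

def traverses_pat(p: Packet) -> bool:
    return pat(p, {}) is not None

# Constructed sample packets: raw AH, raw ESP, and ESP wrapped in UDP/10000
# (the port the thread mentions for the 3030's IPsec-over-UDP encapsulation).
AH_PKT = Packet(CLIENT, GATEWAY, None, b"inner packet")
ESP_PKT = Packet(CLIENT, GATEWAY, None, b"encrypted inner packet")
UDP_PKT = Packet(CLIENT, GATEWAY, 10000, ESP_PKT.payload)
```

Running `survives_1to1_nat` on the AH and ESP packets and `traverses_pat` on the ESP and UDP packets reproduces the thread's conclusion: only ESP passes 1:1 NAT, and only the UDP-wrapped form passes PAT.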



This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:49 GMT-3