Solved

We set up an IPsec connection using a FortiGate connectoid... and it works fine behind NAT... but will our MS L2TP/IPsec VPN work the same?

Posted on 2006-06-08
6
Medium Priority
363 Views
Last Modified: 2010-03-19
If not, why not? Is there something that the FortiGate may have that the MS solution does not, to make it work with NAT? Thx.
Question by:Sp0cky
6 Comments
 
LVL 13

Expert Comment

by:prashsax
ID: 16862373
It will not work.

The problem with NAT comes about because the NAT device must translate the source address, and might assign a new source port, to maintain a table to be used in routing replies back to the originating host.

Here's what's happening:
The NAT device modifies an outgoing packet by changing the real source address, the address of the sending client, to that of the Internet-routable address provided to the NAT device. When packets from the Internet return to the NAT device, it is able to modify the destination address (which arrives using the Internet-routable address assigned as the source address of the outgoing packet). How does it know the new source address to use? It knows because it keeps a table of source addresses and ports mapped to the assigned source address and ports it replaced in outgoing packets. It is able to match the incoming packets and modify the destination address and port. However, because of the built-in security mechanisms of IPsec, such tampering with the address is not allowed, hence the packets are dropped. This is why a Win2K to Win2K VPN that must pass through a NAT device can only use PPTP.
0
 

Author Comment

by:Sp0cky
ID: 16862454
I am being told this is not an issue when using a pre-shared key without ESP... Is this true?
0
 

Author Comment

by:Sp0cky
ID: 16862479
If IPsec is not NAT-able and PPTP has difficulties passing GRE through service providers and/or more than one client behind NAT, then what good are VPNs? This is confusing.
0
LVL 13

Expert Comment

by:prashsax
ID: 16862570
You can use IPsec with ESP.

This can easily pass through any NAT in between the peers.

0
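The two expert comments above look contradictory (NAT's address rewriting breaks IPsec, yet ESP passes through NAT). The difference is what the integrity check covers: AH authenticates the IP header, so a rewritten source address fails verification, while ESP authenticates only its own header and payload, so the outer address can change freely. The following is an added illustration written for this page, not code from the thread, from Microsoft or from Fortinet. It models the two protocols as simplified structures (real AH/ESP encodings carry an SPI, sequence number and padding, which are left out), and the key, addresses and payload are all constructed values.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key: a real SA's integrity key is negotiated by IKE.
KEY = b"constructed-demo-key-not-a-real-sa-key"
AH_PROTO, ESP_PROTO = 51, 50  # IP protocol numbers for AH and ESP


def icv(data: bytes) -> bytes:
    """Integrity Check Value: HMAC-SHA-256 truncated to 96 bits, the shape
    IPsec integrity algorithms use (simplified: no SPI or sequence number)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]


def ip_header(src: str, dst: str, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header. TTL and checksum are left at zero, which
    is how AH treats mutable fields when computing its ICV; the source and
    destination addresses are immutable fields and therefore ARE covered."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 0, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_ah(src: str, dst: str, payload: bytes) -> dict:
    """AH: the ICV covers the IP header AND the payload."""
    hdr = ip_header(src, dst, AH_PROTO)
    return {"ip": hdr, "payload": payload, "icv": icv(hdr + payload)}


def build_esp(src: str, dst: str, payload: bytes) -> dict:
    """ESP: the ICV covers only the ESP header/payload; the outer IP header
    is not authenticated."""
    hdr = ip_header(src, dst, ESP_PROTO)
    return {"ip": hdr, "payload": payload, "icv": icv(payload)}


def nat_rewrite(pkt: dict, public_src: str) -> dict:
    """What the NAT device does on the way out: swap the private source
    address for its public one. Everything after the IP header is untouched."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt["ip"])
    proto, dst = fields[6], socket.inet_ntoa(fields[9])
    return {**pkt, "ip": ip_header(public_src, dst, proto)}


def receiver_accepts(pkt: dict) -> bool:
    """Peer-side integrity check: recompute the ICV over whatever bytes the
    protocol in the received IP header says are protected, then compare."""
    proto = struct.unpack("!BBHHHBBH4s4s", pkt["ip"])[6]
    if proto == AH_PROTO:
        covered = pkt["ip"] + pkt["payload"]
    elif proto == ESP_PROTO:
        covered = pkt["payload"]
    else:
        return False
    return hmac.compare_digest(icv(covered), pkt["icv"])


def run_demo() -> dict:
    """Send one AH and one ESP packet from a private host through a NAT and
    report which ones the remote peer accepts. All addresses are constructed."""
    private, public, peer = "192.168.1.10", "198.51.100.7", "203.0.113.5"
    payload = b"L2TP control message (constructed)"
    results = {}
    for name, build in (("AH", build_ah), ("ESP", build_esp)):
        direct = build(private, peer, payload)
        natted = nat_rewrite(direct, public)
        results[name] = {"without_nat": receiver_accepts(direct),
                         "behind_nat": receiver_accepts(natted)}
    return results


if __name__ == "__main__":
    for proto, outcome in run_demo().items():
        print(f"{proto}: {outcome}")
```

Running it shows AH accepted only without NAT and ESP accepted in both cases, which is the distinction the two comments are making. One caveat the thread does not cover: ESP carries no TCP/UDP port numbers, so the port-remapping half of the NAT description above has nothing to rewrite. A single client behind the NAT is fine, but a NAT that relies on ports to tell several clients apart cannot multiplex raw ESP; that limitation is what UDP encapsulation of ESP (IPsec NAT Traversal, RFC 3948) exists to solve.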
 
LVL 13

Accepted Solution

by:prashsax (earned 1000 total points)
ID: 16862581
0
 

Author Comment

by:Sp0cky
ID: 16862693
OK. Thank you.
0
