?
Solved

Does NAT break IPSec?

Posted on 2009-04-08
3
Medium Priority
?
402 Views
Last Modified: 2012-05-06
I am trying to find a way to securely handle Microsoft Active Directory replication as well as other Microsoft networking traffic between 2 Windows Server 2003 systems.  Ordinarily I would set up a site to site VPN using SonicWall or NetGear devices.  However, I can't in this situation because one of my servers is a virtual server that is hosted at Triple8 networks.  Thus, I have no way of deploying my own hardware based VPN.

I thought the best way to do this would be to set up IPSec Rules and Security Associations to handle all traffic between the 2 systems.  When the policies and rules are disabled, I can successfully ping back and forth between the 2 systems which tells me that I have successfully set up the firewall rules on the side that I can control.

When I enable the policies and launch ping from the command prompt, I just see the message NEGOTIATING SECURITY over and over.  When I examine the logs on both sides, I see several 541, 542, and 543 messages indicating successful starting and ending of security associations.  I have actually tried numerous systems including Windows XP with different firewalls and networks and observed similar results.

The only system with its own direct public ip address is my virtual server at Triple 8.  The other systems that I have tried are all behind firewalls and are NAT'd.

Any thoughts as to why I cannot get this to actually work? Is there a better way to accomplish my goal?

Thank you,

Angela
0
Comment
Question by:amozart
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 4

Accepted Solution

by:
dj_relentless earned 500 total points
ID: 24104530
It can work from behind nat but not all nat's are equal. I've seen to work and not work depending on the hardware.
So in your situation you could put a test server on the dmz of your network and test it. Then at least you will know which side is causing the problem.
0
 
LVL 4

Assisted Solution

by:StefanKittel
StefanKittel earned 500 total points
ID: 24104630
Hello,

in general NAT modifies the destination and/or source of the packet so IPSec throws the packet away because it is modified.
Many NAT-router have a IPSEC-passthrough. But not all and not for all situations.

Because you can't remove or modify the NAT-Router your possibilites are limited.

May be you can use a different vpn software to connect. maybe openvpn.

Stefan
0

Featured Post

Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup" or a blinking cursor with black screen. A loop for Auto repair will start but fix nothing.  You will be panic as there are no back…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question