Real Time Ascend Mailing List Archive
Re: (ASCEND)IPSEC over NAT for Pipe75
On 22 August 1999, Matt Holdrege <matt@ascend.com> wrote:
> At 01:13 PM 8/20/99 +0200, Thomas Falk Claezon wrote:
> >IPSEC's job is to make packets unintelligible and unalterable, and NAT
> >relies on being able to understand packets and make helpful modifications
> >to them en route. Because of this IPSEC and NAT don't coexist very well.
> >
> >However, if I have got it right, there are circumstances when you can use
> >IPSEC ESP over NAT (but currently not when using a Pipe75 and single
> >IP NAT), IPSEC AH can not be used over a NATed connection.
>
> We've had a special reverse tunnel NAT which allows IPsec to work through
> NAT on a Pipeline for a while now. It requires Secure Access and is
> configured from the Secure Access Manager. See the Secure Access Manager's
> manual for more info.
I find RTNAT to be a nice feature, after a quick reading of Secure
Connect Manager's manual, but isn't it only for IPSEC tunnels that use the
pipeline as a tunnel endpoint server (and only with Ascend HW/SW at
both ends)?
We want to use different IPSEC clients on workstations on the SOHO LAN, using
the pipeline (configured for single IP NAT) as gateway to the enterprise
LAN (and its IPSEC access server).
This is a "simplified picture" of what we need:
+-------------------------+
!                         !
!        SOHO LAN         !               +------------------------+
!                         !               !                        !
! (WS with IPSec client)  !               !                        !
!                         !               !                        !
+----------+--------------+               !                        !
           !                              !                        !
  [P75, Single IP NAT]                    !                        !
           !                              !                        !
           !                              !                        !
           +----------[ Max 4K ]          !     Enterprise LAN     !
                          !               !                        !
                          !               !                        !
              [Corporate IPSEC Tunnel ]   !                        !
              [     access server     ]   !                        !
                          !               !                        !
                          !               !                        !
                          +---------------+                        !
                                          !                        !
                                          +------------------------+
SOHO WS OS/SW might be:
========================
Solaris
OpenBSD
Linux with FreeSwan
Win 9x/NT with Nortel, Radguard, Timestep etc IPSec client.
Corporate IPSEC Tunnel Access Server might be:
==============================================
OpenBSD
Linux with FreeSwan
Cisco, Nortel, Radguard, Redcreek, Timestep etc..
It would be nice to know if the setup above can work through a P75 (with
single IP NAT), *before* we install a new WS for Secure Connect Manager.
We normally use UNIX (Solaris) or sometimes Linux WS to manage our
pipelines, but Secure Connect Manager isn't available for any of our
network management OSes!
>
> ++ Ascend Users Mailing List ++
> To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
> To get FAQ'd: <http://www.nealis.net/ascend/faq>
Regards Thomas
--
Thomas Falk Claezon ERICSSON, AXE Research and Development
Phone: +46 8 727 34 12 Box 1505
Mobile: +46 70 536 31 01 S-125 25 ALVSJO
Fax: +46 8 647 82 76 SWEDEN
Email: falk@uab.ericsson.se
URL: http://www.elfi.org/~falk/
PGP Public Key: http://www.elfi.org/~falk/PGP.html
PGP Fingerprint: 0E 0F 39 7C 1D C4 7E 2C 66 DB 20 49 9B DB BB 56
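
Added example (not part of the original post, and not Ascend code): a simplified Python model of the point quoted in the message above, that AH's integrity check covers the outer IP source address while ESP's does not. The key, addresses, SPI and payload are constructed; ESP encryption and padding and the IP header checksum are left out.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"   # constructed SA authentication key
IP_FMT = "!BBHHHBBH4s4s"        # 20-byte IPv4 header without options

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build an IPv4 header (header checksum left at 0 for brevity)."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    """Zero the fields AH treats as mutable: TOS, flags/offset, TTL, checksum."""
    v, _tos, tl, ident, _frag, _ttl, proto, _ck, s, d = struct.unpack(IP_FMT, hdr)
    return struct.pack(IP_FMT, v, 0, tl, ident, 0, 0, proto, 0, s, d)

def icv(data):
    """HMAC-SHA1-96: HMAC-SHA1 truncated to 12 bytes."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(ip_hdr, ah_fixed, payload):
    # AH covers the immutable IP header fields, the AH header with its
    # ICV field zeroed, and the upper-layer data.
    return icv(zero_mutable(ip_hdr) + ah_fixed + bytes(12) + payload)

def esp_icv(esp_packet):
    # ESP authentication covers only the ESP packet (SPI, sequence, data).
    return icv(esp_packet)

def nat_rewrite_src(ip_hdr, public_ip):
    """What NAT does to the outer header: replace the source address."""
    return ip_hdr[:12] + socket.inet_aton(public_ip) + ip_hdr[16:]

def survives_nat(kind):
    """Return True if the receiver's ICV check still passes after NAT."""
    payload = b"constructed upper-layer data"
    spi_seq = struct.pack("!II", 0x1000, 1)
    if kind == "ah":
        ah_fixed = struct.pack("!BBH", 6, 4, 0) + spi_seq  # next hdr, len, reserved
        hdr = ipv4_header("192.168.1.10", "203.0.113.5", 51, 24 + len(payload))
        sent = ah_icv(hdr, ah_fixed, payload)
        seen = ah_icv(nat_rewrite_src(hdr, "198.51.100.7"), ah_fixed, payload)
        return hmac.compare_digest(sent, seen)
    esp = spi_seq + payload          # payload stands in for the ciphertext
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", 50, len(esp) + 12)
    sent = esp_icv(esp)
    nat_rewrite_src(hdr, "198.51.100.7")  # outer header changes, ESP bytes do not
    return hmac.compare_digest(sent, esp_icv(esp))

if __name__ == "__main__":
    print("AH  ICV valid after NAT:", survives_nat("ah"))
    print("ESP ICV valid after NAT:", survives_nat("esp"))
```

A valid ESP ICV is only one condition: a NAT that multiplexes several hosts onto one address normally does so by port, and ESP carries no ports for it to use.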