Date: Mon, 14 Aug 2006 12:19:30 -0600
From: "Jeff Norris" <jeff@norristechs.net>
To: Jeff at NorrisTechs <jeff@norristechs.net>, Brian Candler <B.Candler@pobox.com>
Cc: freebsd-isp@freebsd.org
Subject: Re: VPN through NAT?
Message-ID: <200608141219.AA2031742@mail.norristechs.net>
Brian,

IPSEC NAT traversal uses UDP 4500? Whose implementation? Cisco, Nortel, BSD? I believe 4500 is Cisco's way of doing it, but not all IPSEC VPN clients are the same. I use one that uses UDP port 10000 for NAT traversal.

Cheers

---------- Original Message ----------------------------------
From: Brian Candler <B.Candler@pobox.com>
Date: Mon, 14 Aug 2006 13:30:17 +0100

>On Sun, Aug 13, 2006 at 06:28:33PM -0600, Jeff at NorrisTechs wrote:
>> I assume you have TCP port 1723 forwarding from the internet/dmz to the
>> PPTP host? That should be enough for most PPTP based VPN clients.
>>
>> It can be difficult with IPSEC as you have to forward UDP 500,
>> Protocol 50 and Protocol 51 to / from the VPN client from your NAT router.
>
>If the *clients* are behind NAT, when running IPSEC there should be nothing
>to do.
>
>IPSEC uses UDP 500 (outbound) to start the key exchange, detects NAT, and
>then switches to UDP 4500 for IPSEC NAT traversal. It also sends NAT
>keepalive packets every 20 seconds by default.
>
>So if you have a NAT-aware IPSEC client, it should work with any old NAT
>firewall without any config changes on that firewall, as long as it allows
>outbound connections. It was designed to work in hotels etc.
>
>Microsoft's L2TP over IPSEC works just fine for this (with Win2K you need to
>install a NAT traversal patch). I've no idea about PPTP though. I don't use
>it, as it's generally considered insecure compared with IPSEC.
>
>I believe some routers have a "PPTP passthrough" mode, which you could try
>turning on (or off) to see if it fixes the problem.
>
>Regards,
>
>Brian.
>_______________________________________________
>freebsd-isp@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>

________________________________________________________________
Sent via the WebMail system at mail.norristechs.net
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200608141219.AA2031742>
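The NAT-traversal mechanics Brian describes in the quoted reply (IKE on UDP 500, NAT detection, then a switch to UDP 4500 with periodic keepalives) are standardised in RFC 3947 (IKEv1 NAT-D payloads) and RFC 3948 (UDP-encapsulated ESP). The script below is an added worked example written for this thread; it is not code from either poster or from any of the VPN products mentioned. It demultiplexes the three kinds of datagram that share UDP/4500 and shows how a NAT-D hash mismatch tells the gateway that the client's address was rewritten. The cookies, addresses and packets are constructed by hand, and SHA-1 stands in for whatever hash the IKE SA actually negotiated.

```python
"""
IPsec NAT-Traversal on the wire: demultiplexing UDP/4500 (RFC 3948) and the
IKEv1 NAT-D check (RFC 3947) by which a peer discovers it sits behind a NAT.
Sample packets and cookies are constructed for this example, not captured.
"""
import hashlib
import ipaddress
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # four zero bytes in front of IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"               # one-byte keepalive datagram (RFC 3948 sec. 2.2)
# Fixed 28-byte ISAKMP header: CKY-I, CKY-R, next payload, version,
# exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


def parse_isakmp_header(data: bytes) -> dict:
    """Decode the ISAKMP header that starts every IKE message."""
    cky_i, cky_r, nxt, ver, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    return {"cky_i": cky_i, "cky_r": cky_r, "next_payload": nxt,
            "version": ver, "exchange": xchg, "flags": flags,
            "message_id": msg_id, "length": length}


def classify_udp4500(payload: bytes) -> str:
    """Tell keepalive, IKE and UDP-encapsulated ESP apart on port 4500.

    ESP starts with its SPI, which is never zero, so a leading zero marker
    unambiguously announces an IKE message behind it.
    """
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike" if len(payload) >= 4 + ISAKMP_HDR.size else "malformed"
    if len(payload) >= 8:          # SPI (4) + sequence number (4) at minimum
        return "esp"
    return "malformed"


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload content: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 sec. 3.2.
    SHA-1 is assumed here; a real exchange uses the negotiated IKE hash."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def nat_detected(peer_nat_d: bytes, cky_i: bytes, cky_r: bytes,
                 observed_ip: str, observed_port: int) -> bool:
    """The sender hashes the address it believes it has; the receiver hashes
    the source address it actually sees. A mismatch means a NAT rewrote it."""
    return peer_nat_d != nat_d_hash(cky_i, cky_r, observed_ip, observed_port)


def ike_port_after_phase1(nat_found: bool) -> int:
    """Port the rest of the exchange moves to once NAT-D has been evaluated."""
    return 4500 if nat_found else 500


# --- constructed sample data (assumed values, not real traffic) -------------
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
CLIENT_PRIVATE = ("192.168.1.10", 500)   # how the client sees itself behind the NAT
CLIENT_AS_SEEN = ("203.0.113.5", 41234)  # source IP/port after the NAT rewrote them

# Main Mode (exchange type 2) header with SA (1) as next payload, header-only.
SAMPLE_IKE = NON_ESP_MARKER + ISAKMP_HDR.pack(
    CKY_I, CKY_R, 1, 0x10, 2, 0, 0, ISAKMP_HDR.size)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\x00" * 16  # SPI, seq, ciphertext
SAMPLE_KEEPALIVE = NAT_KEEPALIVE


def demo() -> dict:
    """Run the gateway's side: classify traffic, evaluate NAT-D, pick the port."""
    client_nat_d = nat_d_hash(CKY_I, CKY_R, *CLIENT_PRIVATE)  # what the client sent
    found = nat_detected(client_nat_d, CKY_I, CKY_R, *CLIENT_AS_SEEN)
    return {
        "packets": [classify_udp4500(p) for p in (SAMPLE_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP)],
        "nat_detected": found,
        "port": ike_port_after_phase1(found),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from this. Because ESP is carried inside UDP once NAT is detected, the gateway side only needs UDP 500 and UDP 4500 open for NAT-T clients; raw protocol 50/51 forwarding only matters for peers that are not behind a NAT. And the one-byte 0xFF keepalives exist purely to keep the NAT's UDP mapping alive between ESP packets, so a firewall that drops "odd" one-byte datagrams will see tunnels silently die after the NAT idle timeout.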