
Box outside firewall?


Spock

Jun 21, 2001, 4:19:02 PM
What I am trying to do looks like this:

cable modem -- [vpn] -- [nat] -- [hub] -- internal network

where [vpn] and [nat] are PCs running Windows NT. [nat] does firewall and
NAT duties, [vpn] terminates an IPSEC (AH) VPN.

This works perfectly if [nat] is connected directly to the internet without
[vpn], but I can't figure out the proper setup once [vpn] is introduced.

I know it is never done this way, but I thought I would try. I need to
terminate an IPSEC VPN before NAT mucks with the headers, and I am having
trouble getting the software to coexist on a single machine. On paper this
setup should work, but when I tried it I couldn't see the internet from
inside my internal network.

Thoughts, references, pointers, ideas, help?

Hansang Bae

Jun 21, 2001, 7:00:37 PM
In article <WEsY6.94289$W02.1...@news1.rdc2.on.home.com>,
sp...@nospam.com says...


Is buying a Linksys broadband router (and others like it) not an option?
My Linksys does IPSec passthru just fine.

--
hsb

"Somehow I imagined this experience would be more rewarding" Calvin
********************************************************************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************

Spock

Jun 21, 2001, 7:38:39 PM
I certainly appreciate all the answers you keep providing, but I don't have
the knowledge to take advantage of them.

I think the Authenticated Header (AH) version of IPSEC is incompatible with
NAT. That is, incoming packets must be decrypted/verified before NAT has a
chance to alter the header, and outgoing packets must be encoded after any
NAT activity in order to be accepted at the other end. The ESP version of
IPSEC does not suffer from this restriction. Or at least this is my
understanding and I hope I have it right.

My simpleminded solution was to physically install a VPN terminator box (in
my case a PC running Windows NT) outside the NAT boundary. Incoming packets
would be decrypted, verified, and forwarded to the NAT box for further
processing. Outgoing packets would have already been NAT'd and would be
ready for encryption.

This clearly meets the requirements, but since nobody ever does this I am
having trouble finding out how to configure the [vpn] box. When I installed
this setup each box was able to see its immediate neighbours but the [nat]
box could no longer see the internet through the [vpn] box. I suspect all
that is required is a small software program or some simple configuration
settings, but I haven't been able to find what they might be.

If you could expand on your suggestion to use a router I would love to hear
more. As long as it does not perform NAT I don't see any trouble passing
packets through it, but I don't understand where you intended it to be
placed in the architecture. I will try anything that works :-)

Thanks again.

"Hansang Bae" <hbae_@_nyc.rr.com.REMOVE_> wrote in message
news:MPG.159c46916...@24.29.99.46...
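Spock's explanation of why AH cannot sit behind a NAT, and why placing the VPN terminator outside the NAT boundary sidesteps the problem, can be shown with a small simulation. The following is an added example written for this page, not code from either poster. It builds a minimal IPv4 header, computes an AH-style integrity check value (ICV) over the immutable header fields plus payload the way RFC 2402 describes, computes an ESP-style ICV over the payload only, and then lets a simulated NAT rewrite the source address before the receiver verifies. The key, addresses and payload are constructed demo values, and the `delivered_ok` helper is hypothetical.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key standing in for the key IKE would negotiate; not a real SA.
DEMO_KEY = b"constructed-demo-key-not-a-real-sa"


def ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 51) -> bytes:
    """Minimal 20-byte IPv4 header. Checksum is left zero; enough for the demo."""
    return (
        bytes([0x45, 0x00])            # version 4, IHL 5, DSCP/ECN
        + (20).to_bytes(2, "big")      # total length (header only)
        + b"\x00\x00" + b"\x40\x00"    # identification, flags (DF) + fragment offset
        + bytes([ttl, proto])          # TTL, protocol (51 = AH, 50 = ESP)
        + b"\x00\x00"                  # header checksum (unset)
        + ipaddress.IPv4Address(src).packed
        + ipaddress.IPv4Address(dst).packed
    )


def ah_covered_bytes(header: bytes) -> bytes:
    """AH authenticates the IP header with mutable fields zeroed (RFC 2402):
    TTL and checksum are zeroed, but source and destination addresses are covered."""
    h = bytearray(header)
    h[8] = 0                  # TTL changes hop by hop
    h[10:12] = b"\x00\x00"    # checksum changes whenever TTL does
    return bytes(h)


def ah_icv(header: bytes, payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """HMAC-SHA1-96 style ICV over the immutable header fields plus payload."""
    mac = hmac.new(key, ah_covered_bytes(header) + payload, hashlib.sha1).digest()
    return mac[:12]


def esp_icv(payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """ESP's ICV covers the ESP header and payload only; the outer IP header is excluded."""
    return hmac.new(key, payload, hashlib.sha1).digest()[:12]


def nat_rewrite_src(header: bytes, new_src: str) -> bytes:
    """What the [nat] box does on the way out: swap the private source for the public one."""
    h = bytearray(header)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)


def delivered_ok(mode: str, through_nat: bool,
                 private_src="192.168.1.10", public_src="203.0.113.5",
                 dst="198.51.100.7") -> bool:
    """Sender computes the ICV, the packet optionally crosses a NAT, the receiver verifies.
    Returns True when the receiver would accept the packet. (Hypothetical helper.)"""
    payload = b"constructed payload bytes"       # stands in for the AH/ESP payload
    sent_hdr = ipv4_header(private_src, dst)
    arrived_hdr = nat_rewrite_src(sent_hdr, public_src) if through_nat else sent_hdr
    if mode == "AH":
        sent_icv = ah_icv(sent_hdr, payload)
        expected = ah_icv(arrived_hdr, payload)  # receiver recomputes over what it sees
    elif mode == "ESP":
        sent_icv = esp_icv(payload)
        expected = esp_icv(payload)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return hmac.compare_digest(sent_icv, expected)


if __name__ == "__main__":
    for mode in ("AH", "ESP"):
        for nat in (False, True):
            print(f"{mode:3} {'through NAT' if nat else 'no NAT     '} -> "
                  f"{'accepted' if delivered_ok(mode, nat) else 'rejected'}")
```

Running it shows AH accepted with no NAT in the path and rejected once the source address is rewritten, while ESP's ICV survives because the outer header is not under the MAC. The `through_nat=False` case is exactly what Spock's placement of [vpn] outside [nat] achieves: the headers the far end authenticates are the ones that left the VPN box. The demo only models the header integrity check; a real NAT still needs a way to track ESP flows, which is a separate matter from the AH incompatibility discussed here.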
