RE: [nsp] Cisco VPN client and NAT

From: Mati Gil (mgil@servicom2000.com)
Date: Wed May 08 2002 - 04:19:15 EDT


You have to use the IPSec over TCP or the IPSec over UDP feature.
- The IPSec over TCP feature is enabled globally
(Configuration->System->Tunneling Protocols->IPSec->IPsec over TCP).
- The IPSec over UDP feature is enabled at the group level (Configuration->User
Management: select your group, enable it under the 'Mode Config' tab).
Once enabled on the VPN 3000, you decide in the VPN Client whether to use it or not:
Options->Properties->Enable Transparent Tunneling, and choose between 'Allow
IPSec over UDP' or 'Use IPSec over TCP'.

Take care that any firewalls in front of your Concentrator let these ports through.

One more thing: if the destination VPN network is also 10.x.x.x, you can get
strange results. To send traffic to any other 10.x.x.x destination over the
VPN, your station will first send an ARP request, because the destination IP
address belongs to its own net (that's layer 2, no IP, so it won't be sent
through the tunnel). If nobody on your local LAN answers it, your IP packets
will never be constructed, so you'll never reach those destinations. You can
add a static ARP entry for any 10.x.x.x destination you want to reach (any MAC
address will work) and your IP packet will then be sent through the tunnel.

If the destination network uses different IP addressing, you'll have no
problem.

Mati

-----Original Message-----
From: Brian Vowell [mailto:brian@digitalix.net]
Sent: Wednesday, 08 May 2002 0:59
To: cisco-nsp@puck.nether.net
Subject: [nsp] Cisco VPN client and NAT

Anyone know how to configure a Cisco VPN client in a private net to pass
through a 2600 router doing NAT to connect to a Cisco VPN Concentrator?

    Cisco VPN Client (10.X.X.X)
            |
    Cisco 2620 (204.X.X.X)
            |
    Cisco VPN Concentrator (207.X.X.X)
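
The overlapping-subnet problem Mati describes (client on a 10.x.x.x LAN, VPN network also 10.x.x.x) comes down to one question the client's IP stack asks for every packet: is the destination inside my own subnet? If yes, the host ARPs for it on the local LAN instead of handing it to the gateway, and the VPN client never sees a packet to encapsulate. The script below is an added example, not code from the thread or from Cisco; it models that on-link versus routed decision, shows that the outcome depends on the client's subnet mask rather than on the first octet alone, and generates the static ARP entries Mati proposes as the workaround. All addresses are constructed for illustration, the placeholder MAC is from the RFC 7042 documentation range, and only the `arp -s` syntax of Windows and Linux is assumed.

```python
"""
Added example, not from the original cisco-nsp thread: a small model of the
on-link vs. routed decision a VPN client host makes when the network behind
the Concentrator overlaps the host's own LAN, plus a generator for the static
ARP entries proposed as a workaround. All addresses and MACs are constructed.
"""
import ipaddress
from typing import Dict, List, Optional

# RFC 7042 reserves 00-00-5E-00-53-xx for documentation. Per the post, any MAC
# works: the frame is intercepted by the VPN client, not delivered to that MAC.
DUMMY_MAC = "00-00-5e-00-53-01"


def next_hop_decision(local_ip: str, prefix: int, dest: str,
                      static_arp: Optional[Dict[str, str]] = None) -> str:
    """How the client's IP stack would try to deliver a packet to `dest`.

    "arp-local"         dest falls inside the host's own subnet, so the stack
                        ARPs for it on the physical LAN; if nobody answers, the
                        IP packet is never built and the tunnel never sees it.
    "static-arp-tunnel" dest is on-link but a static ARP entry exists, so the
                        packet is constructed and the VPN client can grab it.
    "routed"            dest is off-link; it goes towards the default gateway
                        and the VPN client encapsulates it as usual.
    """
    iface = ipaddress.ip_interface(f"{local_ip}/{prefix}")
    target = ipaddress.ip_address(dest)
    if target not in iface.network:
        return "routed"
    if static_arp and dest in static_arp:
        return "static-arp-tunnel"
    return "arp-local"


def overlap(local_net: str, vpn_net: str) -> Optional[ipaddress.IPv4Network]:
    """Return the address range covered by both networks, or None.

    Two CIDR blocks are either disjoint or nested, so the overlap is simply
    the more specific (longer prefix) of the two.
    """
    a = ipaddress.ip_network(local_net, strict=False)
    b = ipaddress.ip_network(vpn_net, strict=False)
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b


def hosts_needing_static_arp(local_ip: str, prefix: int,
                             vpn_targets: List[str]) -> List[str]:
    """Subset of the VPN-side hosts that the client would ARP for locally."""
    return [h for h in vpn_targets
            if next_hop_decision(local_ip, prefix, h) == "arp-local"]


def static_arp_commands(targets: List[str], platform: str = "windows",
                        mac: str = DUMMY_MAC) -> List[str]:
    """One `arp -s` line per target, in the syntax of the chosen client OS."""
    if platform == "windows":
        return [f"arp -s {t} {mac}" for t in targets]
    if platform == "linux":
        return [f"arp -s {t} {mac.replace('-', ':')}" for t in targets]
    raise ValueError(f"unsupported platform: {platform}")


def demo() -> Dict[str, object]:
    """Walk the thread's scenario with constructed addresses: the client sits
    on a 10.x.x.x LAN configured with a classful 255.0.0.0 mask, and the
    network behind the Concentrator is 10.0.0.0/8 as well."""
    client_ip, client_prefix = "10.1.1.20", 8
    vpn_net = "10.0.0.0/8"
    targets = ["10.2.2.5", "10.1.1.77", "172.16.5.9"]
    stuck = hosts_needing_static_arp(client_ip, client_prefix, targets)
    return {
        "overlap": str(overlap(f"{client_ip}/{client_prefix}", vpn_net)),
        "needs_static_arp": stuck,
        "commands": static_arp_commands(stuck),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The mask is what matters: the same client at 10.1.1.20 with a /24 treats 10.2.2.5 as off-link and routes it to the gateway, where the VPN client picks it up normally; with a /8 it ARPs and the packet is never built. Before adding static entries, check the client's actual mask against the VPN-side network; static ARP is only needed for VPN hosts that fall inside the client's own subnet.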



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:44 EDT