[ednog] IPSec vs SOHO NAT

Frank Sweetser fs at WPI.EDU
Mon Jun 13 22:01:45 EDT 2005

Right now, we have a Nortel Contivity VPN solution in place.  Overall it works
quite well, but since we're looking to upgrade it this summer anyway, I was
hoping that someone might have a recommendation for either a different product
or a way to twiddle the Contivity to fix our one perpetual headache - SOHO
NAT/firewall boxes.

Like most other universities, our users come in using whatever ISP, OS setup,
and firewall solution they happen to use at home.  In the majority of cases,
this means they are using some kind of NAT.  Some of these boxes try to do
some kind of IPSec forwarding.  In the good cases, they get it more or less
right, and everything works happily.  In the other good cases, they don't pass
IP 50 or 51 at all, the VPN client automatically falls back to UDP
encapsulation, which the firewall lets through, and again, everyone is happy.

There are two unhappy cases, however.  The first is that a good number of those
SOHO routers seem to support IPSec well enough to let a session start up and
work for about 15 minutes, but don't maintain their state tables properly and
end up dropping the connection.  Invariably, these cases become solid when
people take the router out of the picture.  The obvious solution would be to
make UDP encapsulation the default operating mode, but when we tried that we
had all kinds of people who a) had a firewall that didn't let the UDP
encapsulated packets through and b) had absolutely no clue about how to open it.

So my question, then, is has anyone else run into this issue, and if so, how
did you deal with it?

Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Network Engineer          |  is simple, elegant, and wrong. - HL Mencken
    GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
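The post distinguishes three things a SOHO NAT box may or may not pass: native ESP/AH (IP protocol 50/51), IKE on UDP/500, and the UDP-encapsulated fallback on UDP/4500 (RFC 3948, which also defines the one-byte NAT keepalive and the four-zero-byte "non-ESP marker" that lets IKE share port 4500 with ESP). The following is an added example, not code from the original post or from any Contivity tooling: it classifies raw IPv4 packets into those cases so that a capture taken on the VPN concentrator's side can show which path a given client's traffic is actually taking. The sample packets are constructed inline (addresses are documentation/private placeholders, checksums are left zero), and the classifier does not validate checksums or parse IKE itself.

```python
"""Classify IPv4 packets emitted by an IPsec client: native ESP/AH, IKE on
UDP/500, or RFC 3948 UDP encapsulation on UDP/4500.  Added example; the
sample packets below are constructed by hand, not captured from a device."""
import struct
from collections import Counter

IP_PROTO_UDP, IP_PROTO_ESP, IP_PROTO_AH = 17, 50, 51
IKE_PORT, NATT_PORT = 500, 4500          # IKE, and RFC 3948 UDP encapsulation
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # RFC 3948 s.2.2: IKE carried on UDP/4500
NAT_KEEPALIVE = b"\xff"                  # RFC 3948 s.2.3: one-byte NAT keepalive


def classify_ipv4(pkt: bytes) -> str:
    """Return one of: ESP, AH, IKE, IKE-NAT-T, ESP-UDP, NAT-KEEPALIVE, OTHER."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, payload = pkt[9], pkt[ihl:]
    if proto == IP_PROTO_ESP:
        return "ESP"                      # IP protocol 50: what many SOHO boxes drop
    if proto == IP_PROTO_AH:
        return "AH"                       # IP protocol 51
    if proto != IP_PROTO_UDP or len(payload) < 8:
        return "OTHER"
    sport, dport, ulen = struct.unpack("!HHH", payload[:6])
    if ulen < 8:
        return "OTHER"
    data = payload[8:ulen]
    if IKE_PORT in (sport, dport):
        return "IKE"
    if NATT_PORT in (sport, dport):
        if data == NAT_KEEPALIVE:
            return "NAT-KEEPALIVE"        # keeps the NAT's UDP mapping alive
        if data[:4] == NON_ESP_MARKER:
            return "IKE-NAT-T"            # IKE after NAT detection moved it to 4500
        if len(data) >= 8:                # non-zero SPI + sequence number
            return "ESP-UDP"
    return "OTHER"


def transport_in_use(pkts) -> str:
    """Summarise what a client's packets show: native, udp-encapsulated,
    ike-only (negotiation seen but no data path: suspect ESP or UDP/4500
    being blocked), or none."""
    counts = Counter(classify_ipv4(p) for p in pkts)
    if counts["ESP"] or counts["AH"]:
        return "native"
    if counts["ESP-UDP"]:
        return "udp-encapsulated"
    if counts["IKE"] or counts["IKE-NAT-T"]:
        return "ike-only"
    return "none"


# --- constructed sample packets (placeholders, not real captures) -----------
def ipv4(proto: int, payload: bytes,
         src: bytes = b"\xc0\xa8\x01\x0a",      # 192.168.1.10 (private)
         dst: bytes = b"\xc0\x00\x02\x01") -> bytes:  # 192.0.2.1 (TEST-NET-1)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)   # header checksum left 0
    return hdr + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    return struct.pack("!II", spi, seq) + body


def ah(spi: int, seq: int) -> bytes:
    # next header=IP-in-IP, payload len=(24 bytes / 4) - 2 = 4, reserved, SPI, seq, 12-byte ICV
    return struct.pack("!BBHII", 4, 4, 0, spi, seq) + b"\x00" * 12


SAMPLE = [
    ipv4(IP_PROTO_UDP, udp(500, 500, b"\x00" * 28)),                       # IKE on UDP/500
    ipv4(IP_PROTO_ESP, esp(0x1234ABCD, 1)),                                 # native ESP
    ipv4(IP_PROTO_UDP, udp(4500, 4500, NON_ESP_MARKER + b"\x00" * 28)),     # IKE behind NAT
    ipv4(IP_PROTO_UDP, udp(4500, 4500, esp(0x1234ABCD, 2))),                # UDP-encapsulated ESP
    ipv4(IP_PROTO_UDP, udp(4500, 4500, NAT_KEEPALIVE)),                     # NAT keepalive
    ipv4(IP_PROTO_AH, ah(0x55, 1)),                                         # native AH
    ipv4(6, b"\x00" * 20),                                                  # plain TCP
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(classify_ipv4(p))
    print("verdict:", transport_in_use(SAMPLE))
```

Run against a client that "works for about 15 minutes and then drops", a capture that shows native ESP flowing and then only IKE retransmissions points at the NAT box losing its protocol-50 state, while a client stuck at ike-only with no ESP-UDP ever arriving is the firewall-blocks-UDP/4500 case the post describes.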
