[ednog] IPSec vs SOHO NAT

Julian Y. Koh kohster at northwestern.edu
Tue Jun 14 10:45:34 EDT 2005


At 22:01 -0400 06/13/2005, Frank Sweetser wrote:
>I was
>hoping that someone might have a recommendation for either a different
>product or a way to twiddle the Contivity to fix our one perpetual
>headache - SOHO NAT/firewall boxes.

We have a Cisco VPN 3000 that works great.  Of course, we have also enabled
PPTP, which seems to get through these SOHO NAT boxes a little better than
IPSec in general.  However, the cure-all that works in every case we've
seen is to use the Cisco IPSec client in NAT mode over TCP as opposed to
UDP.  It's probably not an approved standard, but it'll cut through
anything we've ever come across, including weird setups like you find in
hotels and other public access networks.

The other thing that this enables is the ability to have multiple computers
behind the NAT device establish separate VPN tunnels.  The VPN passthrough
functions on the NAT devices usually only hold state for a single device on
the internal side, although I believe newer firmware from some
manufacturers is addressing this.



-- 
Julian Y. Koh                         <mailto:kohster at northwestern.edu>
Network Engineer                                   <phone:847-467-5780>
Telecommunications and Network Services         Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
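The single-device limitation Julian describes for VPN passthrough (plain ESP has no port field, so a NAT with one public address can only key the flow on the remote gateway, whereas UDP- or TCP-encapsulated IPsec gets a distinct public source port per inside host) illustrated with an added toy connection-tracking model; this is example code written for this archive page, not anything from the thread or from any vendor, and the addresses, the UDP 4500 NAT-T port and the TCP port used in the test are constructed values.

```python
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers; ESP carries no transport-layer ports.
ESP, UDP, TCP = 50, 17, 6


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for ESP: there is no port field
    dst_port: Optional[int] = None


class SohoNat:
    """Toy model of a 'VPN passthrough' NAT with one public address."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}          # outside-facing key -> inside host

    def translate_outbound(self, pkt: Packet):
        """Install a mapping for this flow and return its outside key,
        or None when the flow cannot be told apart from an existing one."""
        if pkt.proto == ESP:
            # No ports to rewrite: the NAT can only key on the remote
            # gateway, so a second inside host to the same gateway collides.
            key = (ESP, pkt.dst_ip)
            if key in self.table and self.table[key] != pkt.src_ip:
                return None
        else:
            # UDP/TCP encapsulation: allocate a distinct public source port
            key = (pkt.proto, self.public_ip, self.next_port,
                   pkt.dst_ip, pkt.dst_port)
            self.next_port += 1
        self.table[key] = pkt.src_ip
        return key


def tunnels_that_work(proto: int, dst_port: Optional[int], hosts: int = 3) -> int:
    """Count inside hosts that get a usable mapping to one VPN gateway."""
    nat = SohoNat("203.0.113.10")   # constructed documentation addresses
    ok = 0
    for i in range(hosts):
        pkt = Packet(proto, f"192.168.1.{i + 10}", "198.51.100.1",
                     None if proto == ESP else 50000 + i, dst_port)
        ok += nat.translate_outbound(pkt) is not None
    return ok
```

With three inside hosts targeting the same gateway, plain ESP yields one usable tunnel while UDP or TCP encapsulation yields three, which is the behaviour the message attributes to the passthrough functions.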

