VPN through NAT?

Brian Candler B.Candler at pobox.com
Mon Aug 14 20:14:07 UTC 2006


On Mon, Aug 14, 2006 at 12:19:30PM -0600, Jeff Norris wrote:
> 
> Brian,
> 
> IPSEC NAT traversal uses UDP 4500?  Whose implementation?  Cisco, Nortel,
> BSD?

Everybody, because it's the standard. See RFCs 3947 and 3948:

  "Take the common case of the initiator behind the NAT.  The initiator
   must quickly change to port 4500 once the NAT has been detected to
   minimize the window of IPsec-aware NAT problems.

   In Main Mode, the initiator MUST change ports when sending the ID
   payload if there is NAT between the hosts.  The initiator MUST set
   both UDP source and destination ports to 4500.  All subsequent
   packets sent to this peer (including informational notifications)
   MUST be sent on port 4500."

> I believe 4500 is Cisco's way of doing it, but not all IPSEC VPN
> clients are the same.  I use one that uses UDP port 10000 for NAT
> traversal.

There are many proprietary VPN solutions out there, of course, so it sounds
like you have one of these.

I've tested many standard solutions (Microsoft's IPSEC stack, FreeBSD with
ipsec-tools, Linux with ipsec-tools, Cisco IOS, Cisco PIX, Juniper
Netscreen, Juniper ERX, and some smaller vendors). All implement NAT-T
according to the standard. They mostly even interoperate :-)

Regards,

Brian.
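The two mechanisms Brian's reply leans on, NAT detection via the NAT-D payload (RFC 3947) and the UDP/4500 framing that lets IKE, ESP and keepalives share one port (RFC 3948), as an added example. This is not code from the thread or from any of the implementations named above; the packets and ISAKMP cookies are constructed by hand, and SHA-1 is assumed as the negotiated phase-1 hash for the NAT-D computation.

```python
"""Decode UDP/4500 datagrams and detect NAT per RFC 3947/3948 (added example)."""
import hashlib
import ipaddress
import struct

# RFC 3948 s.2.2: IKE carried on UDP/4500 is prefixed with four zero bytes
# (the "non-ESP marker"); ESP has a non-zero SPI in that position, so the
# receiver can tell the two apart with one compare.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# RFC 3948 s.2.3: a one-byte 0xFF datagram keeps the NAT mapping alive.
NAT_KEEPALIVE = b"\xff"

IKEV1_EXCHANGE = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode"}


def classify_udp4500(payload: bytes) -> dict:
    """Say what a UDP/4500 payload carries: keepalive, IKE, or UDP-encapsulated ESP."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[4:]
        if len(ike) < 28:                         # ISAKMP header is 28 bytes
            return {"kind": "ike", "error": "truncated ISAKMP header"}
        ispi, rspi, _np, ver, exch, flags, _msgid, length = struct.unpack("!8s8sBBBBII", ike[:28])
        return {
            "kind": "ike",
            "ispi": ispi.hex(),
            "rspi": rspi.hex(),
            "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": IKEV1_EXCHANGE.get(exch, str(exch)),
            "encrypted": bool(flags & 0x01),
            "length_ok": length == len(ike),      # ISAKMP length covers the whole message
        }
    if len(payload) < 8:
        return {"kind": "unknown", "error": "too short for an ESP header"}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body, RFC 3947 s.3.2: HASH(CKY-I | CKY-R | IP | Port).

    IP is the packed address, Port is two bytes, both network order.  The hash
    is the one negotiated in phase 1; SHA-1 is an assumption here.
    """
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def peer_behind_nat(cky_i: bytes, cky_r: bytes, received_nat_d: list, observed_ip: str, observed_port: int) -> bool:
    """Responder-side check.  The initiator sends one NAT-D hash per address it
    believes it is using.  If the hash of the source we actually saw on the wire
    matches none of them, a NAT rewrote the packet, and per RFC 3947 s.4 both
    sides now move to UDP port 4500 (the "change ports" step Brian quoted)."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) not in received_nat_d


# --- constructed sample traffic (not captured) -------------------------------
CKY_I = bytes.fromhex("1111111111111111")
CKY_R = bytes.fromhex("2222222222222222")

# Main-mode ISAKMP header with no payloads: non-ESP marker + 28-byte header.
SAMPLE_IKE = NON_ESP_MARKER + struct.pack("!8s8sBBBBII", CKY_I, CKY_R, 1, 0x10, 2, 0, 0, 28)
# UDP-encapsulated ESP: SPI 0x12345678, sequence 7, then opaque ciphertext.
SAMPLE_ESP = struct.pack("!II", 0x12345678, 7) + b"\xaa" * 16
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

# Initiator at private 192.0.2.10:500 behind a NAT, talking to 203.0.113.1:500.
# Its NAT-D list holds the responder's address first, then its own (RFC 3947 s.3.2).
INITIATOR_NAT_D = [
    nat_d_hash(CKY_I, CKY_R, "203.0.113.1", 500),
    nat_d_hash(CKY_I, CKY_R, "192.0.2.10", 500),
]

if __name__ == "__main__":
    for pkt in (SAMPLE_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP):
        print(classify_udp4500(pkt))
    # The responder sees the NAT's public address and a translated port.
    print("NAT detected:", peer_behind_nat(CKY_I, CKY_R, INITIATOR_NAT_D, "198.51.100.7", 3456))
```

The classifier is the logic a firewall or IDS needs to tell IKE from ESP on a single UDP/4500 flow; the NAT-D check is why a standards-conforming client switches to 4500 only after detecting a NAT, rather than using a fixed port such as 10000 unconditionally.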


More information about the freebsd-isp mailing list