end to end VPN with NAT

shinakuma123
Level 1

Can anyone suggest any solutions / workaround / dirty hack / routing change to make such a setup work:

- End to End VPN between 2 servers on different networks

- On 1 end, the server is behind a firewall, which NATs its public to an internal IP

Compulsory for the setup:

- There is a need to run AH and ESP on the VPN

Problems:

- Due to AH checking for data integrity, the packets will be discarded because the firewall is NATting the IPs: the payload will differ from the original and thus gets discarded.

- ESP will also break communication because the change of IP by NAT implies a change in the CRC checksum of TCP/UDP packets; because the firewall does not have access to the encrypted payload, it will not update the CRC checksum after the IP change, so packets get discarded due to a CRC error in the TCP/IP stack.

I am seeking suggestions on a workaround which will allow this setup to work with NAT, AH and ESP...

Much appreciated :)

3 Replies

Jon Marshall
Hall of Fame

As far as I am aware NAT and AH are incompatible, i.e. NAT-T would work if it was just ESP only but not for both.

The only answers I can think of are -

1) assign the public IP directly to the server

2) do the VPN between the firewalls

Jon
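To make the two failures in the question and the "ESP only" escape in this reply concrete, here is an added illustration that is not part of the thread and not anyone's production code. It is plain Python with only the standard library: a minimal IPv4 header, an AH-style ICV computed over the immutable header fields, the TCP checksum with its pseudo-header, and a toy XOR keystream standing in for ESP encryption. The key, the addresses and every function name are constructed for the example. It also goes one step beyond the thread: it shows why a NAT-T-aware peer can still accept an ESP transport-mode packet, since RFC 3948 lets the receiver recompute the inner TCP checksum using the original address announced in the NAT-OA payload. (In tunnel mode the inner IP header and checksum are encrypted and untouched by the NAT, so that problem only arises in transport mode; AH fails either way because the outer addresses are covered by the ICV.)

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed values for the demo: not a real SA key, not real hosts.
KEY = b"constructed-demo-key"
PRIVATE_SRC = "10.0.0.5"     # the server's real address behind the firewall
PUBLIC_SRC = "203.0.113.5"   # the address the firewall NATs it to
DST = "198.51.100.10"        # the remote VPN peer

def packed(addr):
    return ipaddress.IPv4Address(addr).packed

def ip_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header, no options; total length and header checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0x4000, ttl, proto, 0,
                       packed(src), packed(dst))

def nat_source(ip_hdr, new_src):
    """What the firewall does on the way out: rewrite the source address and decrement the TTL.
    Only the IP header is touched; whatever follows it is forwarded unchanged."""
    h = bytearray(ip_hdr)
    h[12:16] = packed(new_src)
    h[8] -= 1
    return bytes(h)

# ---- AH: the ICV covers the IP addresses, so a NAT rewrite invalidates it ----
def ah_icv(ip_hdr, payload):
    """AH-style ICV: HMAC over the IPv4 header with its mutable fields zeroed (TOS, flags and
    fragment offset, TTL, header checksum) plus the payload, truncated to 128 bits like
    HMAC-SHA-256-128. Source and destination addresses are immutable and stay covered."""
    h = bytearray(ip_hdr)
    h[1], h[8] = 0, 0
    h[6:8] = h[10:12] = b"\x00\x00"
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:16]

def ah_verify(ip_hdr, payload, icv):
    return hmac.compare_digest(ah_icv(ip_hdr, payload), icv)

# ---- TCP checksum: the pseudo-header includes both IP addresses ----
def inet_checksum(data):
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src, dst, length):
    return packed(src) + packed(dst) + struct.pack("!BBH", 0, 6, length)

def tcp_segment(src, dst, sport, dport, data):
    """20-byte TCP header plus data, with a checksum valid for the given addresses."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = inet_checksum(pseudo_header(src, dst, len(hdr) + len(data)) + hdr + data)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + data

def tcp_checksum_ok(src, dst, segment):
    return inet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

# ---- ESP transport mode: the NAT cannot see the inner checksum, so it cannot fix it ----
def esp_wrap(segment):
    """Constructed stand-in for ESP's cipher: XOR with a SHA-256 counter keystream. Not real ESP,
    but enough to make the TCP checksum invisible to the firewall. Applying it twice decrypts."""
    ks = b"".join(hashlib.sha256(KEY + struct.pack("!I", i)).digest()
                  for i in range(len(segment) // 32 + 1))
    return bytes(a ^ b for a, b in zip(segment, ks))

def ah_survives(change_address):
    """Send an AH packet through the firewall and verify the ICV at the peer.
    A TTL decrement alone is fine (mutable field); a source address rewrite is not."""
    segment = tcp_segment(PRIVATE_SRC, DST, 40000, 443, b"hello")
    hdr = ip_header(PRIVATE_SRC, DST, proto=51)
    icv = ah_icv(hdr, segment)
    natted = nat_source(hdr, PUBLIC_SRC if change_address else PRIVATE_SRC)
    return ah_verify(natted, segment, icv)

def esp_transport_survives(nat_t_aware):
    """Send an ESP transport-mode packet through the firewall; the peer decrypts, then checks the
    TCP checksum. A plain peer checks against the outer (NATed) address and fails. A NAT-T-aware
    peer recomputes with the original address learned via NAT-OA (RFC 3948 section 3.1.2)."""
    segment = tcp_segment(PRIVATE_SRC, DST, 40000, 443, b"hello")
    natted = nat_source(ip_header(PRIVATE_SRC, DST, proto=50), PUBLIC_SRC)
    outer_src = str(ipaddress.IPv4Address(natted[12:16]))  # what the peer sees
    inner = esp_wrap(esp_wrap(segment))                     # ciphertext passed through untouched
    return tcp_checksum_ok(PRIVATE_SRC if nat_t_aware else outer_src, DST, inner)

if __name__ == "__main__":
    for label, ok in [("AH, TTL change only", ah_survives(False)),
                      ("AH, source NATed", ah_survives(True)),
                      ("ESP transport, plain peer", esp_transport_survives(False)),
                      ("ESP transport, NAT-T peer", esp_transport_survives(True))]:
        print(f"{label}: {'accepted' if ok else 'dropped'}")
```

Running it prints one line per scenario: the AH packet is accepted when only the TTL changed and dropped once the source address is rewritten, while the ESP transport-mode packet is dropped by a peer that checks the inner checksum against the NATed address and accepted by a NAT-T-aware peer that checks it against the original one. That is the whole of the "NAT-T works for ESP but not AH" point: the ESP problem is a checksum the receiver can repair with information it already has, whereas the AH problem is a deliberate integrity check on the very field the NAT changes.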

Hi Jon

Almost thought you were ignoring me with the recent PMs :p.

Assigning a public IP is not an option, as apart from this VPN that server has other uses which need the protection and access limitation a FW provides.

 

I am wondering about the VPN between firewalls idea... The issue with that is, yes, one end is a server behind the firewall, but the other end which I want to establish a VPN with is a cloud service... Not sure how this would be possible?

No, not ignoring you, just been a bit busy and hadn't noticed.

I'll have a look sometime today but also worth mentioning that there are guys on here with a lot of experience in things I don't necessarily have so it may be better sometimes to post up on here so others can add their thoughts.

You may well get better answers.

For your VPN it depends what's at the other end.

You could consider a client VPN connection from their end to your firewall but again that might not be possible.

Bear in mind giving the server a public IP doesn't mean it isn't protected by the firewall, but I suspect it would be problematic anyway unless you moved the server to a DMZ of its own, but this would mean using up another public IP for the firewall's interface.

There isn't really a clean answer to this I'm afraid unless you can not use AH and only ESP in which case you could do it.

Jon