Jon Marshall Thu, 06/28/2007 - 01:32

Hi


If you have a NAT/PAT device between your VPN client and the VPN headend device, this can stop the VPN tunnel working because the port numbers get changed.


In order to get around this you can use nat-traversal which needs to be supported on the client end and the headend device. The IPSEC traffic is encapsulated in UDP packets with port 4500. This allows the NAT to modify the packet without breaking the IPSEC tunnel.


HTH


Jon
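As an added illustration of the UDP 4500 encapsulation Jon describes (not code from this thread or from Cisco), the snippet below classifies the payload of a port-4500 datagram the way a packet analyser or IDS would: RFC 3948 places a four-byte all-zero "non-ESP marker" in front of IKE messages, sends ESP with its SPI directly after the UDP header, and uses a single 0xFF byte as the NAT keepalive. The sample datagrams are constructed inline.

```python
import struct
from collections import Counter

# RFC 3948 layouts on UDP/4500 (documented in the lead-in):
#   ESP       : UDP header, then ESP header (SPI, sequence number, ...)
#   IKE       : UDP header, 4 zero bytes (non-ESP marker), then ISAKMP header
#   keepalive : a single 0xFF byte from the peer behind the NAT
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
ISAKMP_HDR = "!8s8sBBBBII"  # iSPI, rSPI, next payload, version, exch type, flags, msg id, length


def classify_nat_t_payload(payload: bytes) -> dict:
    """Return the packet type plus the fields worth logging for one UDP/4500 payload."""
    if payload == NAT_KEEPALIVE:
        return {"type": "nat-keepalive"}
    if len(payload) < 8:
        return {"type": "malformed", "reason": "shorter than an ESP header"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[4:]
        if len(ike) < struct.calcsize(ISAKMP_HDR):  # 28-byte ISAKMP header
            return {"type": "malformed", "reason": "truncated IKE header"}
        i_spi, r_spi, _nxt, ver, exch, _flags, _msg_id, length = struct.unpack(ISAKMP_HDR, ike[:28])
        return {
            "type": "ike",
            "initiator_spi": i_spi.hex(),
            "responder_spi": r_spi.hex(),
            "version": f"{ver >> 4}.{ver & 0xF}",  # 1.0 = IKEv1, 2.0 = IKEv2
            "exchange_type": exch,
            "length": length,
        }
    # Anything else is UDP-encapsulated ESP; the first word is the SPI, then the sequence number.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"type": "esp", "spi": spi, "sequence": seq}


def summarize(payloads) -> Counter:
    """Count packet types over a list of captured UDP/4500 payloads."""
    return Counter(classify_nat_t_payload(p)["type"] for p in payloads)


# Constructed sample payloads (not real captures).
SAMPLE_ESP = struct.pack("!II", 0x1A2B3C4D, 7) + b"\xde\xad\xbe\xef"
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(ISAKMP_HDR, bytes(range(8)), bytes(8), 33, 0x20, 34, 0x08, 0, 28)
SAMPLE_CAPTURE = [SAMPLE_IKE, SAMPLE_ESP, SAMPLE_ESP, NAT_KEEPALIVE, b"\x00\x00"]

if __name__ == "__main__":
    for p in SAMPLE_CAPTURE:
        print(classify_nat_t_payload(p))
    print(summarize(SAMPLE_CAPTURE))
```

The keepalive and the non-ESP marker are what make a NAT-T flow distinguishable from plain ESP on the wire, so they are useful anchors for firewall rules and detection content.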

ggilbert Thu, 06/28/2007 - 03:26

Adding to Jon's comment, the head end device should automatically detect whether the receiving connection is through a NAT device or not and then use port 4500 for the handshake.


Unless NAT-T is turned off, at which point just use IPSec over UDP.


Hope this explains.


Cheers

Gilbert


pankajp Thu, 06/28/2007 - 09:32

Hi Jon, Gilbert,

I read that there is a security risk in implementing NAT-T. How true is that? Is there something that can be done to reduce the risk?

ggilbert Thu, 06/28/2007 - 11:30

Like what risk?


Where did you read it?


Give me the article where you read about it.



Thanks

Gilbert

Jon Marshall Thu, 06/28/2007 - 23:02

Hi


There are different types of vulnerability:


1) Theoretical vulnerabilities, i.e. in theory it could be done but no one has ever done it.


2) Vulnerabilities where the attacker would need so much access that if they had that access there would be much easier targets to go for.


3) Vulnerabilities which can be exploited without any special access etc.


Together with this you have to balance these vulnerabilities against how likely your company is to be a target.


Reading through your attachment, the one I would concentrate on is the use of a group wildcard and pre-shared keys. If you are not already doing it, I would strongly recommend you don't use pre-shared keys solely for authentication and use some sort of token-based authentication.


HTH


Jon
