06-28-2007 12:30 AM
Can someone explain to me the exact meaning of the nat-traversal command and what it does in a VPN topology?
06-28-2007 01:32 AM
Hi
If you have a NAT/PAT device between your VPN client and the VPN headend device, this can stop the VPN tunnel from working because the port numbers get changed.
In order to get around this you can use nat-traversal, which needs to be supported on the client end and the headend device. The IPSEC traffic is encapsulated in UDP packets with port 4500. This allows the NAT to modify the packet without breaking the IPSEC tunnel.
HTH
Jon
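The UDP/4500 encapsulation Jon describes is specified in RFC 3948, and the part a practitioner usually has to reason about is how one port carries three different things: ESP packets, IKE messages (prefixed by a 4-octet zero "non-ESP marker"), and 1-octet 0xFF NAT-keepalives. The example below is added to this thread and is not code from any poster or vendor; it builds each datagram type and then demultiplexes them the way a headend must. The sample IKE header and ESP packet are constructed inline, the ESP body is dummy bytes standing in for ciphertext, and the client source port 40123 is an assumed PAT-translated port.

```python
import struct

# RFC 3948 constants: NAT-T moves IKE and ESP onto one UDP port so a NAT
# can rewrite the outer IP/UDP header without touching the ESP packet.
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # 4 zero octets in front of an IKE header
NAT_KEEPALIVE = b"\xff"                # 1-octet datagram that refreshes the NAT mapping
IKE_HEADER_LEN = 28


def _udp_header(src_port: int, dst_port: int, payload_len: int) -> bytes:
    # UDP checksum is sent as zero; RFC 3948 tells receivers not to depend on it.
    return struct.pack("!HHHH", src_port, dst_port, 8 + payload_len, 0)


def udp_encapsulate_esp(esp_packet: bytes, src_port: int = NAT_T_PORT,
                        dst_port: int = NAT_T_PORT) -> bytes:
    """Wrap a complete ESP packet (SPI | seq | ciphertext | ICV) in UDP (RFC 3948 section 2.1)."""
    if len(esp_packet) < 8:
        raise ValueError("ESP packet shorter than SPI + sequence number")
    if esp_packet[:4] == NON_ESP_MARKER:
        # ESP reserves SPI 0, which is exactly what makes the marker unambiguous.
        raise ValueError("SPI 0 is reserved; it would be mistaken for the non-ESP marker")
    return _udp_header(src_port, dst_port, len(esp_packet)) + esp_packet


def udp_encapsulate_ike(ike_message: bytes, src_port: int = NAT_T_PORT,
                        dst_port: int = NAT_T_PORT) -> bytes:
    """Wrap an IKE message for port 4500: marker first, then the IKE header (RFC 3948 section 2.2)."""
    return _udp_header(src_port, dst_port, 4 + len(ike_message)) + NON_ESP_MARKER + ike_message


def nat_keepalive(src_port: int = NAT_T_PORT, dst_port: int = NAT_T_PORT) -> bytes:
    """RFC 3948 section 2.3 NAT-keepalive: a single 0xFF octet, never handed to IPsec."""
    return _udp_header(src_port, dst_port, 1) + NAT_KEEPALIVE


def demux_udp4500(datagram: bytes) -> dict:
    """Classify one datagram received on UDP/4500 the way a NAT-T headend must."""
    if len(datagram) < 8:
        return {"kind": "invalid", "reason": "short UDP header"}
    src_port, dst_port, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if dst_port != NAT_T_PORT or length > len(datagram) or length < 8:
        return {"kind": "invalid", "reason": "not a well-formed NAT-T datagram"}
    payload = datagram[8:length]
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive", "src_port": src_port}
    if len(payload) < 8:
        return {"kind": "invalid", "reason": "payload too short for ESP or IKE"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "invalid", "reason": "truncated IKE header"}
        spi_i, spi_r, _next_pl, version, exch, _flags, msg_id, msg_len = struct.unpack(
            "!8s8sBBBBII", ike[:IKE_HEADER_LEN])
        return {"kind": "ike", "src_port": src_port,
                "initiator_spi": spi_i.hex(), "responder_spi": spi_r.hex(),
                "major_version": version >> 4, "exchange_type": exch,
                "message_id": msg_id, "length": msg_len}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "src_port": src_port, "spi": spi, "sequence": seq,
            "esp_packet": payload}


# Constructed sample traffic (not a capture): an IKEv2 IKE_SA_INIT header
# (exchange type 34, version 2.0, initiator flag) and one ESP packet with dummy ciphertext.
SAMPLE_IKE_HEADER = struct.pack("!8s8sBBBBII",
                                bytes.fromhex("0123456789abcdef"), bytes(8),
                                33, 0x20, 34, 0x08, 0, IKE_HEADER_LEN)
SAMPLE_ESP_PACKET = struct.pack("!II", 0x1000ABCD, 1) + bytes.fromhex("deadbeef" * 4)


def run_sample() -> list:
    """Encapsulate the samples plus a keepalive, then demultiplex them as the headend would."""
    wire = [udp_encapsulate_ike(SAMPLE_IKE_HEADER, src_port=40123),   # assumed PAT port
            udp_encapsulate_esp(SAMPLE_ESP_PACKET, src_port=40123),
            nat_keepalive(src_port=40123)]
    return [demux_udp4500(d) for d in wire]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

The point to notice is that the NAT only ever rewrites the outer IP and UDP headers, so the translated source port (40123 here) shows up in the demultiplexed result while the SPI, sequence number and IKE SPIs inside are untouched; that is why an ESP packet survives PAT once it is wrapped this way, and why an unwrapped ESP packet (IP protocol 50, no ports) does not.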
06-28-2007 03:26 AM
Adding to Jon's comment, the head end device should automatically detect whether the incoming connection is through a NAT device or not and then use port 4500 for the handshake.
Unless NAT-T is turned off; at that point, just use IPSec over UDP.
Hope this explains.
Cheers
Gilbert
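The automatic detection Gilbert refers to is the NAT-D exchange of RFC 3947 section 3.2: during IKE phase 1 on port 500, each side sends hashes of HASH(CKY-I | CKY-R | IP | Port) for the peer's address as it sees it and for its own address(es). The receiver recomputes the hashes over the addresses actually on the wire; any mismatch means a NAT rewrote them, and both sides then move to port 4500 (section 4). The example below is added here and is not code from any poster or from Cisco; it implements the hash and the receiver-side decision. The IKEv1 cookies, addresses and the PAT-translated port are constructed for the scenario, and SHA-1 is assumed as the negotiated hash. The same construction carries over to IKEv2, where RFC 7296 uses the IKE SPIs and SHA-1 in the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifications.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port) as in RFC 3947 section 3.2.

    The address is the 4- or 16-octet binary form and the port is 2 octets,
    both in network byte order; the hash is the one negotiated for the SA.
    """
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes, local_ip: str, local_port: int,
                         remote_ip: str, remote_port: int, hash_name: str = "sha1") -> list:
    """Sender side: first the peer's address as the sender sees it, then each local address."""
    return [nat_d_hash(cky_i, cky_r, remote_ip, remote_port, hash_name),
            nat_d_hash(cky_i, cky_r, local_ip, local_port, hash_name)]


def detect_nat(received: list, cky_i: bytes, cky_r: bytes, own_ip: str, own_port: int,
               observed_peer_ip: str, observed_peer_port: int, hash_name: str = "sha1") -> dict:
    """Receiver side. The first hash is checked against our own address (a mismatch means
    we are behind a NAT); the remaining hashes are checked against the packet's observed
    source (no match means the peer is behind a NAT). Either result floats to UDP/4500."""
    if len(received) < 2:
        raise ValueError("RFC 3947 requires at least two NAT-D payloads")
    self_behind_nat = received[0] != nat_d_hash(cky_i, cky_r, own_ip, own_port, hash_name)
    observed = nat_d_hash(cky_i, cky_r, observed_peer_ip, observed_peer_port, hash_name)
    peer_behind_nat = all(h != observed for h in received[1:])
    return {"self_behind_nat": self_behind_nat,
            "peer_behind_nat": peer_behind_nat,
            "float_to_4500": self_behind_nat or peer_behind_nat}


# Constructed scenario values (not from a real exchange): IKEv1 cookies plus a headend
# at 198.51.100.1:500 and a VPN client whose PAT device presents it as 203.0.113.7:40123.
CKY_I = bytes.fromhex("a1b2c3d4e5f60708")
CKY_R = bytes.fromhex("1122334455667788")
HEADEND_IP, IKE_PORT = "198.51.100.1", 500


def scenario_client_behind_pat() -> dict:
    """Client at 10.0.0.5 builds NAT-D from its own view; the headend sees the translated source."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "10.0.0.5", IKE_PORT, HEADEND_IP, IKE_PORT)
    return detect_nat(payloads, CKY_I, CKY_R, HEADEND_IP, IKE_PORT, "203.0.113.7", 40123)


def scenario_no_nat() -> dict:
    """Client with a public address 192.0.2.10; every hash matches what is on the wire."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "192.0.2.10", IKE_PORT, HEADEND_IP, IKE_PORT)
    return detect_nat(payloads, CKY_I, CKY_R, HEADEND_IP, IKE_PORT, "192.0.2.10", IKE_PORT)


def scenario_headend_behind_static_nat() -> dict:
    """Headend really sits at 172.16.0.2 behind a static NAT that publishes 203.0.113.200;
    the client hashes the public address, so the first NAT-D payload fails to match."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "192.0.2.10", IKE_PORT, "203.0.113.200", IKE_PORT)
    return detect_nat(payloads, CKY_I, CKY_R, "172.16.0.2", IKE_PORT, "192.0.2.10", IKE_PORT)


if __name__ == "__main__":
    print("client behind PAT:", scenario_client_behind_pat())
    print("no NAT:           ", scenario_no_nat())
    print("headend behind NAT:", scenario_headend_behind_static_nat())
```

Because the hashes bind the cookies as well as the address and port, an on-path party cannot simply replay NAT-D payloads from another negotiation, but the mechanism only tells each side that some translation happened; it does not authenticate the peer, which is why the thread's later point about not relying on pre-shared keys alone still applies with NAT-T enabled.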
06-28-2007 09:32 AM
Hi Jon, Gilbert,
I read that there is a security risk in implementing NAT-T. How true is that? Is there something that can be done to reduce the risk?
06-28-2007 11:30 AM
Like what risk?
Where did you read it?
Give me the article where you read about it.
Thanks
Gilbert
06-28-2007 12:46 PM
http://www.ietf.org/rfc/rfc3947.txt
See 8. Security Considerations.
Further, I have read Microsoft articles...
support.microsoft.com/kb/885348
While I intend to use my VPN Concentrator in the DMZ with my PIX Firewall, I wanted to be sure....
06-28-2007 11:02 PM
Hi
There are different types of vulnerability
1) Theoretical vulnerabilities, i.e. in theory it could be done but no one has ever done it.
2) Vulnerabilities where the attacker would need so much access that if they had that access there would be much easier targets to go for.
3) Vulnerabilities which can be exploited without any special access etc.
Together with this you have to balance these vulnerabilities against how likely your company is to be a target.
Reading through your attachment, the one I would concentrate on is the use of a group wildcard and pre-shared keys. If you are not already doing it, I would strongly recommend you don't use pre-shared keys solely for authentication and use some sort of token-based authentication.
HTH
Jon