issues with vpn through firewall/proxy setup

vkarthik
Level 1

Hi,

I want to access the VPN through a firewall/proxy on the client side (VPN Client).

I've installed the VPN gateway as a PIX 515 firewall using Microsoft CA IKE SA.

I want to establish a VPN tunnel from my VPN client through a proxy/firewall.

I've tried this at some VPN client sites where the firewall is a Linux box with IPsec and ESP NAT functionality enabled. It works perfectly, but only for one concurrent VPN client. Also, the first VPN tunnel disconnects when a second user connects, without knowing about the first established tunnel.

I heard that we can work around this issue using "NAT Traversal" mode, which comes in PIX IOS 6.3, as in the Cisco 3000 Concentrator.

I want to know how NAT Traversal can solve my issue: does it allow more than one concurrent user without ESP NAT support in a firewall/proxy setup, or only one concurrent user without ESP NAT support in a firewall/proxy setup?

Thanks,

Karthikeyan V

3 Replies

gfullage
Cisco Employee

The VPN client is able to detect that it has gone through a NAT/PAT device on the way to the concentrator/PIX, and then if both ends support it, they'll automatically start NAT-T and encapsulate the IPSec packets into UDP port 4500 packets. These are then able to be NAT'd properly and you won't get the disconnections or the problems you're currently seeing.

The reason you see only one client being able to connect and clients being disconnected when another connects is that your PAT device cannot handle the ISAKMP and IPSec packets properly. This is a fairly common symptom.

PIX v6.3 code will support NAT-T; it should be available in March sometime.
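As an added illustration of the symptom and the fix described in the reply above (example code written for this page, not the poster's or Cisco's): a toy port-overloading PAT device with no IPsec awareness. Raw ESP (IP protocol 50) carries no ports, so such a device can map the protocol to only one inside host at a time, and the second client to connect takes over the mapping; with NAT-T the same traffic rides in UDP/4500 and each client gets its own translated source port. The small classifier at the end labels a UDP/4500 payload using the RFC 3948 markers (a single 0xFF keepalive octet, a four-zero non-ESP marker in front of IKE, otherwise a non-zero ESP SPI). All addresses, ports, SPIs and payloads are constructed sample values.

```python
"""Toy PAT device: raw ESP supports one inside client per public address,
NAT-T (RFC 3948, ESP/IKE inside UDP/4500) lets several share it.

Added example, not code from the thread or from Cisco. Every address,
port, SPI and payload here is a constructed sample value.
"""
from dataclasses import dataclass, field
from typing import Optional

ESP = 50
UDP = 17
NAT_T_PORT = 4500


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None  # None for ESP: no transport header
    dst_port: Optional[int] = None
    payload: bytes = b""


@dataclass
class PatDevice:
    """Port-overloading NAT that knows nothing about IPsec."""
    public_ip: str
    next_port: int = 40000
    out_table: dict = field(default_factory=dict)  # (inside_ip, port) -> public port
    in_table: dict = field(default_factory=dict)   # public port -> (inside_ip, port)
    esp_owner: Optional[str] = None                # sole inside host for protocol 50

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == ESP:
            # No ports to overload: the whole protocol maps to one inside host.
            # A second client takes the mapping and the first stops getting replies.
            self.esp_owner = pkt.src_ip
            return Packet(self.public_ip, pkt.dst_ip, ESP, payload=pkt.payload)
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_table:
            self.out_table[key] = self.next_port
            self.in_table[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, pkt.dst_ip, UDP,
                      self.out_table[key], pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == ESP:
            if self.esp_owner is None:
                return None
            return Packet(pkt.src_ip, self.esp_owner, ESP, payload=pkt.payload)
        key = self.in_table.get(pkt.dst_port)
        if key is None:
            return None  # no mapping: dropped
        inside_ip, inside_port = key
        return Packet(pkt.src_ip, inside_ip, UDP, pkt.src_port, inside_port, pkt.payload)


def simulate(use_nat_t: bool) -> dict:
    """Two clients behind one PAT talk to one gateway; report who gets a reply back."""
    pat = PatDevice("198.51.100.7")      # constructed public address of the PAT
    gateway = "203.0.113.1"              # constructed VPN gateway address
    clients = ["10.0.0.11", "10.0.0.12"]
    translated = []
    for c in clients:
        if use_nat_t:
            pkt = Packet(c, gateway, UDP, NAT_T_PORT, NAT_T_PORT, b"\x00\x00\x10\x01esp")
        else:
            pkt = Packet(c, gateway, ESP, payload=b"\x00\x00\x10\x01esp")
        translated.append((c, pat.outbound(pkt)))
    got_reply = {c: False for c in clients}
    for c, out in translated:
        # The gateway answers the outer header it saw: translated port for
        # NAT-T, bare public address for raw ESP.
        if out.proto == UDP:
            reply = Packet(gateway, out.src_ip, UDP, out.dst_port, out.src_port, b"reply")
        else:
            reply = Packet(gateway, out.src_ip, ESP, payload=b"reply")
        back = pat.inbound(reply)
        if back is not None and back.dst_ip == c:
            got_reply[c] = True
    return got_reply


def classify_nat_t_payload(data: bytes) -> str:
    """Label a UDP/4500 payload using the RFC 3948 markers."""
    if data == b"\xff":
        return "nat-keepalive"   # one 0xFF octet keeps the PAT mapping alive
    if len(data) >= 4 and data[:4] == b"\x00\x00\x00\x00":
        return "ike"             # four-zero non-ESP marker in front of IKE
    if len(data) >= 8:
        return "esp"             # first four bytes are a non-zero ESP SPI
    return "malformed"


if __name__ == "__main__":
    print("raw ESP:", simulate(False))  # only the last client to connect keeps working
    print("NAT-T  :", simulate(True))   # both clients receive their replies
```

Running the script prints that with raw ESP only the second client (the one that connected last) receives its replies, while with NAT-T both do; that is the single-client limit and the disconnect-on-second-login behaviour from the question, reproduced on a NAT with no ESP tracking at all. The Linux box in the question, which tracks ESP, does better than this toy but still serves only one client; a port-overloaded UDP/4500 flow needs no IPsec awareness on the NAT.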

Please acknowledge my reply, whether it's correct or not.

From your valuable explanations I found that PIX IOS 6.3 supports NAT-T and that it supports multiple concurrent users through a NAT/PAT device like Linux.

Yes, PIX v6.3 will support NAT-T, and if you use the VPN client, which also supports NAT-T, then they'll be able to connect through Linux devices.

v6.3 should be available in March.