Does anyone know if the process of creating Phase 1 and Phase 2 is a stateful connection, or does it create a new connection somewhat like FTP?
Do you have a link explaining it?
I have 2 firewalls: firewall A is the Internet edge, firewall B is the VPN box.
Firewall A provides NAT for all outgoing traffic. All traffic goes out a PAT.
Incoming traffic for the VPN is established by using a policy NAT, not a static. I see traffic for the tunnel hitting the VPN box, but Phase 2 is never established. I'm afraid Phase 2 is using the PAT as the peer. Is this possible?
I know creating a static would solve my problem, but I'm mostly interested in how the communication for the tunnel is completed.
Even using static translation, if your end device does not support NAT-Transparency then you will not be able to establish the tunnel. The main reason is that NAT changes the IP header, which results in mismatches between endpoints. NAT-Traversal overcomes this by encapsulating IPsec packets in an upper-layer protocol such as UDP before the NAT header is added. That way the original IPsec packet is not modified in transit.
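To make the mechanism in the answer above concrete, here is an added example (not from the original thread or from any vendor code) of the two pieces NAT-Traversal relies on: the NAT-D payload check from RFC 3947, by which an IKEv1 peer notices that a NAT/PAT rewrote the IP header on the way, and the UDP port 4500 framing from RFC 3948, in which the ESP packet rides unchanged inside UDP so that only the outer IP/UDP header is touched by the translator. The cookies, SPIs, addresses (RFC 5737 documentation ranges) and ports are constructed sample values, SHA-1 is assumed as the Phase 1 hash, and the poster's firewall B is assumed to sit at 10.1.1.10 behind a PAT address of 203.0.113.5.

```python
# Added example, not from the original thread. Shows (1) how an IKEv1 peer
# detects a NAT on the path with NAT-D payloads (RFC 3947) and (2) the
# UDP/4500 framing of RFC 3948 that keeps the ESP packet itself untouched
# while the NAT rewrites only the outer IP/UDP header.
# Every cookie, SPI, address and port below is a constructed sample value.
import hashlib
import socket
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: prefix for IKE on 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte keepalive


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "sha1") -> bytes:
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port).
    IP is the raw 4-byte IPv4 address and Port a big-endian 16-bit value.
    The hash is the one negotiated in Phase 1; SHA-1 is assumed here."""
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port))
    return h.digest()


def nat_between_peers(cky_i: bytes, cky_r: bytes,
                      claimed_ip: str, claimed_port: int,
                      seen_ip: str, seen_port: int) -> bool:
    """Receiver side of the NAT-D check. The sender hashed the source
    address/port it believes it is sending from; the receiver recomputes the
    hash over the source address/port the packet actually arrived with.
    Any difference means a device rewrote the header in transit (a NAT)."""
    claimed = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    observed = nat_d_hash(cky_i, cky_r, seen_ip, seen_port)
    return claimed != observed


def pat_scenario() -> dict:
    """Constructed version of the poster's topology: firewall B (the VPN box,
    assumed 10.1.1.10) sends IKE from UDP 500; firewall A PATs it so the
    remote peer sees 203.0.113.5 with a translated source port of 3391."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie
    behind_pat = nat_between_peers(cky_i, cky_r, "10.1.1.10", 500,
                                   "203.0.113.5", 3391)
    direct = nat_between_peers(cky_i, cky_r, "203.0.113.5", 500,
                               "203.0.113.5", 500)
    return {"behind_pat": behind_pat, "direct": direct}


def udp_encap_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """RFC 3948 2.1: UDP-encapsulated ESP is the ESP packet as the UDP payload.
    A NAT only rewrites the outer IP and UDP headers, so the SPI, sequence
    number and encrypted body (the integrity-protected part) are unchanged."""
    return struct.pack("!II", spi, seq) + esp_body


def udp_encap_ike(ike_msg: bytes) -> bytes:
    """RFC 3948 2.2: IKE sent on port 4500 carries a 4-byte zero Non-ESP
    Marker where an ESP SPI would be, so the receiver can tell it from ESP
    (an SPI of zero is not used on the wire)."""
    return NON_ESP_MARKER + ike_msg


def demux_4500(payload: bytes) -> tuple:
    """Classify a UDP/4500 payload the way a NAT-T capable peer does."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None)
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:])
    spi, seq = struct.unpack("!II", payload[:8])
    return ("esp", (spi, seq))


if __name__ == "__main__":
    print("NAT-D result:", pat_scenario())
    for pkt in (udp_encap_ike(b"\x01\x02"), udp_encap_esp(0x1234, 7, b"abc"),
                NAT_KEEPALIVE):
        print(demux_4500(pkt))
```

Once both sides see a NAT-D mismatch they move IKE to UDP 4500 and send ESP as UDP-encapsulated ESP on the same port; from the remote peer's point of view the tunnel endpoint is then whatever address and port the translator put in the outer header, and the ESP payload it receives is the one the VPN box built. Without NAT-T the translated outer header has no UDP layer to absorb the rewrite, which is the mismatch the answer above describes.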