Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
607
Views
0
Helpful
7
Replies

Why preshared key should not be used with nat traversal. What is the solution for this problem ?

KAMAL55555
Level 1
Level 1

‎05-12-2014 02:28 AM

I am establishing a VPN using IPSec with preshared support for authentication, but I studied that preshared key should not be used with nat traversal, what is the solution for this.

Labels:
0 Helpful
7 Replies 7

Karsten Iwen
VIP
VIP

‎05-12-2014 03:21 AM

Where did you read that? Of course you can use PSKs while also using NAT-Traversal.

0 Helpful

KAMAL55555
Level 1
Level 1
In response to Karsten Iwen

‎05-12-2014 09:06 PM

Mr. Karsten I am using ipsectools-0.7.2 open source package, where I have a sample racoon.conf configuration file to racoon daemon . In that configuration file it has been mentioned that "With NAT-T you shouldn't use PSK" .

Preview file
4 KB
0 Helpful

Karsten Iwen
VIP
VIP
In response to KAMAL55555

‎05-12-2014 10:41 PM

Sadly, there is no reason for that statement mentioned. I never heard that before, and from the differences from native exchanges to NAT-T I have no idea why you shouldn't use PSKs in that case. Anyone else?

0 Helpful

KAMAL55555
Level 1
Level 1
In response to Karsten Iwen

‎05-14-2014 11:04 PM

Mr. Karsten please go through this document attached (Page 5 paragraph 4) and answer.

Preview file
179 KB
0 Helpful

Karsten Iwen
VIP
VIP
In response to KAMAL55555

‎05-15-2014 12:04 AM

That problem is solved since a very long time; at least most vendors (including Cisco) have solved that problem. I remember a setup I had some years ago with an Astaro-device where the authentication failed due to NAT, but I assume that nowadays every vendor can handle that. Just think about it that the described problem in that document problems is over a decade old.

0 Helpful

KAMAL55555
Level 1
Level 1
In response to Karsten Iwen

‎05-16-2014 02:39 AM

Mr.Karsten can U explain me what happens when a IPsec end point receives first packet of IKE phase 1 negotiation whose source address has been changed to another address(by PAT device) then is this packet accepted by the IPsec end point.

0 Helpful

Karsten Iwen
VIP
VIP
In response to KAMAL55555

‎05-16-2014 02:01 PM

There are two typical scenarios for that:

  1. You have NAT but a fixed IP. That if often the case when there is a DSL-router in front of your VPN gateway and for whatever reason you can't or don't want to operate that device in "Bridge" or "Modem"-Mode. Another scenario is where the VPN gateway sits behind a dedicated Firewall and is natted to the internal DMZ-IP. In that case the VPN-device (1) has a private IP that gets translated to the fixed public IP. On the other VPN-gateway (2) you configure that public IP as the peer-address. Here you can run into problems with older equipment when the peer behind NAT tells the gateway 2 "my identity is 10.10.10.10" (the private IP). But I haven't seen problems with that for quite long time.
  2. You have a dynamic IP with a PAT device. In that case you typically configure one of the various Remote-Access styles where the Hub-gateway doesn't reference the IP of the spoke and therefor the spoke can connect with any IP. Here wildcard-PSKs are used which are not a best practice. In that case the use of digital certificates is the better choice.
0 Helpful
Customers Also Viewed These Support Documents