IPsec from Behind NAT

Robert Hanlon

I have two machines in a lab environment. One is on an open LAN and the other
is behind a router/firewall that uses NAT.

I can get the two machines to authenticate to each other, or at least that's
the information I'm getting from ipsecmon.

The problem I'm having is that after they appear to negotiate security, I can't
get them to "talk" to each other anymore.
I can no longer ping (or do anything ICMP-related) or map a network share
from the machine behind the NAT.

Any help would be greatly appreciated. Let me know if you need any other
info...
 
Jeff Smalley

With relatively recent NAT standards, you couldn't use IPSEC
through NAT. This is because IPSEC encrypts the packet and
the NAT server can't alter the packet to do its NAT
function. I know that the NAT standard that Windows 2003
server uses supposedly allows for this by changing the
packets in a different fashion. I have not tried that yet.
I'd imagine that other router manufacturers have or will
come out with versions that would follow this standard.

regards,
jeff
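
A simplified model of the failure described in the reply above, added as an example and not part of the original thread: the AH integrity value and the TCP checksum carried inside an ESP transport-mode payload are both computed over the sender's private address, so the NAT's rewrite of the source address makes both checks fail at the receiver. The key, addresses and payload are constructed, and no real encryption or packet format is used.

```python
import hashlib, hmac, ipaddress, struct

KEY = b"constructed-lab-key"  # constructed sample key
# Constructed addresses: host behind NAT, NAT's public side, remote peer
PRIVATE, PUBLIC, PEER = "192.168.1.10", "203.0.113.5", "198.51.100.20"

def packed(ip):
    return ipaddress.IPv4Address(ip).packed

def inet_checksum(data):
    """RFC 1071 ones' complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src, dst, segment):
    """Checksum over the TCP pseudo-header (addresses, protocol 6, length) plus segment."""
    pseudo = packed(src) + packed(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return inet_checksum(pseudo + segment)

def ah_icv(src, dst, payload):
    """AH-style ICV: HMAC-SHA1 truncated to 96 bits over both addresses and the payload."""
    return hmac.new(KEY, packed(src) + packed(dst) + payload, hashlib.sha1).digest()[:12]

def send(src, dst, segment):
    """Sender behind the NAT builds the packet using its private address."""
    return {"src": src, "dst": dst, "segment": segment,
            # in ESP transport mode this checksum sits inside the encrypted payload
            "tcp_sum": tcp_checksum(src, dst, segment),
            "icv": ah_icv(src, dst, segment)}

def nat(pkt, public_ip):
    """NAT rewrites only the outer source address; protected fields stay as sent."""
    return {**pkt, "src": public_ip}

def receive(pkt):
    """Receiver verifies against the source address it actually sees on the wire."""
    icv = ah_icv(pkt["src"], pkt["dst"], pkt["segment"])
    return {"ah_ok": hmac.compare_digest(pkt["icv"], icv),
            "tcp_ok": pkt["tcp_sum"] == tcp_checksum(pkt["src"], pkt["dst"], pkt["segment"])}

if __name__ == "__main__":
    pkt = send(PRIVATE, PEER, b"SMB session setup")  # constructed payload
    print("no NAT :", receive(pkt))
    print("via NAT:", receive(nat(pkt, PUBLIC)))
```
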
 
