06-30-2001
NAT Breaks IPSEC (VPNs)
NAT (Network Address Translation) is not compatible with most VPN technologies. If the VPN is IPSEC-based this is certainly the case. Cryptographic systems that use IPSEC (or similar technology) ensure the integrity of the IP packet by running a cryptographic checksum (kinda) algorithm against the packet. If the packet has changed, it will be dropped.
NAT changes the IP address in the header. This is a violation of the integrity checking mechanism of IPSEC. This is a big problem with NAT. You should consider turning off NAT if you want a clean, not kludgy VPN solution.
If you are not sure of this reply, please post the details of what cryptographic protocols are being used in the VPN tunnel. I can help you if you provide the details on how the tunnel is operating.
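As an added illustration of the integrity point made in the reply above (example code, not part of the original post): a simplified AH-style integrity check value over an IPv4 header, with the fields RFC 4302 treats as mutable zeroed out. The key, addresses and payload are constructed placeholders; a router hop that decrements TTL still verifies, while a NAT rewrite of the source address does not.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

# Constructed demo key and addresses; placeholders, not from the original post.
KEY = b"constructed-integrity-key"

def build_ipv4_header(src, dst, ttl=64):
    """Minimal IPv4 header with protocol 51 (AH); header checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 80, 0x1234, 0x4000, ttl, 51, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def ah_covered_view(header):
    """Zero the fields RFC 4302 treats as mutable (TOS, flags+fragment offset,
    TTL, header checksum). Source/destination addresses are covered as-is."""
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_icv(header, payload, key=KEY):
    """Integrity check value: truncated HMAC over covered header plus payload."""
    return hmac.new(key, ah_covered_view(header) + payload, hashlib.sha256).digest()[:12]

def ah_verify(header, payload, icv, key=KEY):
    return hmac.compare_digest(ah_icv(header, payload, key), icv)

def hop_decrement_ttl(header):
    """A router hop touches only a mutable field, so the ICV still verifies."""
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)

def nat_rewrite_source(header, new_src):
    """NAT rewrites the source address, an immutable field: the ICV fails."""
    h = bytearray(header)
    h[12:16] = IPv4Address(new_src).packed
    return bytes(h)

def demo():
    """Returns (original ok, after router hop ok, after NAT ok)."""
    payload = b"constructed AH payload"
    hdr = build_ipv4_header("10.0.0.5", "192.0.2.10")
    icv = ah_icv(hdr, payload)
    return (ah_verify(hdr, payload, icv),
            ah_verify(hop_decrement_ttl(hdr), payload, icv),
            ah_verify(nat_rewrite_source(hdr, "203.0.113.1"), payload, icv))
```

The same reasoning is why ESP in tunnel mode survives NAT better: its integrity check covers only the inner packet, not the outer header the NAT rewrites.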
IPNAT(8) System Manager's Manual IPNAT(8)
NAME
ipnat - user interface to the NAT subsystem
SYNOPSIS
ipnat [ -dhlnrsvCF ] [ -M core ] [ -N system ] -f <filename>
DESCRIPTION
ipnat opens the filename given (treating "-" as stdin) and parses the file for a set of rules which are to be added or removed from the IP NAT.
Each rule processed by ipnat is added to the kernel's internal lists if there are no parsing problems. Rules are added to the end of the internal lists, matching the order in which they appear when given to ipnat.
Note that ipf(8) must be enabled (with ipf -E) before NAT is configured, as the same kernel facilities are used for NAT functionality. In addition, packet forwarding must be enabled. These details may be handled automatically when ipnat is run by rc at normal system startup. See options(4), sysctl(8), and rc.conf(5) for more information.
OPTIONS
-C Delete all entries in the current NAT rule listing (NAT rules).
-d Enable printing of some extra debugging information.
-F Delete all active entries in the current NAT translation table (currently active NAT mappings).
-h Print number of hits for each MAP/Redirect filter.
-l Show the list of current NAT table entry mappings.
-n This flag (no-change) prevents ipf from actually making any ioctl calls or doing anything which would alter the currently running kernel.
-r Remove matching NAT rules rather than add them to the internal lists.
-s Retrieve and display NAT statistics.
-v Turn verbose mode on. Displays information relating to rule processing and active rules/table entries.
FILES
/dev/ipnat
/usr/share/examples/ipf Directory with examples.
DIAGNOSTICS
ioctl(SIOCGNATS): Input/output error Ensure that the necessary kernel functionality is present and ipf enabled with ipf -E.
SEE ALSO
ipnat(5), rc.conf(5), ipf(8), ipfstat(8)