
Re: [FW1] Cable Modems




You need to allow the Internet Key Exchange (IKE), which uses ISAKMP/Oakley,
through to do the IPSec Phase 1 negotiation.  This runs on UDP/500 on both ends.

You can use NAT, as long as you do not use IPSEC AH (Authenticated Header), but only
use IPSEC ESP (Encapsulating Security Payload).  ESP Authenticates
most of the outer IP Header, just not the Client IP address portion.

Also the Cable modem must use a NAT mechanism for IKE which does not change
UDP port 500 to something else.   You can do NAT for the IPSec ESP part, but
ESP is its own protocol number and does not have ports (like TCP and UDP do),
so the device you are going through has to either understand the IPSec protocols or
be flexible enough to accommodate them.

Call the vendor tech support for the product in question, or your service provider
if they are providing your equipment.

Bob Brandt, 3M, bbbrandt@mmm.com


Steven Roach wrote:

> If a cable modem is using NAT, is there a way around it for SecuRemote, I
> heard if you configure to ISAKMP/OAKLEY that it will work, anyone know if
> this is true?
>
> -Steve
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
>



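Added example, not part of the original thread: a small Python check that labels raw IPv4 packets captured on the outside of a NAT device according to the points in the reply above (IKE on UDP/500 at both ends, ESP and AH as port-less IP protocols). The function names, labels and sample packets are constructed for illustration; 50 and 51 are the IANA protocol numbers for ESP and AH.

```python
import socket
import struct
from collections import Counter

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51  # IANA protocol numbers
IKE_PORT = 500

def build_ipv4(proto, payload=b"", src="192.0.2.10", dst="198.51.100.1"):
    """Build a constructed IPv4 packet (checksum left at 0, analysis only)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def udp(sport, dport, data=b""):
    # Constructed UDP header: ports, length, zero checksum.
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(packet):
    """Label one raw IPv4 packet by its role in the VPN exchange."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # header length, options included
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    if proto in (IPPROTO_ESP, IPPROTO_AH):
        return "esp" if proto == IPPROTO_ESP else "ah"
    if proto != IPPROTO_UDP:
        return "other"
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset or len(packet) < ihl + 8:
        return "other"                    # no complete UDP header to read
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if IKE_PORT not in (sport, dport):
        return "other"
    # IKE expects port 500 on both ends; one side differing means NAT rewrote it.
    return "ike" if sport == dport == IKE_PORT else "ike-port-rewritten"

def summarize(packets):
    return Counter(classify(p) for p in packets)

SAMPLE = [  # constructed packets, not a real capture
    build_ipv4(IPPROTO_UDP, udp(500, 500)),      # IKE left intact
    build_ipv4(IPPROTO_UDP, udp(61001, 500)),    # source port rewritten by NAT
    build_ipv4(IPPROTO_ESP, b"\x00" * 16),       # ESP, no ports to translate
    build_ipv4(IPPROTO_AH, b"\x00" * 16),        # AH
    build_ipv4(IPPROTO_UDP, udp(40000, 53)),     # unrelated DNS query
]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Seeing `ike-port-rewritten` or `ah` in the counts matches the two conditions the reply says will not work through the NAT device.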