IPSec Tunnel through NAT Router - Network


Thread: IPSec Tunnel through NAT Router

  1. IPSec Tunnel through NAT Router

    Hi,

    I am trying to set up an IPSec Tunnel.

    ClientA -> NAT_Router -> Internet -> DLink_DFL_200 -> Windows Server

    What I want to do is set up an IPSec Tunnel from ClientA to DLink_DFL_200.

    ClientA is in Subnet 192.168.178.0
    Windows Server is in Subnet 192.168.1.0
    NAT_Router has a dynamic external IP.
    DLink_DFL_200 has a static external IP (let's say: 217.2.12.13)

    Is there any documentation about this? My first question is:
    Do I have to add a route to network 192.168.1.0 on ClientA or is it enough
    that the IPSec Tunnel is specified and applied?

    cu
    Bjoern



  2. Re: IPSec Tunnel through NAT Router

    "Bjoern Wolfgardt" wrote in message
    news:%23ptKs4TDGHA.2320@TK2MSFTNGP12.phx.gbl...
    > Hi,
    >
    > I am trying to set up an IPSec Tunnel.
    >
    > ClientA -> NAT_Router -> Internet -> DLink_DFL_200 -> Windows Server
    >
    > What I want to do is set up an IPSec Tunnel from ClientA to DLink_DFL_200.


    Set up a VPN from the NAT_ROUTER<->DLINK, route the
    ClientA traffic to the Windows server through that tunnel so
    that it never gets translated.

    If the security is sufficient that is all, but if you must you can
    now use IPSec through the tunnel since it never gets translated
    (and thus never modifies the headers/checksum portions.)

    > ClientA is in Subnet 192.168.178.0
    > Windows Server is in Subnet 192.168.1.0
    > NAT_Router has a dynamic external IP.
    > DLink_DFL_200 has a static external IP (let's say: 217.2.12.13)
    >
    > Is there any documentation about this? My first question is:
    > Do I have to add a route to network 192.168.1.0 on ClientA or is it enough
    > that the IPSec Tunnel is specified and applied?


    You must be able to route -- it is not entirely clear what routes
    you would need to add to make that work (from what you have
    given.)

    You CAN make the VPN with the NAT dynamic address work
    (in general) but it may be tricky.

    Easiest will be if you can get the dynamic side (NAT) to always
    make the connection to the STATIC side but there are ways to
    make it work even with two dynamic addresses.

    Still, you must be able to set up the VPN (or the tunnel) so routing
    has to work.


    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]
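
Why translation breaks client-to-gateway IPsec, and why the router-to-router tunnel suggested in the reply above avoids it, as an added example that is not part of the thread. The AH calculation is simplified, and the host addresses, the NAT router's public address, the key and the payload are constructed; 217.2.12.13 is the example address given in the question.

```python
import hashlib, hmac, socket, struct

# Constructed sample values: hosts inside the thread's subnets, a documentation
# address for the NAT router's public side, and an illustrative key and payload.
CLIENT_A, SERVER, NAT_PUBLIC, DLINK = "192.168.178.20", "192.168.1.10", "203.0.113.7", "217.2.12.13"
KEY, PAYLOAD = b"constructed-demo-key", b"constructed payload"

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header; header checksum left at zero for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def nat_rewrite(header, new_src):
    """Source NAT: replace the source address of the outermost IP header."""
    return header[:12] + socket.inet_aton(new_src) + header[16:]

def ah_icv(header, payload):
    """Simplified AH: HMAC-SHA1-96 over header (mutable fields zeroed) + payload."""
    h = bytearray(header)
    h[1] = h[8] = 0                                # TOS and TTL are mutable
    h[6:8] = h[10:12] = b"\x00\x00"                # flags/offset and checksum too
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha1).digest()[:12]

def tcp_checksum(src, dst, segment):
    """Internet checksum over pseudo-header (src, dst, proto, length) + segment."""
    data = socket.inet_aton(src) + socket.inet_aton(dst)
    data += struct.pack("!BBH", 0, 6, len(segment)) + segment
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ah_survives_nat():
    sent = ipv4_header(CLIENT_A, DLINK, 51, len(PAYLOAD))
    icv = ah_icv(sent, PAYLOAD)                    # computed by ClientA
    seen = nat_rewrite(sent, NAT_PUBLIC)           # header after NAT_Router
    return hmac.compare_digest(icv, ah_icv(seen, PAYLOAD))

def transport_checksum_survives_nat():
    segment = b"\x00" * 20 + PAYLOAD               # placeholder TCP header + data
    return tcp_checksum(CLIENT_A, DLINK, segment) == tcp_checksum(NAT_PUBLIC, DLINK, segment)

def inner_ah_survives_router_tunnel():
    inner = ipv4_header(CLIENT_A, SERVER, 51, len(PAYLOAD))
    icv = ah_icv(inner, PAYLOAD)
    outer = ipv4_header(NAT_PUBLIC, DLINK, 50, 20 + len(PAYLOAD))  # router's own address
    packet = outer + inner + PAYLOAD               # inner packet rides untranslated
    return hmac.compare_digest(icv, ah_icv(packet[20:40], PAYLOAD))
```

In ESP transport mode the TCP checksum travels encrypted, so the NAT router cannot recompute it the way it does for plain TCP.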



  3. Re: IPSec Tunnel through NAT Router


    Hi Herb,

    thank you for your answer. I already managed this. The Tunnel is working and
    I now have a better understanding of IPSec (with MS). It is really hard to
    configure a tunnel with on board tools provided by MS.
    But if you understand it, it is nearly logical ;-)

    thank you again
    Bjoern



  4. Re: IPSec Tunnel through NAT Router

    > Hi Herb,
    >
    > thank you for your answer. I already managed this. The Tunnel is working
    > and I now have a better understanding of IPSec (with MS). It is really hard
    > to configure a tunnel with on board tools provided by MS.
    > But if you understand it, it is nearly logical ;-)
    >


    Glad you succeeded.

    Yes, ultimately everything in TCP/IP must be logical.
    (The computer can figure it out.)

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]
