Tip

Use transparent tunneling

Many organizations deploy a VPN to allow remote users access to the organizations internal network. Most commonly, IPSec is used, which famously has problems with Network Address Translation. This is a substantial problem, as a substantial number of these remote users are now on broadband connections, using SOHO NAT devices, like the cable modem routers by Linksys, SMC and others.

Fortunately, during the past year, most of these manufacturers have released code that supports a feature called "IPSec pass-through" which, as you might have guessed, manages not to mangle the IPSec tunnel as it passes through NAT (actually, usually Port Address Translation, which is really the problem, as GRE and ESP use Protocols 47 and 50 respectively, which don't use ports like TCP and UDP. This understandably greatly confuses Port Address Translation.)

Another feature widely available now is called "transparent tunneling" which is typically configured on the VPN client and concentrator. This feature takes all of the GRE tunnel, and possibly your IKE exchanges on UDP 500, and tunnels them through a TCP or UDP port of your choice. Turning this on is generally a good idea, if it isn't on by default. But the question now is should you use UDP or TCP to tunnel your tunnels?

The answer to that depends on another firewall - the one at your head-end. Does it allow UDP? UDP is of course stateless and some stateful firewalls block this traffic because they can't keep track

    Requires Free Membership to View

of the connections. UDP is somewhat faster, but it is also less secure, because packets can be easily spoofed. These spoofed packets can't do much damage, as your data is still tunneled inside the encrypted IPSec tunnel, but theoretically less safe. Generally, if you watch your network closely with firewalls, intrusion detection and so on, the connection-oriented TCP will be a better choice.

Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.


This was first published in July 2002

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.