
Forums before death by AOL, social media and spammers... "We can't have nice things"

   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,349 messages   


   Message 1,350 of 2,349   
   Steve Hatch to T. Sean Weintz   
   Re: cannot use Nortel vpn with ADSL rout   
   17 Nov 04 08:22:07   
   
   XPost: comp.security.firewalls   
   From: steve@vpn-guru.com   
      
   T. Sean Weintz wrote:   
   > . wrote:   
   >   
   >> Hi,   
   >>   
   >> I have a static IP/ADSL line and use a Zyxel Prestige 643 router as   
   >> the modem/router+firewall. The router has NAT enabled and serves as   
   >> the DHCP server for my local LAN.   
   >   
   >   
   > Can't use Nortel VPN thru NAT. Period. End of story.   
      
   Not true.  Linksys (and many others) does it very well.  They use   
   IPC-NAT.  It maps the session ID found in the header of the packet and   
   maps it to the internal address.  This is how it can receive IKE data   
   for several workstations on a single UDP port.   
      
   The initial IKE negotiation packet comes from the client with a source   
   and destination of UDP port 500.  If the Nortel sees that the source   
   port has not been changed or NAT'ed it normally will not try to   
   encapsulate in UDP.  If the source port is some other port, the Nortel   
   assumes the device is not "IPSec aware" and will start the UDP   
   encapsulation process.  You are correct in thinking this is where you   
   are breaking.   
      
   The Fix:   
   Set up a one-to-one NAT.  This will allow normal communications without   
   modifying ports.   
      
   Steve H.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
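Added example, not part of Steve's post or any vendor's code: a small Python model of the two NAT behaviours and the gateway heuristic the reply describes, run for two inner workstations sharing one public address. It assumes the "session ID" the post refers to is the 8-byte ISAKMP initiator cookie; the addresses, cookies and the PAT port range are constructed.

```python
import struct
from collections import namedtuple
IKE_PORT = 500
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port payload")  # payload = ISAKMP msg
CLIENTS = [("192.168.1.10", b"\x01" * 8), ("192.168.1.11", b"\x02" * 8)]  # constructed inner hosts

def ike_header(init_cookie: bytes) -> bytes:
    """Minimal IKEv1 first message: cookies, next payload SA(1), version 1.0, exchange 2, flags, id, len."""
    return init_cookie + bytes(8) + struct.pack("!BBBBII", 1, 0x10, 2, 0, 0, 28)

def initiator_cookie(payload: bytes) -> bytes:
    if len(payload) < 28:
        raise ValueError("truncated ISAKMP header")
    return payload[:8]  # first 8 bytes of the ISAKMP header (assumed to be the post's "session ID")

class PortRewritingNat:
    """Ordinary PAT: each inner session gets a fresh public source port."""
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}
    def outbound(self, p: Packet) -> Packet:
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (p.src_ip, p.src_port)
        return p._replace(src_ip=self.public_ip, src_port=port)
    def inbound(self, p: Packet) -> Packet:
        ip, port = self.table[p.dst_port]            # demux by the translated port
        return p._replace(dst_ip=ip, dst_port=port)

class IkeAwareNat:
    """Keeps UDP/500 intact; demuxes replies by the ISAKMP initiator cookie."""
    def __init__(self, public_ip: str):
        self.public_ip, self.table = public_ip, {}
    def outbound(self, p: Packet) -> Packet:
        self.table[initiator_cookie(p.payload)] = (p.src_ip, p.src_port)
        return p._replace(src_ip=self.public_ip)     # source port 500 preserved
    def inbound(self, p: Packet) -> Packet:
        ip, port = self.table[initiator_cookie(p.payload)]
        return p._replace(dst_ip=ip, dst_port=port)

def gateway_wants_udp_encap(p: Packet) -> bool:
    """The post's heuristic: a source port other than 500 means a non-IPsec-aware NAT rewrote it."""
    return p.src_port != IKE_PORT

def gateway_reply(p: Packet) -> Packet:
    """Responder echoes the initiator cookie back to the address and port it observed."""
    return Packet(p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.payload)

def run(nat, clients=CLIENTS) -> tuple:
    """One IKE initial packet per inner client through `nat`; returns encapsulation decisions and delivery."""
    encap, delivered = [], []
    for ip, cookie in clients:
        out = nat.outbound(Packet(ip, IKE_PORT, "203.0.113.9", IKE_PORT, ike_header(cookie)))
        encap.append(gateway_wants_udp_encap(out))
        delivered.append(nat.inbound(gateway_reply(out)).dst_ip)
    return encap, delivered
```

With the port-rewriting NAT both clients trigger UDP encapsulation; with the IKE-aware NAT (or a one-to-one NAT, which likewise leaves port 500 alone) neither does, and replies still reach the right inner host.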



(c) 1994,  bbs@darkrealms.ca