RRAS + NAT + IPSec Tunnel


I have a Windows Server 2008 R2 box running RRAS, acting as a VPN server and NAT. The server is establishing an IPsec tunnel to a 3rd party.

I've managed to get the IPsec tunnel working, and when I attempt to ping a machine on the other network via the tunnel, the packets are correctly routed onto the tunnel.

The problem is that the 3rd party sees the source of these packets not as the machine on the internal network that sent them, but as the external IP (the tunnel endpoint IP) of the RRAS server. This is preventing replies because decryption is failing.

How do I prevent RRAS from applying NAT to packets moving onto the IPsec tunnel? I want these packets to have the source of the original internal IP they came from, with other traffic (like web sites) appropriately NAT'd.

Hi,

Disable ESP encryption. The Network Monitor parsers for ESP can parse inside the ESP packet if null encryption is being used and the full ESP packet is captured.

Network Monitor cannot parse the encrypted portions of IPsec-secured ESP traffic when encryption is performed in software. However, if encryption is performed by an IPsec hardware offload network adapter, the ESP packets are decrypted when Network Monitor captures them and, as a result, can be parsed and interpreted for upper-layer protocols. If you need to diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPsec policy on both computers.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
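As an added illustration, not code from the original thread or from either poster, the Python script below shows what a capture tool can and cannot recover from ESP. It builds a constructed ESP-NULL tunnel-mode packet (RFC 4303 layout: SPI, sequence number, inner datagram, padding, pad-length/next-header trailer, ICV), parses the inner IPv4 header out of it, and then feeds the same framing with an opaque payload, which is what software-encrypted ESP looks like to Network Monitor, and gets nothing parsable back. The two plaintext samples are constructed: one carries the internal host's source address, the other the same datagram with the source rewritten to the tunnel endpoint address, mirroring the symptom in the question. The 12-byte ICV length is an assumption (HMAC-SHA1-96); the ICV and IP/ICMP checksums are placeholders, not computed, and all addresses are documentation ranges.

```python
import struct
import ipaddress

# Assumed ICV length: HMAC-SHA1-96 yields a 12-byte ICV; other integrity algorithms differ.
ICV_LEN = 12
NEXT_HEADER_IPV4 = 4   # ESP next-header value for a tunnelled IPv4 datagram (tunnel mode)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (checksum left zero: constructed sample)."""
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_esp_null(spi, seq, inner_datagram, next_header=NEXT_HEADER_IPV4):
    """Encapsulate inner_datagram in ESP with NULL encryption.
    Padding brings (payload + pad + 2 trailer bytes) to a 4-byte boundary; pad bytes are 1,2,3,...
    The ICV is a constructed placeholder, not a real HMAC."""
    pad_len = (-(len(inner_datagram) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    trailer = bytes([pad_len, next_header])
    icv = b"\xAA" * ICV_LEN                      # placeholder ICV (constructed)
    return struct.pack("!II", spi, seq) + inner_datagram + padding + trailer + icv


def parse_esp(esp_bytes, icv_len=ICV_LEN):
    """Parse an ESP packet on the assumption that NULL encryption is in use.
    'parsable' is False when the bytes after the ESP header do not form a valid
    IPv4 datagram, which is exactly what an encrypted payload looks like."""
    if len(esp_bytes) < 8 + 2 + icv_len:
        raise ValueError("ESP packet too short")
    spi, seq = struct.unpack("!II", esp_bytes[:8])
    body = esp_bytes[8:len(esp_bytes) - icv_len]     # payload + padding + trailer
    pad_len, next_header = body[-2], body[-1]
    result = {"spi": spi, "seq": seq, "next_header": next_header, "parsable": False}
    if pad_len > len(body) - 2:
        return result                                 # trailer is garbage: not plaintext
    inner = body[:len(body) - 2 - pad_len]
    if next_header != NEXT_HEADER_IPV4 or len(inner) < 20 or inner[0] >> 4 != 4:
        return result
    ihl = (inner[0] & 0x0F) * 4
    total_len = struct.unpack("!H", inner[2:4])[0]
    if ihl < 20 or total_len != len(inner):
        return result
    result.update({
        "parsable": True,
        "inner_proto": inner[9],
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
    })
    return result


def sample_packets():
    """Constructed samples: an ICMP echo from the internal host, the same echo after NAT
    rewrote its source to the tunnel endpoint, and an ESP packet whose payload is opaque."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"     # checksum zero: constructed
    internal = ipv4_header("192.168.1.10", "10.20.0.5", 1, len(icmp)) + icmp
    natted = ipv4_header("203.0.113.5", "10.20.0.5", 1, len(icmp)) + icmp
    good = build_esp_null(0x1000, 1, internal)
    natted_pkt = build_esp_null(0x1000, 2, natted)
    # Simulate software-encrypted ESP: same SPI/seq/ICV framing, deterministic opaque bytes between.
    opaque_len = len(good) - 8 - ICV_LEN
    opaque = bytes((i * 73 + 17) & 0xFF for i in range(opaque_len))
    encrypted = good[:8] + opaque + good[-ICV_LEN:]
    return good, natted_pkt, encrypted


if __name__ == "__main__":
    for label, pkt in zip(("internal source", "NAT'd source", "encrypted"), sample_packets()):
        print(label, parse_esp(pkt))
```

Running the script prints the inner source address for the two ESP-NULL samples (the second one shows the tunnel endpoint address instead of the internal host, which is what the 3rd party reported) and `parsable: False` for the opaque payload. The same decision logic is what a capture-side parser applies: without ESP-NULL or hardware offload, nothing past the SPI and sequence number is interpretable.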

