Copyright 2003 Jupitermedia
General VPN help can be found on this page, including a link to a very complete Checkpoint Firewall-1 FAQ page.

This Q and A from Netgear support may also help:

Starting with version 3.20, IPSec is supported for one PC in header passthrough mode.

Q: IPSec works for 1 PC on the LAN. Is this correct?

A: Yes. It supports only one IPsec client. We know NAT replaces the source ports of outgoing packets with random numbers, which lets it forward the incoming responses to the corresponding client that originated the requests. However, the UDP port in the IPsec packet is used for key management and cannot be changed by NAT. Therefore, only one IPsec client is supported in the NAT case.

Q: Any configuration required?

A: 'Default' server set is required for forwarding inbound IPsec ESP tunneling. We have to configure the internal IPsec as a default server (unspecified service port) in menu 15 when it acts as a server gateway.

NOTE: This basically means you have to put the client machine outside the router's firewall. See this page for security precautions. You should also set a static IP address on the IPsec client so that the "default server" setting always points to the correct client.

Q: Does it support any PC on the LAN as long as only one is using IPSec at any one time?

A: Yes. IPSec can only support one client at one time.

Q: It looks like there are two modes of IPSec, one of them we support and one of them we don't. Can you explain? 

A: IPsec has two protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload). AH is mainly used to provide integrity only but not confidentiality, i.e., you can see it, but can't touch it. ESP hides the packet contents from prying eyes by encryption, i.e., the payload looks like garbage if you don't have the key.

IPsec provides two modes of operation, transport mode and tunnel mode. Transport mode is mainly for an IP host to protect the data generated locally, while tunnel mode is for a security gateway (SG) to provide IPsec service for other machines lacking IPsec capability.

However, there is no restriction that the IPsec hosts and the SG must be separate machines. RT311 supports IPsec ESP mode; we do not support IPsec AH mode.

For more information, lots of documentation can be found at:

www.ietf.org/html.charters/ipsec-chart..

IPsec AH: RFC 2402

IPsec ESP: RFC 2406

==== From the SecuRemote 4.1 SP2 readme ====

UDP Encapsulation Mode enables IKE/IPSec SecuRemote users to traverse Network Address Translation devices, firewalls and other devices that fail to handle IPSec packets. It also enables more than one SecuRemote user to work with IPSec behind a port-mapping NAT device, also known as dynamic NAT, (e.g., FireWall-1 Hide NAT mode) with the same VPN-1/SecuRemote/SecureClient gateway. This is achieved by encapsulating IPSec packets inside UDP datagrams. This option is negotiated in IKE. VPN-1/SecuRemote/SecureClient supports this feature only in IPSec ESP mode (AH is not supported).

Two modes of UDP Encapsulation are available:

- Automatic mode in which UDP encapsulation is performed only when the SecuRemote client is behind a dynamic Network Address Translation device configured for Hide mode. In other cases, IPSec packets are transmitted in the standard manner. The server determines how to transmit IPSec packets according to the value of the source port in IKE packets.

- Forced mode in which the client can work only in UDP Encapsulation Mode. Communication is enabled only if the gateway supports UDP encapsulation and always uses UDP Encapsulation Mode. Forced mode should be used if the client is behind devices which drop or damage IPSec packets but do not modify IKE packets.
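
The following is an added example, not code from Netgear, Check Point or the original page. It is a toy model of a port-mapping NAT that shows both points made above: native ESP has no port to demultiplex on, so every inbound ESP packet goes to the single "default server", while UDP encapsulation gives each client its own rewritten port. The HideNat class, the LAN addresses, the port pool and the "source port is no longer 500" rule for automatic mode are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

ESP, UDP = 50, 17      # IP protocol numbers
IKE_PORT = 500         # IKE key management runs over UDP port 500


@dataclass
class HideNat:
    """Toy port-mapping NAT (constructed model, not RT311 firmware)."""
    default_server: Optional[str] = None   # LAN host that gets unmatched inbound traffic
    next_port: int = 40000                 # arbitrary start of the rewritten-port pool
    udp_map: dict = field(default_factory=dict)  # public port -> (LAN ip, LAN port)

    def outbound_udp(self, lan_ip: str, lan_port: int) -> int:
        """Rewrite the source port so replies can be matched to one client."""
        public_port = self.next_port
        self.next_port += 1
        self.udp_map[public_port] = (lan_ip, lan_port)
        return public_port

    def inbound(self, proto: int, dst_port: Optional[int] = None) -> Optional[str]:
        """Return the LAN host an inbound packet is forwarded to (None = dropped)."""
        if proto == UDP and dst_port in self.udp_map:
            return self.udp_map[dst_port][0]
        # ESP has no port field to key on, so it falls through to the default server.
        return self.default_server


def gateway_uses_udp_encap(ike_src_port: int) -> bool:
    """Assumed automatic-mode rule: a rewritten IKE source port implies hide NAT."""
    return ike_src_port != IKE_PORT


def demo() -> dict:
    clients = ("192.168.0.10", "192.168.0.11")     # constructed LAN addresses
    nat = HideNat(default_server=clients[0])
    # Native ESP: replies meant for either client reach the default server only.
    native = [nat.inbound(ESP) for _ in clients]
    # UDP encapsulation: each client's flow leaves with its own public port.
    ports = {ip: nat.outbound_udp(ip, IKE_PORT) for ip in clients}
    encap = {ip: nat.inbound(UDP, port) for ip, port in ports.items()}
    return {"native_esp": native, "ports": ports, "udp_encap": encap,
            "encap_chosen": [gateway_uses_udp_encap(p) for p in ports.values()],
            "encap_for_unnatted": gateway_uses_udp_encap(IKE_PORT)}


if __name__ == "__main__":
    print(demo())
```

In the native ESP case the second client never receives its replies, which is the one-client limit described in the Netgear answers; with encapsulation each reply is matched by port.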








