Tuesday, January 25, 2011

Possible to IPSec VPN Tunnel Public IP Addresses?

A customer uses an IBM SAS product over the internet. Traffic flows from the IBM hosting data center to the customer network through Juniper VPN appliances. IBM says they're not tunneling private IP addresses. IBM says they're tunneling public IP addresses. Is this possible? What does this look like in the VPN configuration and in the packets? I'd like to know what the source/destination ip/ports would look like in the encrypted tunneled IPSec Payload and in the IP packet carrying the IPSec Payload.

IPSec Payload: source 1.1.1.101:1001, destination 2.2.2.101:2001
IP Packet: source 1.1.1.1:101, destination 2.2.2.1:201

Is it possible to send public IP addresses through an IPSec VPN tunnel? Is it possible for IBM to send a print job from a server on their network using the static-nat public address over a VPN to a printer at a customer network using the printer's static-nat public address? Or can a VPN not do this? Can a VPN only work with interesting traffic from and to private IP addresses?

  • Of course it's possible. Technically speaking, there's nothing different about public IP addresses versus RFC1918 addresses other than the fact that RFC1918 addresses have been reserved for private use.

    In your IPsec config, you can match and tunnel public addresses just like you can RFC1918 addresses.

    From ErikA
  • Yes, we tunnel from our corporate network to public IP range in the datacenter. This way, we can allow all traffic from the corp vlans to the datacenter, while restricting flow from the outside to our data centers.

    IBM may not allow tunneling to your private network, since the latter may conflict with their internal networks. For example, the printer you want to connect is in the 10.10.10.0/24, a corp vlan. If the SAS product is in some vlan, say 172.31.0.0/24, which is managed by IBM networking team, they are not going to tunnel the traffic from 172.31.0.0/24 to 10.10.10.0/24, even though such an IPSec tunnel is possible. If they create such a tunnel, they will have problems in the future to make use of their own 10.10.10.0/24 VLAN.

    The best option for you is this:

    1. Create a tunnel between IBM and public IP range of your company.
    2. Create a NAT and/or PAT between publicIP:port and printerIP:port

    From RainDoctor
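    The two answers above say the same thing from two angles: the IPsec policy match is just a CIDR check (ErikA), and the printer is reached by NATing it to a public address first, then letting that public address be the tunneled one (RainDoctor's steps 2 and 1). The following model of the customer-side gateway is an added example, not configuration from the original thread or from either vendor; the gateway addresses, the 198.51.100.0/24 and 203.0.113.0/24 ranges and the printer addresses are constructed placeholders.

```python
"""Customer gateway model: static NAT the printer to a public address, then let the
IPsec traffic selectors match public ranges on both sides (ESP tunnel mode).
All addresses below are constructed TEST-NET / RFC1918 examples, not real ones."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

# Assumed policy values for the customer gateway.
LOCAL_GW, REMOTE_GW = "198.51.100.1", "203.0.113.1"       # outer (tunnel) endpoints
LOCAL_TS = ipaddress.ip_network("198.51.100.0/24")        # customer public range
REMOTE_TS = ipaddress.ip_network("203.0.113.0/24")        # IBM public range
PRINTER_PUBLIC, PRINTER_PRIVATE, PRINT_PORT = "198.51.100.5", "10.10.10.20", 9100

def interesting(pkt: Packet) -> bool:
    """Selector match is a CIDR check; public vs RFC1918 makes no difference."""
    return (ipaddress.ip_address(pkt.src) in LOCAL_TS
            and ipaddress.ip_address(pkt.dst) in REMOTE_TS)

def outbound(pkt: Packet) -> Optional[dict]:
    """Printer -> IBM: static NAT first, then encapsulate if the selector matches.
    Returns the outer gateway pair plus the inner (tunneled) packet, or None."""
    if pkt.src == PRINTER_PRIVATE:                       # step 2: SNAT to public
        pkt = replace(pkt, src=PRINTER_PUBLIC)
    if not interesting(pkt):
        return None                                      # not tunneled by this policy
    return {"outer": (LOCAL_GW, REMOTE_GW), "inner": pkt}   # step 1: ESP tunnel mode

def inbound(outer_src: str, outer_dst: str, inner: Packet) -> Optional[Packet]:
    """IBM -> printer: check outer endpoints and inner selectors, then DNAT
    publicIP:port to the printer's private address (RainDoctor's step 2)."""
    if (outer_src, outer_dst) != (REMOTE_GW, LOCAL_GW):
        return None
    if not (ipaddress.ip_address(inner.src) in REMOTE_TS
            and ipaddress.ip_address(inner.dst) in LOCAL_TS):
        return None                                      # fails the proxy-ID check
    if (inner.dst, inner.dport) == (PRINTER_PUBLIC, PRINT_PORT):
        return replace(inner, dst=PRINTER_PRIVATE)
    return inner

if __name__ == "__main__":
    print(outbound(Packet("10.10.10.20", "203.0.113.10", 40000, 443)))
    print(inbound("203.0.113.1", "198.51.100.1",
                  Packet("203.0.113.10", "198.51.100.5", 50000, 9100)))
```

    The inner packet carries the public endpoints (the printer's static-NAT address on one side, the IBM server's public address on the other); only the outer header uses the two gateway addresses.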
  • Is it possible to NAT a private IP address (inside) to a public IP address (outside) and then send the public IP through an IPSec tunnel?

    From karwan
