VPN implementation pitfalls on home and business routers

Although IPSec and IKE have been around for a long time and are considered mature protocols by the Internet community, low-level issues can still be found in certain designs. An implementation that represents internal keying material as shorter than expected can cause interoperability problems with other implementations. Developers who used draft versions of the IKE NAT traversal specification may have code that causes IKE tunnels to never initiate. Read more...

What NAT ALGs does CDRouter test?

CDRouter includes test cases for the following NAT ALGs:

- FTP
- DNS
- ICMP
- H.323 (outbound and inbound)
- MSN Messenger
- RTSP
- SIP
- IPSEC (IKE and IPSEC ESP)
- PPTP

CDRouter also runs several applications through the device under test that do not require a full NAT ALG. These include:

- HTTP
- HTTPS
- SMTP
- POP3
- TFTP

What is IPSEC SPI Tracking?

SPI tracking is a technique some vendors use to support IPSEC pass through when several IPSEC streams share one NAT router. The router inspects the SPI in each ESP header to tell one IPSEC stream from another. It is not perfect, since SPI conflicts can still occur and the router cannot rewrite the SPI, but it does work most of the time.
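The following is an added example, not CDRouter code or any vendor's implementation: a simplified model of SPI tracking on a NAT router. It parses the SPI out of constructed IPv4/ESP packets, learns which inside host an inbound SPI belongs to by pairing it with the host that most recently opened a new outbound SA to that peer, and counts the ambiguous case the text describes (two inside hosts rekeying with the same peer at once, where the router cannot tell whose inbound SPI it is and cannot rewrite it). Addresses, SPIs and the learning rule are assumptions chosen for illustration.

```python
"""Simplified model of IPsec ESP pass-through with SPI tracking (added example, not CDRouter code)."""
import ipaddress
import struct

IPPROTO_ESP = 50


def build_ipv4_esp(src: str, dst: str, spi: int, seq: int, payload: bytes = b"\x00" * 16) -> bytes:
    """Construct a minimal IPv4 packet carrying an ESP header (RFC 4303: SPI, sequence number).
    The IP checksum is left at zero; this is sample data, not a packet to be sent."""
    total_len = 20 + 8 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, IPPROTO_ESP, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + struct.pack("!II", spi, seq) + payload


def parse_esp(packet: bytes):
    """Return (src, dst, spi, seq) for an IPv4/ESP packet, or None if it is not IPv4 ESP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ESP or len(packet) < ihl + 8:
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return src, dst, spi, seq


class SpiTracker:
    """Assumed learning rule: an unknown inbound SPI from a peer is attributed to the single inside
    host that has a new outbound SA to that peer and no inbound SPI learned yet. With two such hosts
    the mapping is ambiguous (an SPI conflict) and the packet is dropped."""

    def __init__(self):
        self.inbound_map = {}   # (peer, inbound SPI) -> inside host
        self.outbound_sa = set()  # (inside host, peer, outbound SPI) already seen
        self.pending = {}       # peer -> inside hosts waiting for their inbound SPI
        self.conflicts = 0

    def outbound(self, packet: bytes):
        """LAN -> WAN. Returns the peer address, or None for non-ESP traffic."""
        parsed = parse_esp(packet)
        if parsed is None:
            return None
        inside, peer, spi, _ = parsed
        if (inside, peer, spi) not in self.outbound_sa:   # a new SA (initial setup or rekey)
            self.outbound_sa.add((inside, peer, spi))
            waiting = self.pending.setdefault(peer, [])
            if inside not in waiting:
                waiting.append(inside)
        return peer

    def inbound(self, packet: bytes):
        """WAN -> LAN. Returns the inside host to forward to, or None to drop."""
        parsed = parse_esp(packet)
        if parsed is None:
            return None
        peer, _, spi, _ = parsed
        key = (peer, spi)
        if key in self.inbound_map:
            return self.inbound_map[key]
        waiting = self.pending.get(peer, [])
        if len(waiting) == 1:           # unambiguous: learn the inbound SPI for that host
            inside = waiting.pop()
            self.inbound_map[key] = inside
            return inside
        if len(waiting) > 1:            # SPI conflict: router cannot tell the hosts apart
            self.conflicts += 1
        return None


def demo():
    """Two LAN hosts talk to one peer; returns (forwarding decisions, conflict count)."""
    peer, wan = "203.0.113.5", "198.51.100.1"   # constructed addresses
    t = SpiTracker()
    decisions = []
    t.outbound(build_ipv4_esp("192.168.1.10", peer, 0x1001, 1))
    decisions.append(t.inbound(build_ipv4_esp(peer, wan, 0x2001, 1)))   # learned -> .10
    t.outbound(build_ipv4_esp("192.168.1.11", peer, 0x1002, 1))
    decisions.append(t.inbound(build_ipv4_esp(peer, wan, 0x2002, 1)))   # learned -> .11
    decisions.append(t.inbound(build_ipv4_esp(peer, wan, 0x2001, 2)))   # cached  -> .10
    t.outbound(build_ipv4_esp("192.168.1.10", peer, 0x1003, 1))         # both hosts rekey
    t.outbound(build_ipv4_esp("192.168.1.11", peer, 0x1004, 1))
    decisions.append(t.inbound(build_ipv4_esp(peer, wan, 0x2003, 1)))   # ambiguous -> dropped
    return decisions, t.conflicts


if __name__ == "__main__":
    print(demo())
```

The last inbound packet is the failure mode the text refers to: both hosts have fresh outbound SAs to the same peer, so the router has no basis to pick one, and since it cannot rewrite the SPI it cannot disambiguate the way a port-based NAT would.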

IPSEC pass through testing

IPSEC pass through is a technique for allowing IPSEC packets to traverse a NAT router. By itself, IPSEC does not work when it travels through NAT. Newer IKE and IPSEC implementations support NAT-Traversal (NAT-T), which detects the NAT and switches to UDP encapsulation for IPSEC ESP packets. However, many router vendors have developed a “pass through” technique that allows IPSEC packets to cross the NAT without NAT-T support. Read more...