CBC (Cipher Block Chaining) is encrypted but not authenticated, whereas GCM (Galois/Counter Mode) is encrypted and authenticated, and Cipher Block Chaining-Message Authentication Code (CCM) mode is an authenticated encryption algorithm designed to provide both authentication and confidentiality during data transfer.
NAT-T is a procedure which is able to recognize if there is a router using NAT on its connection all the way along the IPsec tunnel you established. So the needed packets are going to be encapsulated and UDP is going to be used. That's it in a very short form. It's a payload encapsulation overall.
Thanks for that. That's not how the Palo Alto support tech explained it. But he also said he has seen situations where NAT traversal just "doesn't work." Um... okay. God bless!
Both CBC and GCM are pretty secure however GCM also provides authentication which removes the need for an HMAC SHA hashing function. It is slightly faster compared to CBC because it can take advantage of hardware acceleration. If the hardware at both sides of the tunnel can support it and can make use of hardware-based acceleration then definitely use GCM for best performance.
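An added example (my own code, not from any commenter or from Palo Alto) to show concretely what the "encrypted but not authenticated" distinction in the two comments above means. It encrypts the same message three ways with Go's standard library: CBC alone, CBC with a separate HMAC-SHA256 (the encrypt-then-MAC pairing that GCM makes unnecessary), and GCM. It then changes one bit of each ciphertext, as corruption or modification in transit would, and decrypts. The key, MAC key and message are constructed for the demo; the function names are mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// pkcs7Pad pads to whole AES blocks; CBC can only process full blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad only catches a malformed last block; it is not an integrity check.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || bytes.Count(b[len(b)-n:], []byte{byte(n)}) != n {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt returns iv || ciphertext. Nothing in the output lets the receiver
// notice a modified ciphertext: this is the "encrypted but not authenticated" case.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	padded := pkcs7Pad(plaintext)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { return nil, err }
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

func cbcDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	return pkcs7Unpad(pt)
}

// cbcHmacEncrypt adds HMAC-SHA256 over iv||ciphertext (encrypt-then-MAC):
// the separate hashing step that GCM removes the need for.
func cbcHmacEncrypt(encKey, macKey, plaintext []byte) ([]byte, error) {
	ct, err := cbcEncrypt(encKey, plaintext)
	if err != nil { return nil, err }
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return mac.Sum(ct), nil
}

func cbcHmacDecrypt(encKey, macKey, data []byte) ([]byte, error) {
	if len(data) < sha256.Size { return nil, errors.New("too short") }
	ct, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time compare, checked before decrypting
		return nil, errors.New("HMAC mismatch: ciphertext was modified")
	}
	return cbcDecrypt(encKey, ct)
}

// gcmEncrypt returns nonce || ciphertext || tag; the tag is the built-in authentication.
func gcmEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func gcmDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(data) < aead.NonceSize() { return nil, errors.New("too short") }
	// Open verifies the tag and releases no plaintext if it does not match.
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}

// flipBit returns a copy of data with one bit changed at offset i.
func flipBit(data []byte, i int) []byte {
	out := append([]byte(nil), data...)
	out[i] ^= 0x01
	return out
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef")    // constructed AES-256 key
	macKey := []byte("constructed-hmac-key-for-demo---") // constructed HMAC key
	msg := []byte("tunnel payload: route 10.0.0.0/8 via peer A")

	c, _ := cbcEncrypt(key, msg)
	p, err := cbcDecrypt(key, flipBit(c, aes.BlockSize)) // first byte of the first ciphertext block
	fmt.Printf("CBC alone: err=%v, plaintext intact=%v\n", err, bytes.Equal(p, msg))
	h, _ := cbcHmacEncrypt(key, macKey, msg)
	_, err = cbcHmacDecrypt(key, macKey, flipBit(h, aes.BlockSize))
	fmt.Printf("CBC+HMAC:  err=%v\n", err)
	g, _ := gcmEncrypt(key, msg)
	_, err = gcmDecrypt(key, flipBit(g, 12)) // first byte after the 12-byte nonce
	fmt.Printf("GCM:       err=%v\n", err)
}
```

The point the run makes: CBC alone returns no error and hands back a plaintext that is silently wrong, so anything built on it needs its own integrity check; CBC+HMAC and GCM both refuse the modified data before any plaintext is released. GCM gets that property from one pass with one key, which is also where its hardware-acceleration speed advantage over CBC plus a separate SHA pass comes from.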
I think the route interface shows up after you commit. It doesn’t exist yet. Commit, then it exists and you can use it in the route tables and commit again. We do this for many tunnels to vendors: PA-3220s, PA-1420s and PA-460s. We also do this for site-to-site VPN over the internet and use OSPF with a higher cost. If the metro Ethernet is down, it fails over in a second to the cable modem VPN tunnel. BFD and OSPF make it magic… poor man's SD-WAN without paying for all the licenses!
Fun, I used to do some of this. That employer was big on selling SonicWall. I never really understood it. Fortunately that wasn't why I was hired. Instead I primarily did onsite VoIP servers (back in the day) and switching (Adtran/Cisco). Luv'd L3/L2 switching and routing. Pretty cool watching you, thanks! Now I just rack/stack & iDRAC monster EMC servers. I'm just a gorilla with some config on occasion.
Seems like at my last two jobs, they had just decommissioned a SonicWall just before I hired in. So for years I've "almost had" SonicWall experience. LoL! God bless!
Isn't NAT traversal the ability to VPN from private IPs over the public internet? Like work-from-home folks have to do when their home IP is a 192 address? And I can relate to that mental block on a specific subject. I can learn everything around it, but that one topic just puts me to sleep. Subnetting is a good example. I can do it, but I can't sit through a class that teaches it.
As I now understand it, NAT-T just encapsulates the entire packet so that the address information in the source address and data payload will match end to end. In the case of the data passing through an intermediate router that also does NAT, this can cause the source address and the source address in the message payload to not match, causing the data to be dropped. It's still confusing as all get out. I'm just pressing the "I believe" button for now. God bless!
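An added example (my own code, not from any commenter or from Palo Alto) for the NAT-T encapsulation the earlier "NAT-T is a procedure which..." comment and the comment just above describe. The wire format is the one in RFC 3948: once NAT is detected, ESP and IKE both travel inside UDP datagrams on port 4500, so a NAT box only ever rewrites the outer IP/UDP header, which the ESP integrity check does not cover. Three things can arrive in such a datagram, and the code builds each one and classifies it the way a receiver or a monitoring tool on the tunnel path would. The SPI, sequence number and body bytes are constructed; the type and function names are mine.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// UDP/4500 payload types (RFC 3948):
//   ESP:        ESP header (SPI, sequence number) followed by the rest of the ESP packet
//   IKE:        4 zero bytes (the "Non-ESP marker") followed by the IKE message
//   keepalive:  a single 0xFF byte, sent so the NAT mapping does not time out
// SPI 0 is reserved and never assigned to an ESP SA, so the zero marker cannot
// be confused with a real ESP header.

type Kind int

const (
	KindUnknown Kind = iota
	KindESP
	KindIKE
	KindKeepalive
)

func (k Kind) String() string {
	return [...]string{"unknown", "esp", "ike", "nat-keepalive"}[k]
}

type Packet struct {
	Kind Kind
	SPI  uint32 // ESP only
	Seq  uint32 // ESP only
	Body []byte // ESP: bytes after the 8-byte header; IKE: the IKE message
}

var nonESPMarker = []byte{0, 0, 0, 0}

// EncapESP builds the UDP payload for an ESP packet. The ESP header is
// unchanged from the non-NAT-T case; the only addition is the UDP header,
// which the socket layer supplies and which NAT is free to rewrite.
func EncapESP(spi, seq uint32, rest []byte) []byte {
	out := make([]byte, 8, 8+len(rest))
	binary.BigEndian.PutUint32(out[0:4], spi)
	binary.BigEndian.PutUint32(out[4:8], seq)
	return append(out, rest...)
}

// EncapIKE prefixes an IKE message with the Non-ESP marker used on port 4500.
func EncapIKE(ike []byte) []byte {
	return append(append([]byte(nil), nonESPMarker...), ike...)
}

// Keepalive is the one-byte datagram that keeps the NAT binding alive.
func Keepalive() []byte { return []byte{0xFF} }

// Classify tells the three payload types apart; anything else is a runt.
func Classify(payload []byte) (Packet, error) {
	switch {
	case len(payload) == 1 && payload[0] == 0xFF:
		return Packet{Kind: KindKeepalive}, nil
	case len(payload) > 4 && bytes.Equal(payload[:4], nonESPMarker):
		return Packet{Kind: KindIKE, Body: payload[4:]}, nil
	case len(payload) >= 8:
		return Packet{
			Kind: KindESP,
			SPI:  binary.BigEndian.Uint32(payload[0:4]),
			Seq:  binary.BigEndian.Uint32(payload[4:8]),
			Body: payload[8:],
		}, nil
	default:
		return Packet{}, errors.New("runt UDP/4500 payload")
	}
}

func main() {
	// Constructed sample datagrams; the bodies stand in for real ESP/IKE bytes.
	samples := [][]byte{
		EncapESP(0xC0FFEE01, 42, []byte("iv+encrypted-payload+trailer+icv")),
		EncapIKE([]byte("ike-header-and-payloads")),
		Keepalive(),
		{0, 0, 0},
	}
	for _, s := range samples {
		p, err := Classify(s)
		if err != nil {
			fmt.Printf("%-14s %v\n", "error:", err)
			continue
		}
		fmt.Printf("%-14s spi=0x%08x seq=%d body=%d bytes\n", p.Kind, p.SPI, p.Seq, len(p.Body))
	}
}
```

The classifier is the receiving side of what the comments call "payload encapsulation": because the ESP packet is carried whole inside UDP, the endpoint still verifies the same ESP header and integrity value it would have without NAT, while the addresses and ports that NAT changed live only in the outer headers the check never covered.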
I had to learn GlobalProtect on the fly as well. Funny enough, I left that job 3 months ago, and where I'm at now it's not my job to touch the firewall. Can't if I wanted to.