Firewall making the use of Adaptive AP + VPN (IPSec) very limited per site?



Hi

I guess it is normally possible to have multiple Adaptive AP7131s on a site using IPSec back to the centralized RFS switch?

The partner claims that if you have a firewall on every remote site and are using the Adaptive AP7131 to tunnel back to an RFS, there is a limitation in the IPSec protocol when going through a firewall: it only allows one IP per site. This would mean the RFS can only manage one AAP per site.
The partner mentioned something about firewall setup with NAT/PAT problems... and the nature of the IPSec protocol standard using GRE... etc.

I'm not sure whether he is right about this.

Is this true?

At the end of the day they need encrypted management of the AAPs from the RFS, which is only possible using a VPN/IPSec solution, as far as I know.

Is there a better solution than doing this?

regards
Kjell

Submitted by VXD736 on May 04, 2019

Thanks Kevin, I will ask the partner to verify if the firewall supports NAT-T.

Mark, in your solution, does the customer use any kind of NAT in the firewall?

regards

Kjell

Submitted by USER07646 on May 04, 2019

Our devices support NAT-T (http://en.wikipedia.org/wiki/NAT-T), so this should not be a problem. You might want the partner to talk to the firewall vendor to see what changes they need to make to support NAT-T, and see if that works. The alternative would be to terminate the IPSec tunnel directly on the firewall. Regards, Kevin
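Kevin's point about NAT-T, shown as an added example (this is not code from the thread or from the RFS/AAP products; the packets, the addresses and the PAT port allocation scheme are all constructed for illustration): RFC 3948 NAT traversal carries ESP inside UDP/4500, which gives a PAT firewall a port to rewrite for each inner AP, whereas raw ESP (IP protocol 50) has no port field at all, which is what makes "one IPsec peer per public IP" a real limit on a simple NAT device. The script classifies the packet shapes involved (raw ESP, IKE on UDP/500, IKE and ESP on UDP/4500) and pushes two APs through a toy PAT model.

```python
"""Why plain ESP is hard to pass through a PAT firewall and how NAT-T avoids it.
Constructed example for this thread, not RFS/AAP vendor code. Packets are
hand-built byte strings (not captures) and the PAT port allocation is a toy.
"""
import struct

IPPROTO_UDP, IPPROTO_ESP = 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500          # RFC 3948: ESP carried in UDP/4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"      # RFC 3948 2.2: IKE on 4500 starts with 4 zero bytes
PUBLIC_IP, RFS_IP = "198.51.100.1", "203.0.113.10"   # constructed addresses

def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def build_ipv4(proto, src, dst, payload):
    # Minimal IPv4 header: no options, checksum left zero (enough for parsing).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ip_bytes(src), ip_bytes(dst)) + payload

def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def esp_payload(spi, seq=1):
    # ESP header (SPI, sequence number) followed by dummy ciphertext.
    return struct.pack("!II", spi, seq) + b"\x00" * 16

def classify_ipsec(packet):
    """Label an IPv4 packet: ESP, IKE, NAT-T IKE, NAT-T ESP, or not IPsec."""
    if len(packet) < 20:
        return "too short"
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    body = packet[ihl:]
    if proto == IPPROTO_ESP:
        if len(body) < 4:
            return "ESP (IP proto 50), truncated"
        return "ESP (IP proto 50), SPI=0x%08x" % struct.unpack("!I", body[:4])[0]
    if proto != IPPROTO_UDP or len(body) < 8:
        return "not IPsec"
    sport, dport = struct.unpack("!HH", body[:4])
    data = body[8:]
    if IKE_PORT in (sport, dport):
        return "IKE (UDP/500)"
    if NAT_T_PORT in (sport, dport):
        if data[:4] == NON_ESP_MARKER:
            return "IKE (UDP/4500, NAT-T non-ESP marker)"
        if len(data) >= 4:
            return "UDP-encapsulated ESP (NAT-T), SPI=0x%08x" % struct.unpack("!I", data[:4])[0]
        return "UDP/4500, truncated"
    return "not IPsec"

def pat_translate(packet, public_ip, table):
    """Toy PAT ("overload") firewall rewriting one outbound packet.

    UDP: source becomes public_ip plus an outer port chosen per (inner ip, port),
    so many inner hosts share one public address. Raw ESP has no port field to
    rewrite, so this model returns None: peers can only be told apart by address,
    which is the one-tunnel-per-site limit the thread is about.
    """
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    if proto != IPPROTO_UDP:
        return None
    body = packet[ihl:]
    key = (src, struct.unpack("!H", body[:2])[0])
    if key not in table:
        table[key] = 40000 + len(table)       # hypothetical allocation scheme
    return build_ipv4(proto, public_ip, dst, struct.pack("!H", table[key]) + body[2:])

def outer_source_port(packet):
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!H", packet[ihl:ihl + 2])[0]

def demo():
    """Two APs behind one PAT firewall, sending raw ESP and NAT-T ESP to the RFS."""
    table, out = {}, {}
    for i, ap in enumerate(("10.1.1.11", "10.1.1.12")):
        raw = build_ipv4(IPPROTO_ESP, ap, RFS_IP, esp_payload(0x1000 + i))
        natt = build_ipv4(IPPROTO_UDP, ap, RFS_IP,
                          build_udp(NAT_T_PORT, NAT_T_PORT, esp_payload(0x2000 + i)))
        out[ap] = {
            "raw": classify_ipsec(raw),
            "raw_pat": pat_translate(raw, PUBLIC_IP, table),        # None: no port to rewrite
            "natt": classify_ipsec(natt),
            "natt_outer_port": outer_source_port(pat_translate(natt, PUBLIC_IP, table)),
        }
    return out

if __name__ == "__main__":
    for ap, result in demo().items():
        print(ap, result)
```

Run as a script and the two NAT-T packets leave the toy firewall with distinct outer source ports, while the raw ESP packets cannot be translated at all. Some firewalls do pass several raw ESP peers by tracking SPIs ("IPsec passthrough"), so the practical check is whether the site firewall either does that or, as suggested above, passes UDP/500 and UDP/4500 so NAT-T can be used.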

Submitted by CWH386 on May 04, 2019

Hi Kjell, I have two Adaptive AP5131s running per store (five stores) doing IPSEC back to the RFS7000. The stores have a layer two 48-port switch along with a Juniper firewall and a Cisco router. We don't have any AP7131s deployed so I can't speak to that piece. Hope this helps. Cheers, Mark