
Can a Pipeline 85 be configured to pass an "esp" packet?


PLAU1 (Technical User, US), Oct 10, 2002
Is there a way to pass an inbound "esp" packet through an Ascend Pipeline 85 firewall? I read in one of the recent threads that there was no "esp bypass" feature on SCM, but I was wondering if there was some trick I could do to fool the Pipeline into passing the packet. I'm trying to set up a VPN from a desktop (on a network connected to the Local side of the Pipeline) to a remote location and as such, the Pipeline needs to be a transparent party to the transaction. If I enable the IPsec rule, then the firewall rejects the packet because it fails to match the Pipeline's SPI number (which is non-existent since the Pipeline didn't establish the tunnel). I tried setting all of the encryption fields to "none" in the VPN Configuration window of SCM, but that didn't seem to do the trick. Am I at a dead end here? Any help or comments would be appreciated.
Thanks!
 
The pipeline is running NAT. It also uses a Dynamic IP on the WAN connection.
 
I believe NAT is your issue. The Pipeline does not have an IPSec pass-through with NAT. Even though your firewall may be configured to allow IPSec protocols, you will not get past NAT. The reason is because NAT by nature blocks all incoming traffic from reaching your private network. Although you can forward TCP/UDP ports to local hosts, IPSec uses GRE packets which cannot be forwarded with standard port forwarding.
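To make the two failure paths in this thread concrete, here is an added Python example (not from the thread, and not Ascend/Lucent code) that parses constructed IPv4 packets and applies a simplified inbound NAT decision: TCP/UDP can be matched against a port-forward table, while ESP (IP protocol 50) carries only an SPI, so the only thing a box can do with it is compare the SPI against its own SA table, which is exactly the mismatch the original poster saw in the log. The port-forward table, the SPI value and the addresses are constructed sample values.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50  # ESP is IP protocol 50

def build_ipv4(proto, payload, src="203.0.113.5", dst="198.51.100.9"):
    """Minimal IPv4 header (no options, checksum left zero) + payload; constructed input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def build_udp(sport, dport):
    """UDP header with zero checksum and no data, e.g. IKE on 500/udp."""
    return build_ipv4(IPPROTO_UDP, struct.pack("!HHHH", sport, dport, 8, 0))

def build_esp(spi, seq=1):
    """ESP header: SPI and sequence number only; the rest would be ciphertext."""
    return build_ipv4(IPPROTO_ESP, struct.pack("!II", spi, seq) + b"\x00" * 16)

def parse(packet):
    """Return (proto, fields): ports for TCP/UDP, SPI/seq for ESP, nothing otherwise."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    l4 = packet[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
        return proto, {"sport": sport, "dport": dport}
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", l4[:8])
        return proto, {"spi": spi, "seq": seq}
    return proto, {}

def nat_inbound_decision(packet, port_forwards, local_spis):
    """Inbound decision of a port-forwarding NAT that also terminates its own IPsec.

    port_forwards: {(proto, dst_port): inside_host}; local_spis: SPIs of SAs this box set up.
    """
    proto, fields = parse(packet)
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        target = port_forwards.get((proto, fields["dport"]))
        return ("forward", target) if target else ("drop", "no port-forward entry")
    if proto == IPPROTO_ESP:
        # No ports to map: the only key available is the SPI, and a tunnel negotiated
        # by an inside host is never in this box's SA table, so the packet is dropped.
        if fields["spi"] in local_spis:
            return ("decrypt-locally", fields["spi"])
        return ("drop", "SPI %#010x not in local SA table" % fields["spi"])
    return ("drop", "no L4 header to map")
```

Running IKE (500/udp) through `nat_inbound_decision` with a matching forward entry succeeds, while the ESP packet for the same tunnel is dropped on the SPI check regardless of any port-forward rules.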
 
That makes sense - but it's odd that when the Pipeline is in debug mode, the packet rejection is only seen when the IPsecdblog is active. The error message in this log clearly indicates that the packet is being rejected because the SPI doesn't match. With that type of error, it doesn't seem like NAT would be causing the problem. I wish Lucent would add a bypass feature.
 