Re: IPSEC and NAT
Has there been any discussion on using IPSEC in conjunction
with Network Address Translation devices? In particular, I'm
having problems using Sun's SKIP Source Release 1.0 on a host
behind an Ascend P-50 that's doing address translation.
Any suggestions would be appreciated.
The subject came up at the NAT BoF at the Munich IETF meeting last week.
Basically, you can't do IPSEC through a NAT box. You have to terminate
the security association at the NAT box, and -- if you want -- create
a new security association from the box to the end system.
The point is simple: IPSEC guards against tampering with the packet,
and NAT boxes by definition tinker with at least the addresses.
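
The point made in the reply, as an added example that is not part of the original thread: a simplified AH-style integrity check, where the sender computes an HMAC over the IPv4 header (mutable fields zeroed) plus the payload. The key, addresses, helper names and the choice of HMAC-SHA1 truncated to 96 bits are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed key, for illustration only

def build_header(src, dst, ttl=64, payload_len=0):
    """Pack a 20-byte IPv4 header (protocol 51 = AH, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, 51, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icv(header, payload, key=KEY):
    """Integrity value over the header with mutable fields zeroed, plus payload."""
    h = bytearray(header)
    h[1] = 0                 # TOS: may change in transit
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL: decremented at every hop
    h[10:12] = b"\x00\x00"   # header checksum: recomputed at every hop
    # Source and destination addresses are NOT zeroed: they are protected.
    return hmac.new(key, bytes(h) + payload, hashlib.sha1).digest()[:12]

def verify(header, payload, tag, key=KEY):
    return hmac.compare_digest(icv(header, payload, key), tag)

def route(header):
    """Ordinary router hop: decrement TTL (a mutable field)."""
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)

def nat(header, public_src):
    """NAT box: rewrite the source address (a protected field)."""
    h = bytearray(header)
    h[12:16] = socket.inet_aton(public_src)
    return bytes(h)

def demo():
    payload = b"constructed payload"
    hdr = build_header("10.0.0.5", "192.0.2.10", payload_len=len(payload))
    tag = icv(hdr, payload)  # computed by the sender behind the NAT box
    return {
        "untouched": verify(hdr, payload, tag),
        "after_router": verify(route(hdr), payload, tag),
        "after_nat": verify(nat(hdr, "198.51.100.7"), payload, tag),
    }

if __name__ == "__main__":
    print(demo())
```

A plain router hop still verifies because TTL is excluded from the computation, while the NAT rewrite fails verification at the receiver, which has no way to tell it apart from tampering.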