Re: IPSEC and NAT
At 05:11 PM 8/18/97 -0400, David Aylesworth wrote:
>Has there been any discussion on using IPSEC in conjunction with Network
>Address Translation devices? In particular, I'm having problems using Sun's
>SKIP Source Release 1.0 on a host behind an Ascend P-50 that's doing address
>translation.
>
I have done extensive review of address translation and IPsec. I am
preparing an Internet draft covering 16 different NAT scenarios for network
to network and 4 scenarios with 3 road warrior variants for single system to
network NAT. All of these only address a single IPsec tunnel. I have YET
to tackle multiple tunnels in this format, which I believe will be VERY
important. One thing at a time...
A number of people have seen my scenarios and I have not gotten any
negatives on them. As Steve mentioned, the translation occurs before the
packets enter the tunnel or after they emerge. I have learned that many
IPsec vendors cannot 'couple' their IPsec and NAT functions together. I
suspect that this will change quickly. This is one of the important items
I want to see tested at the upcoming AIAG sponsored IPsec workshop, as NAT
is a real world reality (from a co-author of RFC 1918).
Robert Moskowitz
Chrysler Corporation
(810) 758-8212