
Re: IPSEC and NAT



At 05:11 PM 8/18/97 -0400, David Aylesworth wrote:
>Has there been any discussion on using IPSEC in conjunction with Network
>Address Translation devices?  In particular, I'm having problems using Sun's
>SKIP Source Release 1.0 on a host behind an Ascend P-50 that's doing address
>translation.
>
I have done extensive review of address translation and IPsec.  I am
preparing an Internet draft covering 16 different NAT scenarios for network
to network and 4 scenarios with 3 road warrior variants for single system to
network NAT.  All of these only address a single IPsec tunnel.  I have YET
to tackle multiple tunnels in this format, which I believe will be VERY
important.  One thing at a time...

A number of people have seen my scenarios and I have not gotten any
negatives on them.  As Steve mentioned, the translation occurs before the
packets enter the tunnel or after they emerge.  I have learned that many
IPsec vendors cannot 'couple' their IPsec and NAT functions together.  I
suspect that this will change quickly.  This is one of the important items
I want to see tested at the upcoming AIAG sponsored IPsec workshop, as NAT
is a real world reality (from a co-author of RFC 1918).




Robert Moskowitz
Chrysler Corporation
(810) 758-8212

