
Re: IPSEC and NAT



> 
> 	 Has there been any discussion on using IPSEC in conjunction
> 	 with Network Address Translation devices?  In particular, I'm
> 	 having problems using Sun's SKIP Source Release 1.0 on a host
> 	 behind an Ascend P-50 that's doing address translation.
> 
> 	 Any suggestions would be appreciated.
> 
> The subject came up at the NAT BoF at the Munich IETF meeting last week.
> Basically, you can't do IPSEC through a NAT box.  You have to terminate
> the security association at the NAT box, and -- if you want -- create
> a new security association from the box to the end system.
> 
> The point is simple:  IPSEC guards against tampering with the packet,
> and NAT boxes by definition tinker with at least the addresses.
> 

Couldn't one tunnel through a NAT?


-- 
 ___________________________________________________________________
|                                                                   |
|Howard Weiss                        phone (410) 381-9400 x201      |
|SPARTA, Inc.                              (301) 621-8145 x201 (DC) |
|9861 Broken Land Parkway, suite 300 fax:  (410) 381-5559           |
|Columbia, MD 21046                  email: hsw@columbia.sparta.com |
|___________________________________________________________________|
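
Added example, not part of the original message or of any IPsec implementation: a simplified Python model of the point quoted above, an AH-style integrity check that covers the packet addresses and therefore fails once a NAT box rewrites the source address. HMAC-SHA256, the dict packet layout, the key and the addresses are assumptions for illustration, not the AH wire format.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample values (documentation address ranges, made-up key).
SA_KEY = b"constructed-shared-sa-key"
INSIDE_SRC = "192.0.2.10"      # host behind the NAT box
NAT_PUBLIC = "198.51.100.1"    # address the NAT box substitutes
PEER_DST = "203.0.113.5"       # remote IPsec peer


def icv(key, src, dst, spi, seq, payload):
    """AH-style check value: keyed MAC over addresses, SPI, sequence number, payload."""
    covered = (
        ipaddress.IPv4Address(src).packed
        + ipaddress.IPv4Address(dst).packed
        + struct.pack("!II", spi, seq)
        + payload
    )
    return hmac.new(key, covered, hashlib.sha256).digest()


def protect(key, src, dst, spi, seq, payload):
    """Sender side: build a packet (modelled as a dict) carrying its ICV."""
    return {"src": src, "dst": dst, "spi": spi, "seq": seq,
            "payload": payload, "icv": icv(key, src, dst, spi, seq, payload)}


def nat_rewrite(packet, public_src):
    """NAT box: replace the source address and leave everything else untouched."""
    return dict(packet, src=public_src)


def verify(key, packet):
    """Receiver side: recompute the ICV from the packet as it arrived."""
    expected = icv(key, packet["src"], packet["dst"], packet["spi"],
                   packet["seq"], packet["payload"])
    return hmac.compare_digest(expected, packet["icv"])


def demo():
    """Return (verifies without NAT, verifies after NAT rewrote the source)."""
    sent = protect(SA_KEY, INSIDE_SRC, PEER_DST, 0x1001, 1, b"hello")
    return verify(SA_KEY, sent), verify(SA_KEY, nat_rewrite(sent, NAT_PUBLIC))


if __name__ == "__main__":
    print(demo())
```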

