Re: Re[2]: IPSEC and NAT
> Once the packet is received by the target host, it would assume that
> it needs to set up an SA with the NAT instead of with a host with a
> private address (which has been changed by the NAT). Since the NAT was
> not the initiator of the ISAKMP exchange there is a lot of confusion.
> One REALLY STUPID way of doing it is to share the private/public keys
> between the host and the NAT (I DO NOT RECOMMEND YOU TO DO THIS AT
> HOME). An alternative is for the NAT to run in tunnel mode on behalf
> of the initiator (but this assumes that the initiator trusts the NAT,
> which it probably does not).
But isn't this the same problem as when a Security Gateway sits in
front of a protected enclave of non-IPSEC-aware hosts? Is the SA
between the end-systems or between the Gateway and an end-system (or
between two Gateways)? This also plays into one of the "IPSecond
useful" items as spelled out by Steve Bellovin last Friday -
dynamic discovery of IPSEC topologies.
The answer may be that an installation using IPSEC should not
use an off-the-shelf NAT box but rather an IPSEC-aware security
gateway (e.g., an IPSEC firewall that also does NAT).
--
Howard Weiss                          phone (410) 381-9400 x201
SPARTA, Inc.                                (301) 621-8145 x201 (DC)
9861 Broken Land Parkway, suite 300   fax:  (410) 381-5559
Columbia, MD 21046                    email: hsw@columbia.sparta.com
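As an added example, not part of the original message and not code from anyone on the list: a toy Python model of what the quoted reply and the follow-up are describing, namely why an off-the-shelf NAT box between the two end systems of a transport-mode SA does not work. It builds an IPv4/TCP packet from a host with a private address, protects it with an AH-style integrity check value, lets a NAT rewrite the source address the way RFC 1631-style NAT does, and re-runs the receiver's check. It then does the same for ESP transport mode, whose ICV does not cover the outer IP header, so the ICV verifies after the NAT, but the TCP checksum inside the ciphertext still embeds the private source address and fails at the peer, and the peer sees the NAT's address, not the real host, as the other end of the SA. The key, addresses, HMAC-SHA256 as the integrity algorithm, and the XOR keystream standing in for ESP's cipher are all constructed assumptions for the illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample values for this example; not taken from the original message.
KEY = b"example-sa-key-not-a-real-key"
PRIVATE_SRC = "10.0.0.5"     # host behind the NAT, the real SA endpoint
NAT_SRC = "192.0.2.1"        # public address the NAT rewrites the source to
DST = "198.51.100.7"         # IPsec peer on the public side


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over 16-bit words; verifying a correct packet yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int) -> bytes:
    """20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto,
                      0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def nat_rewrite_source(hdr: bytes, new_src: str) -> bytes:
    """What an off-the-shelf NAT does on the way out: new source address, new header checksum."""
    hdr = hdr[:10] + b"\x00\x00" + ipaddress.IPv4Address(new_src).packed + hdr[16:]
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def ah_covered_view(hdr: bytes) -> bytes:
    """RFC 2402: AH zeroes the mutable fields (TOS, flags/fragment offset, TTL, header
    checksum) before computing the ICV. The addresses are immutable and stay covered."""
    return (hdr[0:1] + b"\x00" + hdr[2:6] + b"\x00\x00" + b"\x00" + hdr[9:10]
            + b"\x00\x00" + hdr[12:])


def ah_icv(hdr: bytes, payload: bytes) -> bytes:
    return hmac.new(KEY, ah_covered_view(hdr) + payload, hashlib.sha256).digest()


def esp_icv(esp_body: bytes) -> bytes:
    """ESP's ICV covers the ESP header and ciphertext only, never the outer IP header."""
    return hmac.new(KEY, esp_body, hashlib.sha256).digest()


def toy_encrypt(data: bytes) -> bytes:
    """Toy XOR keystream standing in for ESP's cipher (assumption for illustration; real
    ESP uses e.g. AES). It only exists so the NAT cannot read or patch the inner TCP
    checksum. Encrypting twice decrypts."""
    stream = hashlib.sha256(KEY + b"keystream").digest()
    while len(stream) < len(data):
        stream += hashlib.sha256(stream).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """The TCP checksum covers a pseudo-header with both IP addresses; that is the snag."""
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return ones_complement_checksum(pseudo + segment)


def tcp_segment(src: str, dst: str, data: bytes = b"SSH-2.0-example\r\n") -> bytes:
    """Minimal TCP segment (constructed sample data) with its checksum for the given addresses."""
    seg = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + data
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]


def ah_transport_ok(nat_src: str = None) -> bool:
    """Sender computes the AH ICV; optionally a NAT rewrites the source; receiver verifies."""
    seg = tcp_segment(PRIVATE_SRC, DST)
    hdr = ipv4_header(PRIVATE_SRC, DST, len(seg), proto=51)   # 51 = AH
    icv = ah_icv(hdr, seg)
    if nat_src:
        hdr = nat_rewrite_source(hdr, nat_src)
    return hmac.compare_digest(ah_icv(hdr, seg), icv)


def esp_transport_check(nat_src: str = None) -> tuple:
    """Returns (ESP ICV verifies, source address the peer sees, inner TCP checksum verifies)."""
    seg = tcp_segment(PRIVATE_SRC, DST)
    esp_body = struct.pack("!II", 0x1000, 1) + toy_encrypt(seg)   # SPI, seq, ciphertext
    icv = esp_icv(esp_body)
    hdr = ipv4_header(PRIVATE_SRC, DST, len(esp_body) + len(icv), proto=50)   # 50 = ESP
    if nat_src:
        hdr = nat_rewrite_source(hdr, nat_src)   # the NAT can only touch the IP header
    src_seen = str(ipaddress.IPv4Address(hdr[12:16]))
    inner = toy_encrypt(esp_body[8:])
    return (hmac.compare_digest(esp_icv(esp_body), icv),
            src_seen,
            tcp_checksum(src_seen, DST, inner) == 0)


if __name__ == "__main__":
    print("AH transport, no NAT:   ICV ok =", ah_transport_ok())
    print("AH transport, via NAT:  ICV ok =", ah_transport_ok(NAT_SRC))
    print("ESP transport, no NAT: ", esp_transport_check())
    print("ESP transport, via NAT:", esp_transport_check(NAT_SRC))
```

Run stand-alone it prints the four cases. The AH packet fails the peer's ICV check as soon as the NAT touches the source address, because AH deliberately covers the addresses. The ESP packet passes the ICV check, but the peer associates the SA with 192.0.2.1 rather than the real host, and the decrypted TCP segment fails its checksum, which the NAT could not have patched since it was encrypted. The option in the quoted reply of having the NAT run in tunnel mode on behalf of the initiator avoids both problems because the outer header then carries the NAT's own address before any ICV is computed, which is exactly the "IPSEC-aware gateway that also does NAT" the message ends with.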