
Re: (NAT) Interactions between IPSEC and NAT



On Wed, 4 Feb 1998, Dan Nessett wrote:

> 
> This seems to lead to a model where IPSEC tunnels are used from the end
> system to the NAT box, then from the NAT box to the remote system (or to
> the remote NAT box, which tunnels to the remote system). These are IPSEC
> tunnels not PPTP or L2TP tunnels. This imposes a pretty ugly trust model.
> 

> Anyone thought about this so that they can provide us with a nice clean
> answer :-) ?
> 
> Dan
> 

Dan,

When you have a NAT at the edge of your network the best you can do is to
have an IPSEC tunnel between the NAT and the gateway or the NAT of another
network. This would secure communications between the two networks.

If host-to-host IPSEC is required then you can do IPSEC from the
host to the NAT, which as you say does not look very good (unless you
absolutely trust the NAT).

The only other solution that I am aware of is to do 'NAT bypass' as
described in draft-tsirtsis-nat-bypass-00.txt. The limitation of this
proposal is that it requires a relatively large network behind the NAT in
order to make sense.

Regards

George
-----------------------------
Internet Transport Research |
BTLABS                      |
--------------------------------------------------------------------------
Notice: This contribution is the personal view of the author and does not
necessarily reflect the technical nor commercial direction of British
Telecommunications plc.
--------------------------------------------------------------------------
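The reason the host-to-NAT / NAT-to-gateway split is the best one can do with end-to-end authentication is that an address rewrite invalidates an integrity check computed over the IP header. The following is an added illustration, not code from this thread: a simplified model of IPsec AH transport mode (HMAC-SHA1-96 over the IP header with the mutable fields zeroed, the AH header itself omitted for brevity) using constructed RFC 5737 documentation addresses, showing that a NAT in the path breaks a host-to-host ICV while a tunnel that starts at the NAT survives the translation.

```python
import hmac, hashlib, struct, ipaddress

def ipv4_header(src, dst, ttl=64, proto=51, ident=0x1234, total_len=60):
    # 20-byte IPv4 header without options; the header checksum is left at zero
    # because AH treats it as mutable anyway.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ah_icv(key, ip_hdr, payload):
    # AH covers the IP header with the mutable fields zeroed: TOS, flags/fragment
    # offset, TTL and checksum.  Source and destination addresses are immutable
    # and therefore authenticated; any rewrite of them changes the ICV.
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return hmac.new(key, bytes(h) + payload, hashlib.sha1).digest()[:12]  # SHA1-96

def nat_rewrite(ip_hdr, new_src):
    # What a basic NAT does to an outbound packet: replace the private source.
    h = bytearray(ip_hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)

def host_to_host_through_nat(key, payload):
    # Inside host authenticates end to end, NAT rewrites the source on the way
    # out, remote host recomputes the ICV over what it actually received.
    inner = ipv4_header("10.0.0.5", "192.0.2.10")
    icv = ah_icv(key, inner, payload)
    outer = nat_rewrite(inner, "198.51.100.1")
    return hmac.compare_digest(icv, ah_icv(key, outer, payload))  # False: NAT broke it

def nat_to_gateway_tunnel(key, payload):
    # NAT translates first, then encapsulates in a new outer header and
    # authenticates that.  Only TTL changes in transit, and AH ignores TTL.
    translated = nat_rewrite(ipv4_header("10.0.0.5", "192.0.2.10"), "198.51.100.1")
    outer = ipv4_header("198.51.100.1", "192.0.2.1", proto=51)
    icv = ah_icv(key, outer, translated + payload)
    arrived = bytearray(outer)
    arrived[8] -= 1          # one router hop on the public path
    return hmac.compare_digest(icv, ah_icv(key, bytes(arrived), translated + payload))  # True
```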
