
Re: NAT and IPSEC INCOMPATIBLE???



> Looking at rfc1631 (NAT) and rfc2401 (IPSEC Overview) I have not yet
> discovered a reason for conflict in using the two protocols together.  Just
> trying to understand if it is possible... or if IPSEC and NAT are just
> not made to function together.  Specifics of the reason this will or won't
> work would be VERY much appreciated.

Yep, NAT breaks IPSEC.

NAT breaks any protocol which protects IP addresses from modification.
AH's checksum includes these header fields, so that's one thing which
breaks.

NAT also needs to tweak transport-layer checksums (since the source
and destination addresses are included in the UDP and TCP checksums),
and those checksums are themselves included in the AH or ESP
integrity check, and may also be encrypted by ESP as well.

					- Bill
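As an added illustration (not part of Bill's reply or of any IPsec implementation), the following Python model shows both failures he names: the UDP checksum is computed over a pseudo-header that carries the IP addresses, and a simplified AH-style integrity check (HMAC-SHA1-96 over the immutable IPv4 fields) covers the addresses as well, so a NAT rewrite invalidates both. The addresses, ports, key and packet contents are constructed sample values, and the AH header itself is omitted for brevity.

```python
import hashlib
import hmac
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def udp_checksum(src_ip: str, dst_ip: str, udp: bytes) -> int:
    """UDP checksum: computed over a pseudo-header carrying both IP addresses."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, len(udp))
    return inet_checksum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])  # checksum field zeroed

def build_packet(src_ip: str, dst_ip: str, payload: bytes):
    """Minimal IPv4 header + UDP segment (constructed sample; IP header checksum left 0)."""
    udp = struct.pack("!HHHH", 4000, 500, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip, udp

def ah_icv(key: bytes, ip: bytes, udp: bytes) -> bytes:
    """Simplified AH integrity check value (HMAC-SHA1-96 as in RFC 2404): mutable IPv4
    fields (TOS, flags/fragment offset, TTL, header checksum) are zeroed, but the source
    and destination addresses are covered. The AH header itself is omitted here."""
    immutable = (ip[:1] + b"\x00" + ip[2:6] + b"\x00\x00" + b"\x00" + ip[9:10]
                 + b"\x00\x00" + ip[12:20])
    return hmac.new(key, immutable + udp, hashlib.sha1).digest()[:12]

def nat_vs_ipsec(key: bytes = b"constructed-demo-key") -> dict:
    """A private host sends a packet; a NAT rewrites its source address on the way out."""
    src, nat_src, dst = "10.0.0.5", "203.0.113.1", "192.0.2.10"   # constructed addresses
    ip, udp = build_packet(src, dst, b"hello")
    icv = ah_icv(key, ip, udp)                      # computed by the sender, before NAT
    nat_ip = ip[:12] + socket.inet_aton(nat_src) + ip[16:]
    stored = struct.unpack("!H", udp[6:8])[0]
    fixed_udp = udp[:6] + struct.pack("!H", udp_checksum(nat_src, dst, udp)) + udp[8:]
    return {
        "udp_valid_before_nat": udp_checksum(src, dst, udp) == stored,
        "udp_valid_after_nat": udp_checksum(nat_src, dst, udp) == stored,          # NAT must patch it
        "ah_valid_after_nat": hmac.compare_digest(ah_icv(key, nat_ip, udp), icv),    # address changed
        "ah_valid_after_nat_fixed_udp": hmac.compare_digest(ah_icv(key, nat_ip, fixed_udp), icv),
    }
```

With ESP the transport checksum sits inside the encrypted payload, so the NAT cannot even apply the `fixed_udp` repair shown here.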

