
Re: NAT and IPSEC INCOMPATIBLE???





>>> Makoto Kubota <kubota@flab.fujitsu.co.jp> 06/09/99 05:57PM >>>
> > Looking at rfc1631 (NAT) and rfc2401 (IPSEC Overview) I have not yet
> > discovered a reason for conflict in using the two protocols together.  Just
> > trying to understand if it is possible.....or if IPSEC and NAT are just
> > not made to function together.  Specifics of the reason this will or won't
> > work would be VERY much appreciated.
> 
> Yep, NAT breaks IPSEC.
> 
> NAT breaks any protocol which protects IP addresses from modification.
> AH's checksum includes these header fields, so that's one thing which
> breaks.

>>>Can I have an additional question about this?

>>>So, if we do NAT before IPSEC, can I use NAT & IPSec together?
>>>For example,
>>>  Home Office ---[NAT]---[IPSec]--->Internet...
>>>  Home Office <--[NAT]<--[IPSec]<---Internet...

>>> Thanks in advance.

Yes, NAT breaks IPSec if NAT is between the tunnel (IPSec) points.
But NAT can be behind the IPSec.

umesh


Umesh Muniyappa
Engineer, Border Services Engineering
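
The point made in this thread, as an added example that is not part of the original messages: a simplified Python model of an AH-style integrity check, showing that it survives a TTL change but not a NAT address rewrite between the IPsec endpoints, and that NAT applied before IPsec is harmless. The key, addresses and packet bytes are constructed, HMAC-SHA1-96 is assumed as the authenticator, and the AH header itself is folded into an opaque byte string.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed sample key shared by both IPsec endpoints

def ipv4_header(src, dst, payload_len, ttl=64, proto=51):
    """Build a 20-byte IPv4 header (protocol 51 = AH); checksum left as 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(ip_header, rest):
    """ICV over the IP header with its mutable fields zeroed, plus the rest."""
    h = bytearray(ip_header)
    h[1] = 0                  # TOS: mutable in transit, excluded
    h[6:8] = b"\x00\x00"      # flags + fragment offset: excluded
    h[8] = 0                  # TTL: excluded
    h[10:12] = b"\x00\x00"    # header checksum: excluded
    # Source and destination addresses (bytes 12..19) stay in the MAC input.
    return hmac.new(KEY, bytes(h) + rest, hashlib.sha1).digest()[:12]

def verify(ip_header, rest, icv):
    return hmac.compare_digest(ah_icv(ip_header, rest), icv)

def route_hop(ip_header):
    """An ordinary router: decrements TTL only."""
    h = bytearray(ip_header)
    h[8] -= 1
    return bytes(h)

def nat_rewrite_src(ip_header, new_src):
    """A NAT box: replaces the source address."""
    h = bytearray(ip_header)
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)

def scenarios():
    rest = b"constructed AH header (ICV zeroed) + payload"
    private = ipv4_header("10.0.0.5", "198.51.100.7", len(rest))
    icv = ah_icv(private, rest)                       # sender protects private source
    ttl_only = verify(route_hop(private), rest, icv)  # routing alone
    natted = nat_rewrite_src(route_hop(private), "203.0.113.9")
    nat_between = verify(natted, rest, icv)           # NAT between the IPsec points
    public = nat_rewrite_src(private, "203.0.113.9")  # NAT first, then IPsec
    nat_before = verify(route_hop(public), rest, ah_icv(public, rest))
    return {"ttl_only": ttl_only, "nat_between": nat_between, "nat_before": nat_before}

if __name__ == "__main__":
    print(scenarios())
```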