
Re: NAT and IPSEC INCOMPATIBLE???



> 
> > Looking at rfc1631 (NAT) and rfc2401 (IPSEC Overview) I have not yet
> > discovered a reason for conflict in using the two protocols together.  Just
> > trying to understand if it is possible.....or if a IPSEC and NAT are just
> > not made to function together.  Specifics of the reason this will or won't
> > work would be VERY much appreciated.
> 
> Yep, NAT breaks IPSEC.
> 
> NAT breaks any protocol which protects IP addresses from modification.
> AH's checksum includes these header fields, so that's one thing which
> breaks.
> 
> NAT also needs to tweak transport-layer checksums (since the source
> and destination addresses are included in the UDP and TCP checksums).
> Those checksums are themselves included in the AH or ESP
> integrity check, and may also be encrypted by ESP as well.
> 
> 					- Bill
> 

It is true that end-to-end IPsec will not work with NAT en route for most 
applications in practice. I suggest reading 
<draft-ietf-nat-terminology-03.txt> for a discussion on end-to-end IPsec 
vis-a-vis NAT.

However, NAT and IPsec can coexist to provide tunnel mode security. 
<draft-ietf-nat-security-01.txt> discusses how this combination can work.

cheers,
suresh
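As an added illustration of Bill's two points (not code from this thread or from any IPsec implementation): a small Python model of an AH-style ICV over the IPv4 header's immutable fields and of the TCP pseudo-header checksum, both of which a NAT's source-address rewrite invalidates. The key, addresses and SYN segment are constructed for the demo, and the ICV follows the RFC 2402 mutable-field rules only in outline.

```python
import hashlib, hmac, struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when data already carries a valid one."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (protocol TCP) with its header checksum filled in."""
    a = lambda s: bytes(map(int, s.split(".")))
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, a(src), a(dst)))
    hdr[10:12] = struct.pack("!H", inet_checksum(bytes(hdr)))
    return bytes(hdr)

def tcp_checksum(ip_hdr: bytes, tcp: bytes) -> int:
    """TCP checksum covers a pseudo-header built from the IP source/destination addresses."""
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return inet_checksum(pseudo + tcp)

def ah_icv(ip_hdr: bytes, payload: bytes, key: bytes = b"constructed-demo-key") -> bytes:
    """AH-style ICV: mutable header fields zeroed, addresses and payload covered (RFC 2402)."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"  # TOS, flags/frag, TTL, checksum
    return hmac.new(key, bytes(h) + payload, hashlib.sha256).digest()[:12]

def nat_rewrite_source(ip_hdr: bytes, new_src: str) -> bytes:
    """What a NAT does to the header: new source address, IP header checksum recomputed."""
    h = bytearray(ip_hdr)
    h[12:16] = bytes(map(int, new_src.split(".")))
    h[10:12] = b"\0\0"; h[10:12] = struct.pack("!H", inet_checksum(bytes(h)))
    return bytes(h)

def run_scenario() -> dict:
    """Host 10.0.0.5 sends an AH-protected TCP SYN; a NAT rewrites the source to 198.51.100.1.
    The TCP checksum would need rewriting too, which NAT cannot do under AH or inside ESP."""
    inner = ipv4_header("10.0.0.5", "203.0.113.7")
    syn = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
    syn = syn[:16] + struct.pack("!H", tcp_checksum(inner, syn)) + syn[18:]
    icv = ah_icv(inner, syn)                      # sender's ICV over addresses + segment
    natted = nat_rewrite_source(inner, "198.51.100.1")
    return {
        "ah_ok_before_nat": hmac.compare_digest(icv, ah_icv(inner, syn)),
        "ah_ok_after_nat": hmac.compare_digest(icv, ah_icv(natted, syn)),
        "tcp_csum_ok_before_nat": tcp_checksum(inner, syn) == 0,
        "tcp_csum_ok_after_nat": tcp_checksum(natted, syn) == 0,
    }
```

The receiver's AH check fails after the rewrite, and the untouched TCP checksum no longer verifies against the new pseudo-header, which is exactly the field a NAT must patch and cannot reach once it is authenticated or encrypted.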

