[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: NAT and IPSEC INCOMPATIBLE???
>
> > Looking at rfc1631 (NAT) and rfc2401 (IPSEC Overview) I have not yet
> > discovered a reason for conflict in using the two protocols together. Just
> > trying to understand if it is possible.....or if a IPSEC and NAT are just
> > not made to function together. Specifics of the reason this will or won't
> > work would be VERY much appreciated.
>
> Yep, NAT breaks IPSEC.
>
> NAT breaks any protocol which protects IP addresses from modification.
> AH's checksum includes these header fields, so that's one thing which
> breaks.
>
> NAT also needs to tweak transport-layer checksums (since the source
> and destination addresses are included in the UDP and TCP checksums).
> since those checksums are themselves included in the AH or ESP
> integrity check, and may also be encrypted by ESP as well.
>
> - Bill
>
It is true that End-to-end IPsec will not work with NAT enroute for most
applications in practice. I suggest reading
<draft-ietf-nat-terminology-03.txt> for a discussion on end-to-end IPsec
vis-a-vis NAT.
However, NAT and IPsec can coexist to provide tunnel mode security.
<draft-ietf-nat-security-01.txt> discusses how this combination can work.
cheers,
suresh
References: