
Re: NAT and IPSEC INCOMPATIBLE???



> 
> > > Looking at rfc1631 (NAT) and rfc2401 (IPSEC Overview) I have not yet
> > > discovered a reason for conflict in using the two protocols together.  Just
> > > trying to understand if it is possible.....or if IPSEC and NAT are just
> > > not made to function together.  Specifics of the reason this will or won't
> > > work would be VERY much appreciated.
> > 
> > Yep, NAT breaks IPSEC.
> > 
> > NAT breaks any protocol which protects IP addresses from modification.
> > AH's checksum includes these header fields, so that's one thing which
> > breaks.
> 
> Can I ask an additional question about this?
> 
> So, if we do NAT before IPSEC, can I use NAT & IPSec together?
> For example,
>   Home Office ---[NAT]---[IPSec]--->Internet...
>   Home Office <--[NAT]<--[IPSec]<---Internet...
> 
> Thanks in advance.
> 

Yes. Take a look at <draft-ietf-nat-security-01.txt>


cheers,
suresh
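
Added illustration, not part of the original message: a simplified model of the AH integrity check quoted above, showing that a router's TTL decrement leaves the check value unchanged while a NAT source-address rewrite does not. The key, addresses and payload are constructed, HMAC-SHA-1-96 stands in for whichever authenticator is negotiated, and `rest` is an assumed placeholder for the AH header (ICV zeroed) plus upper-layer data.

```python
import hashlib
import hmac
import socket
import struct

def checksum(data):
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def rechecksum(h):
    """Recompute the IPv4 header checksum, as any device that edits the header does."""
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", checksum(bytes(h)))
    return bytes(h)

def ipv4_header(src, dst, ttl, payload_len):
    """20-byte IPv4 header without options; protocol 51 is AH."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                    ttl, 51, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return rechecksum(bytearray(h))

def ah_icv(key, ip_hdr, rest):
    """Integrity check value over the header with its mutable fields zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    # Source and destination addresses (bytes 12-19) stay in the input.
    return hmac.new(key, bytes(h) + rest, hashlib.sha1).digest()[:12]

def demo():
    key = b"constructed-demo-key"
    rest = b"AH header with ICV zeroed + upper-layer data (constructed)"
    sent = ipv4_header("10.0.0.5", "198.51.100.7", 64, len(rest))
    icv = ah_icv(key, sent, rest)
    hop = bytearray(sent)
    hop[8] -= 1                                     # router decrements TTL
    natted = bytearray(sent)
    natted[12:16] = socket.inet_aton("192.0.2.1")   # NAT rewrites the source
    hop_ok = ah_icv(key, rechecksum(hop), rest) == icv
    nat_ok = ah_icv(key, rechecksum(natted), rest) == icv
    return hop_ok, nat_ok

if __name__ == "__main__":
    print(demo())
```

The receiver would accept the packet that only crossed a router and reject the one that crossed the NAT, even though both carry a valid IP header checksum.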

