RE: NAT and IPSEC INCOMPATIBLE???
Linux has a patch available that allows NAT to work with IPSec, as long as AH is turned off. It isn't perfect, but it works quite well.

ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html

By the way, there are certain markets where NAT is a requirement (such as running IP to the guest rooms in hotels) and IPSec is also extremely high profile. It would help everyone out if there was a built-in method to scale arbitrarily large for address translated IPSec connections - just with ESP, I don't think that AH is as important to these users.

jb
> -----Original Message-----
> From: Tim Lyons [SMTP:tlyons@digitalvoodoo.org]
> Sent: Thursday, June 10, 1999 12:20 AM
> To: Makoto Kubota
> Cc: ipsec@lists.tislabs.com
> Subject: Re: NAT and IPSEC INCOMPATIBLE???
>
> Makoto,
>
> Your Scenario will work.
>
> --Tim
>
>
> On Thu, 10 Jun 1999, Makoto Kubota wrote:
>
> > > > Looking at rfc1631 (NAT) and rfc2401 (IPSEC Overview) I have not yet
> > > > discovered a reason for conflict in using the two protocols together. Just
> > > > trying to understand if it is possible.....or if a IPSEC and NAT are just
> > > > not made to function together. Specifics of the reason this will or won't
> > > > work would be VERY much appreciated.
> > >
> > > Yep, NAT breaks IPSEC.
> > >
> > > NAT breaks any protocol which protects IP addresses from modification.
> > > AH's checksum includes these header fields, so that's one thing which
> > > breaks.
> >
> > Can I have additional question about this?
> >
> > So, if we do NAT before IPSEC, can I use NAT & IPSec together?
> > For example,
> > Home Office ---[NAT]---[IPSec]--->Internet...
> > Home Office <--[NAT]<--[IPSec]<---Internet...
> >
> > Thanks in advance.
> >
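
The point discussed in this thread (AH's integrity check covers the IP addresses that NAT rewrites, while an ESP-only setup does not, and NAT placed before IPSec is computed into the check), as an added example that is not part of the original messages. It is a simplified model: the key, addresses and SPI are constructed, the AH header's own fields and ESP encryption are left out, and HMAC-SHA1-96 is assumed as the integrity algorithm.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"              # constructed sample key
PRIVATE, PUBLIC, PEER = "10.0.0.5", "198.51.100.7", "192.0.2.10"  # constructed

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header; checksum left at 0 because AH zeroes it anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    """Zero the fields AH treats as mutable in transit."""
    h = bytearray(hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags and fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def icv(data):
    """HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(hdr, payload):
    # AH: source and destination addresses are inside the authenticated data.
    return icv(zero_mutable(hdr) + payload)

def esp_icv(hdr, esp_packet):
    # ESP: only SPI, sequence number and payload are authenticated; hdr is ignored.
    return icv(esp_packet)

def nat(hdr, new_src=PUBLIC):
    """Rewrite the source address the way a NAT device does."""
    return hdr[:12] + socket.inet_aton(new_src) + hdr[16:]

def ah_verifies(nat_before_ipsec, payload=b"constructed payload"):
    hdr = ipv4_header(PRIVATE, PEER, 51, len(payload))
    if nat_before_ipsec:      # translate first, then compute the ICV
        hdr = nat(hdr)
        sent, received = ah_icv(hdr, payload), hdr
    else:                     # ICV computed first, NAT rewrites afterwards
        sent, received = ah_icv(hdr, payload), nat(hdr)
    return hmac.compare_digest(sent, ah_icv(received, payload))

def esp_verifies_after_nat(payload=b"constructed payload"):
    esp = struct.pack("!II", 0x1001, 1) + payload   # SPI, sequence, payload
    hdr = ipv4_header(PRIVATE, PEER, 50, len(esp))
    sent = esp_icv(hdr, esp)
    return hmac.compare_digest(sent, esp_icv(nat(hdr), esp))
```

`ah_verifies(False)` models NAT sitting after the IPSec device and fails the check; `ah_verifies(True)` models the Home Office ---[NAT]---[IPSec] ordering asked about above.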