RE: NAT and IPSEC INCOMPATIBLE???
> Linux has a patch available that allows NAT to work with IPSec, as long as
> AH is turned off. It isn't perfect,
> but it works quite well.
>
> ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
>
> By the way, there are certain markets where NAT is a requirement (such as
> running IP to the guest rooms in hotels)
> and IPSec is also extremely high profile. It would help everyone out if
> there was a built-in method to scale arbitrarily
> large for address translated IPSec connections - just with ESP, I don't
> think that AH is as important to these users.
hmm... so I HAVE to trust my hotel? What kind of customers are they looking
for? If they are looking for the commuter, then NAT is a bad thing since I
will want to encrypt my data back to my corporate network.
PatC
>
> jb
>
> > -----Original Message-----
> > From: Tim Lyons [SMTP:tlyons@digitalvoodoo.org]
> > Sent: Thursday, June 10, 1999 12:20 AM
> > To: Makoto Kubota
> > Cc: ipsec@lists.tislabs.com
> > Subject: Re: NAT and IPSEC INCOMPATIBLE???
> >
> > Makoto,
> >
> > Your Scenario will work.
> >
> > --Tim
> >
> >
> > On Thu, 10 Jun 1999, Makoto Kubota wrote:
> >
> > > > > Looking at rfc1631 (NAT) and rfc2401 (IPSEC Overview) I have not yet
> > > > > discovered a reason for conflict in using the two protocols together. Just
> > > > > trying to understand if it is possible.....or if IPSEC and NAT are just
> > > > > not made to function together. Specifics of the reason this will or won't
> > > > > work would be VERY much appreciated.
> > > >
> > > > Yep, NAT breaks IPSEC.
> > > >
> > > > NAT breaks any protocol which protects IP addresses from modification.
> > > > AH's checksum includes these header fields, so that's one thing which
> > > > breaks.
> > >
> > > Can I have an additional question about this?
> > >
> > > So, if we do NAT before IPSEC, can I use NAT & IPSec together?
> > > For example,
> > > Home Office ---[NAT]---[IPSec]--->Internet...
> > > Home Office <--[NAT]<--[IPSec]<---Internet...
> > >
> > > Thanks in advance.
> > >
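
The point made in the quoted thread, that AH's integrity check covers the IP addresses, shown next to ESP, whose check does not. This is an added example, not code from any poster or from the Linux patch linked above. The key, addresses, SPI values and payload are constructed, HMAC-SHA-1-96 is an assumed choice of integrity algorithm, and only the integrity check of a transport-mode packet is modelled.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"            # constructed key shared by both peers
PAYLOAD = b"constructed-payload-22"      # constructed; 22 bytes so ESP needs no padding
ICV_LEN = 12                             # HMAC-SHA-1-96 truncates to 96 bits

def _icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]

def _ip(src, dst, proto, body_len, ttl=64):   # 20-byte IPv4 header, checksum left 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def _ah_covered(pkt):
    # AH input: IP header with mutable fields zeroed (TOS, flags/offset, TTL, checksum),
    # AH header with zeroed ICV, then payload. The addresses are NOT zeroed.
    hdr = bytearray(pkt[:20])
    hdr[1] = hdr[8] = 0
    hdr[6:8] = hdr[10:12] = b"\0\0"
    return bytes(hdr) + pkt[20:32] + b"\0" * ICV_LEN + pkt[44:]

def build_ah(src, dst, payload=PAYLOAD):
    ah = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1)   # next=TCP, len=4, SPI, seq
    pkt = _ip(src, dst, 51, 24 + len(payload)) + ah + b"\0" * ICV_LEN + payload
    return pkt[:32] + _icv(_ah_covered(pkt)) + pkt[44:]

def verify_ah(pkt):
    return hmac.compare_digest(pkt[32:44], _icv(_ah_covered(pkt)))

def build_esp(src, dst, payload=PAYLOAD):
    # Null encryption for readability; the ESP ICV covers SPI, sequence
    # number, payload and trailer, and nothing in the outer IP header.
    esp = struct.pack("!II", 0x2000, 1) + payload + bytes([0, 6])
    return _ip(src, dst, 50, len(esp) + ICV_LEN) + esp + _icv(esp)

def verify_esp(pkt):
    return hmac.compare_digest(pkt[-ICV_LEN:], _icv(pkt[20:-ICV_LEN]))

def forward(pkt, nat_src=None):   # a router decrements TTL; a NAT also rewrites the source
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    if nat_src:
        hdr[12:16] = socket.inet_aton(nat_src)
    return bytes(hdr) + pkt[20:]

if __name__ == "__main__":
    ah, esp = build_ah("10.0.0.5", "192.0.2.10"), build_esp("10.0.0.5", "192.0.2.10")
    print("AH routed:", verify_ah(forward(ah)), "| AH via NAT:", verify_ah(forward(ah, "203.0.113.7")))
    print("ESP via NAT:", verify_esp(forward(esp, "203.0.113.7")))
```

An ordinary hop leaves the AH check intact because TTL is zeroed before hashing; only the address rewrite makes it fail.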