
RE: NAT and IPSEC INCOMPATIBLE???



> Linux has a patch available that allows NAT to work with IPSec, as long as
> AH is turned off.  It isn't perfect,
> but it works quite well.
> 
> ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
> 
> By the way, there are certain markets where NAT is a requirement (such as
> running IP to the guest rooms in hotels)
> and IPSec is also extremely high profile.   It would help everyone out if
> there was a built-in method to scale arbitrarily
> large for address translated IPSec connections - just with ESP, I don't
> think that AH is as important to these users.

hmm... so I HAVE to trust my hotel? What kind of customers are they looking
for? If they are looking for the commuter, then NAT is a bad thing since I
will want to encrypt my data back to my corporate network.

PatC
> 
> jb
> 
> > -----Original Message-----
> > From:	Tim Lyons [SMTP:tlyons@digitalvoodoo.org]
> > Sent:	Thursday, June 10, 1999 12:20 AM
> > To:	Makoto Kubota
> > Cc:	ipsec@lists.tislabs.com
> > Subject:	Re: NAT and IPSEC INCOMPATIBLE??? 
> > 
> > Makoto,
> > 
> > Your Scenario will work.
> > 
> > --Tim
> > 
> > 
> > On Thu, 10 Jun 1999, Makoto Kubota wrote:
> > 
> > > > > Looking at rfc1631 (NAT) and rfc2401 (IPSEC Overview) I have not yet
> > > > > discovered a reason for conflict in using the two protocols together.
> > > > > Just trying to understand if it is possible.....or if a IPSEC and NAT
> > > > > are just not made to function together.  Specifics of the reason this
> > > > > will or won't work would be VERY much appreciated.
> > > > 
> > > > Yep, NAT breaks IPSEC.
> > > > 
> > > > NAT breaks any protocol which protects IP addresses from modification.
> > > > AH's checksum includes these header fields, so that's one thing which
> > > > breaks.
> > > 
> > > Can I ask an additional question about this?
> > > 
> > > So, if we do NAT before IPSEC, can I use NAT & IPSec together?
> > > For example,
> > >   Home Office ---[NAT]---[IPSec]--->Internet...
> > >   Home Office <--[NAT]<--[IPSec]<---Internet...
> > > 
> > > Thanks in advance.
> > > 
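
The point made in the quoted replies (AH's integrity check covers the IP addresses, so NAT breaks it, while ESP-only traffic can pass), as an added example that is not part of the original thread. It models only the integrity-check inputs described in RFC 2402 (AH) and RFC 2406 (ESP) using HMAC-SHA1-96; the key, addresses, SPI values and payload are constructed, and the payload is not actually encrypted.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"          # constructed sample key
SRC, DST, NAT_SRC = "10.0.0.5", "198.51.100.7", "203.0.113.9"  # constructed addresses

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header; checksum left at 0 because neither ICV depends on it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icv(data):
    """HMAC-SHA1-96: HMAC-SHA1 truncated to 12 bytes."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(ip_hdr, ah_fixed, payload):
    """AH hashes the IP header (mutable fields zeroed), the AH header, and the payload."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags and fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return icv(bytes(h) + ah_fixed + b"\x00" * 12 + payload)  # ICV field itself zeroed

def esp_icv(esp_hdr, body):
    """ESP hashes only SPI, sequence number and the ESP body, not the outer IP header."""
    return icv(esp_hdr + body)

def nat_rewrite(ip_hdr, new_src):
    """Source NAT: replace bytes 12..15 (source address) of the IP header."""
    return ip_hdr[:12] + socket.inet_aton(new_src) + ip_hdr[16:]

def survives_nat(proto):
    """Compute the ICV at the sender, pass the packet through NAT, verify at the receiver."""
    payload = b"constructed payload (stands in for ciphertext)"
    if proto == "AH":
        ah_fixed = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1)  # next hdr, len, rsvd, SPI, seq
        sent_hdr = ipv4_header(SRC, DST, 51, 24 + len(payload))
        sent_icv = ah_icv(sent_hdr, ah_fixed, payload)
        received = ah_icv(nat_rewrite(sent_hdr, NAT_SRC), ah_fixed, payload)
    else:
        esp_hdr = struct.pack("!II", 0x2000, 1)               # SPI, seq
        sent_icv = esp_icv(esp_hdr, payload)
        received = esp_icv(esp_hdr, payload)  # NAT changed only the IP header
    return hmac.compare_digest(sent_icv, received)

if __name__ == "__main__":
    for p in ("AH", "ESP"):
        print(p, "ICV verifies after NAT:", survives_nat(p))
```

A TTL decrement alone does not invalidate the AH check, because TTL is one of the fields zeroed before hashing; the address rewrite does.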



