
RE: NAT and IPSEC INCOMPATIBLE???



There are alternatives to doing NAT with IPSec.

For example, using the Isakmp-Cfg method
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-isakmp-mode-cfg-04.txt,
the edge device (which in your network does NAT) could allocate a private
address to the remote user.  The remote user then uses this private address
in the inner IP header of the tunneled ESP and/or AH packet.

Ex. Tunneled packet from remote user to private network...

Outer header Src IP  = ISP allocated IP
Outer header Dest IP = Edge Device IP
AH
ESP
Inner header Src IP  = Edge Device allocated IP (may be private/illegal address)
Inner header Dest IP = IP on private network
data

There are approximately 5 or so vendors who support this today, and many
more who are planning to support it.
