RE: NAT and IPSEC INCOMPATIBLE???
There are alternatives to doing NAT with IPSec.
For example, using the Isakmp-Cfg method
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-isakmp-mode-cfg-04.txt,
the edge device (which in your network does NAT) could allocate a private
address to the remote user. The remote user then uses this private address
in the inner IP header of the tunneled ESP and/or AH packet.
Ex. Tunneled Packet from remote user to private network...
Outer header Src IP = ISP allocated IP
Outer header Dest IP = Edge Device IP
AH
ESP
Inner header Src IP = Edge Device allocated IP (may be private/illegal address)
Inner header Dest IP = IP on private network.
data
There are approximately 5 or so vendors who support this today, and many
more who are planning to support it.
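The packet layout above explains why the mode-cfg approach sidesteps the NAT problem for ESP but not for AH: a NAT device on the path only rewrites the outer header, the inner header carries the edge-device-allocated private address and is never touched, and ESP's integrity check does not cover the outer header at all, whereas AH's does. The following is an added illustration, not code from the original post or from any vendor implementation. It models the tunneled packet as a small Python structure with an HMAC-SHA-256 integrity check, simulates a NAT rewriting the outer source, and checks what the edge device and the private host end up seeing. All addresses, the SA key and the "header" byte layout are constructed for the example; encryption, padding, TTL/checksum handling and the real header formats are deliberately left out.

```python
import hashlib
import hmac
import struct
from copy import deepcopy

# Constructed sample values for this illustration (hypothetical, not from the post).
ISP_ALLOCATED_IP = "203.0.113.10"   # outer src: address the remote user's ISP assigned
EDGE_DEVICE_IP = "198.51.100.1"     # outer dst: the IPsec edge device
MODE_CFG_IP = "10.1.1.50"           # inner src: private address allocated via ISAKMP mode-cfg
PRIVATE_HOST_IP = "10.1.1.100"      # inner dst: host on the private network
NAT_PUBLIC_IP = "203.0.113.99"      # what a NAT box on the path rewrites the outer src to
SA_KEY = b"constructed-demo-integrity-key"  # hypothetical SA integrity key

ESP_PROTO, AH_PROTO, TCP_PROTO = 50, 51, 6


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def header_bytes(hdr):
    # Simplified IP header: only src, dst and next-protocol are modelled.
    # A real IPv4 header carries more (TTL, checksum, ...), which AH zeroes as mutable.
    return ip_to_bytes(hdr["src"]) + ip_to_bytes(hdr["dst"]) + struct.pack("!B", hdr["proto"])


def integrity_scope(pkt):
    """Bytes the ICV covers. ESP: SPI, sequence number, inner header and payload, never the
    outer header. AH: additionally the outer header's immutable fields (src and dst here)."""
    scope = struct.pack("!II", pkt["spi"], pkt["seq"]) + header_bytes(pkt["inner"]) + pkt["payload"]
    if pkt["mode"] == "ah":
        scope = header_bytes(pkt["outer"]) + scope
    return scope


def compute_icv(pkt, key):
    # HMAC-SHA-256 truncated to 128 bits, as IPsec integrity algorithms do.
    return hmac.new(key, integrity_scope(pkt), hashlib.sha256).digest()[:16]


def verify_icv(pkt, key):
    return hmac.compare_digest(pkt["icv"], compute_icv(pkt, key))


def build_tunnel_packet(mode, key, payload):
    """Build the tunneled packet from the post: outer header, ESP or AH, inner header, data.
    mode is "esp" or "ah". Only the integrity check is modelled, not encryption."""
    inner = {"src": MODE_CFG_IP, "dst": PRIVATE_HOST_IP, "proto": TCP_PROTO}
    outer = {"src": ISP_ALLOCATED_IP, "dst": EDGE_DEVICE_IP,
             "proto": ESP_PROTO if mode == "esp" else AH_PROTO}
    pkt = {"mode": mode, "outer": outer, "spi": 0x1001, "seq": 1,
           "inner": inner, "payload": payload}
    pkt["icv"] = compute_icv(pkt, key)
    return pkt


def nat_rewrite_outer_src(pkt, new_src):
    """What a NAT device on the path does: rewrite the outer source address only."""
    natted = deepcopy(pkt)
    natted["outer"]["src"] = new_src
    return natted


def decapsulate(pkt, key):
    """Edge device: verify the ICV, strip the outer header, forward the inner packet.
    Returns the inner header the private host sees, or None if verification fails."""
    if not verify_icv(pkt, key):
        return None
    return pkt["inner"]


def demo():
    payload = b"constructed application data"
    results = {}
    for mode in ("esp", "ah"):
        pkt = build_tunnel_packet(mode, SA_KEY, payload)
        natted = nat_rewrite_outer_src(pkt, NAT_PUBLIC_IP)
        inner = decapsulate(natted, SA_KEY)
        results[mode] = {
            "valid_before_nat": verify_icv(pkt, SA_KEY),
            "valid_after_nat": verify_icv(natted, SA_KEY),
            "inner_src_seen_by_host": inner["src"] if inner else None,
        }
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

Running it shows the ESP packet still verifies after the NAT rewrite and the private host sees the mode-cfg address 10.1.1.50 as the source, exactly as the post's layout intends; the AH packet fails verification at the edge device because the rewritten outer source was inside its integrity scope. Because the inner header is what the private host's TCP/UDP checksum is computed against, and that header is untouched by the NAT, the inner transport checksums survive as well. The model leaves out the other NAT-related obstacles a deployment still has to deal with (IKE source port rewriting, NAT timeouts on the outer flow), which this approach by itself does not address.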