
RE: NAT and IPSEC INCOMPATIBLE???



No - you don't have to trust the hotel.  The hotel can't see your data. You
still get to encrypt all of your data.  All they will change is the source IP
address of outgoing packets (to the 'net), and the destination IP address of
incoming packets.

Is that not acceptable/reasonable?

jb
> -----Original Message-----
> From:	pcalhoun@eng.sun.com [SMTP:Pat.Calhoun@Eng.Sun.Com]
> Sent:	Thursday, June 10, 1999 10:34 AM
> To:	Brothers, John
> Cc:	ipsec@lists.tislabs.com
> Subject:	RE: NAT and IPSEC INCOMPATIBLE??? 
> 
> > Linux has a patch available that allows NAT to work with IPSec, as long
> > as AH is turned off.  It isn't perfect, but it works quite well.
> > 
> > ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
> > 
> > By the way, there are certain markets where NAT is a requirement (such
> > as running IP to the guest rooms in hotels) and IPSec is also extremely
> > high profile.   It would help everyone out if there was a built-in method
> > to scale arbitrarily large for address translated IPSec connections - just
> > with ESP, I don't think that AH is as important to these users.
> 
> hmm... so I HAVE to trust my hotel? What kind of customers are they
> looking for? If they are looking for the commuter, then NAT is a bad thing
> since I will want to encrypt my data back to my corporate network.
> 
> PatC
> > 
> > jb
> > 
> > > -----Original Message-----
> > > From:	Tim Lyons [SMTP:tlyons@digitalvoodoo.org]
> > > Sent:	Thursday, June 10, 1999 12:20 AM
> > > To:	Makoto Kubota
> > > Cc:	ipsec@lists.tislabs.com
> > > Subject:	Re: NAT and IPSEC INCOMPATIBLE??? 
> > > 
> > > Makoto,
> > > 
> > > Your Scenario will work.
> > > 
> > > --Tim
> > > 
> > > 
> > > On Thu, 10 Jun 1999, Makoto Kubota wrote:
> > > 
> > > > > > > Looking at rfc1631 (NAT) and rfc2401 (IPSEC Overview) I have not
> > > > > > > yet discovered a reason for conflict in using the two protocols
> > > > > > > together.  Just trying to understand if it is possible.....or if
> > > > > > > IPSEC and NAT are just not made to function together.  Specifics
> > > > > > > of the reason this will or won't work would be VERY much
> > > > > > > appreciated.
> > > > > 
> > > > > Yep, NAT breaks IPSEC.
> > > > > 
> > > > > > NAT breaks any protocol which protects IP addresses from
> > > > > > modification.  AH's checksum includes these header fields, so
> > > > > > that's one thing which breaks.
> > > > 
> > > > > Can I ask an additional question about this?
> > > > > 
> > > > > So, if we do NAT before IPSEC, can I use NAT & IPSec together?
> > > > For example,
> > > >   Home Office ---[NAT]---[IPSec]--->Internet...
> > > >   Home Office <--[NAT]<--[IPSec]<---Internet...
> > > > 
> > > > Thanks in advance.
> > > > 
>
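
An added illustration of the point discussed in this thread (not part of any poster's message and not code from the list): the AH integrity check covers the IP source and destination addresses, so a NAT rewrite invalidates it, while the ESP check covers only the ESP header and payload. This is a simplified model: the key, addresses and payloads are constructed, the real AH input also includes the AH header itself, and the IP header checksum is left at zero.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed integrity key, stands in for the SA key

def ipv4_packet(src, dst, proto, body, ttl=64):
    """20-byte IPv4 header (checksum left 0 for the demo) followed by body."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + body

def mac96(data):
    """HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(packet):
    """AH-style ICV: IP header with mutable fields zeroed, plus the body.
    Source and destination addresses stay in the MAC input."""
    hdr = bytearray(packet[:20])
    hdr[1] = 0                 # TOS
    hdr[6:8] = b"\x00\x00"     # flags + fragment offset
    hdr[8] = 0                 # TTL
    hdr[10:12] = b"\x00\x00"   # header checksum
    return mac96(bytes(hdr) + packet[20:])

def esp_icv(packet):
    """ESP-style ICV: only the ESP header and payload, not the outer IP header."""
    return mac96(packet[20:])

def nat_outbound(packet, public_src):
    """What a NAT box does to an outgoing packet: rewrite source, lower TTL."""
    p = bytearray(packet)
    p[12:16] = socket.inet_aton(public_src)
    p[8] -= 1
    return bytes(p)

def run_demo():
    esp_body = struct.pack("!II", 0x1000, 1) + b"constructed ciphertext"
    sent_ah = ipv4_packet("10.0.0.5", "192.0.2.10", 51, b"constructed payload")
    sent_esp = ipv4_packet("10.0.0.5", "192.0.2.10", 50, esp_body)
    ah_tag, esp_tag = ah_icv(sent_ah), esp_icv(sent_esp)
    hop = bytearray(sent_ah)
    hop[8] -= 1                # ordinary router hop: TTL changes, addresses do not
    nat_ah = nat_outbound(sent_ah, "198.51.100.7")
    nat_esp = nat_outbound(sent_esp, "198.51.100.7")
    return {"ah_after_plain_hop": hmac.compare_digest(ah_tag, ah_icv(bytes(hop))),
            "ah_after_nat": hmac.compare_digest(ah_tag, ah_icv(nat_ah)),
            "esp_after_nat": hmac.compare_digest(esp_tag, esp_icv(nat_esp))}

if __name__ == "__main__":
    print(run_demo())
```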