
RE: IPSec NAT pass-through: how to do it?



If you are building an access box with NAT and no IPsec, all you need to
do is implement IPsec pass-thru and not even think about UDP
encapsulation. 

There is some explanation of IPsec pass-thru in the "Clarification of
potential NAT..." thread. If you have any questions, feel free to send
an e-mail.

As far as the patent issue is concerned, you won't have to worry about a
thing because IPsec pass-thru does not infringe on "patents" of MS and SSH.
All NAT vendors (Linksys etc.) implement IPsec pass-thru.

Regards,
Jayant
www.trlokom.com 

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com]
> On Behalf Of Feng Ye
> Sent: Friday, August 16, 2002 9:30 AM
> To: ipsec@lists.tislabs.com
> Subject: IPSec NAT pass-through: how to do it?
> 
> Hello,
> 
> I am working on an access box which has NAT, and now
> we need to do IPSec pass through. We need to support
> multiple clients behind the box. The scenario is that the
> user uses a PC to connect to the box and then to the
> company gateway.
> 
> I read the UDP encapsulation draft, but I don't know
> whether it's the IPSec endpoints' (PC, company security
> gateway) responsibility or the NAT box's
> responsibility to implement the draft. Besides, how do
> I know if the company gateway has this feature (is
> this draft widely used)?
> 
> From an earlier post, "Clarification of potential NAT
> multiple client solutions" by Mr. Brian Swander, it seems
> there are other ways to do it. The RFC draft (IPsec-nat
> compatibility reqts) also mentioned that there are ways
> like looking at cookie/SPI, but they have limitations.
> 
> I don't know which way is better, UDP encap or the
> hacker-like way. Besides, if SSH/Microsoft claims
> a patent, how do other vendors do this (like Netopia,
> Linksys, etc.)?
> 
> Can somebody provide more detailed information or
> point me to somewhere? Besides, if somebody can
> provide consulting service please let me know.
> 
> Since I am a newbie to IPSec, any info is very much
> appreciated!
> 
> Thanks a lot!
> 
> Feng
> 
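
The cookie/SPI lookup mentioned in the quoted question, and the limitation it runs into with multiple clients, as an added example that is not from either poster or from any vendor's implementation. It assumes one possible heuristic (bind the first unknown inbound SPI from a gateway to the only client currently waiting on that gateway); the class name, addresses and packets are constructed for illustration.

```python
import struct
ESP, UDP = 50, 17  # IP protocol numbers

class PassThruNat:
    """Toy pass-thru table (hypothetical names): IKE by cookie, ESP by SPI."""
    def __init__(self):
        self.ike = {}          # (gateway, IKE initiator cookie) -> client
        self.esp_in = {}       # (gateway, inbound SPI) -> client
        self.seen_out = set()  # (client, gateway, outbound SPI) already seen
        self.waiting = {}      # gateway -> clients whose inbound SPI is unknown

    def outbound(self, client, gateway, proto, payload):
        if proto == UDP:       # assumption: caller already checked UDP port 500
            self.ike[(gateway, payload[:8])] = client
        elif proto == ESP:
            spi = struct.unpack("!I", payload[:4])[0]
            if (client, gateway, spi) not in self.seen_out:
                # New outbound SA: the inbound SPI was agreed inside encrypted IKE
                self.seen_out.add((client, gateway, spi))
                pending = self.waiting.setdefault(gateway, [])
                if client not in pending:
                    pending.append(client)

    def inbound(self, gateway, proto, payload):
        """Return the inside client for a packet from gateway, or None to drop."""
        if proto == UDP:
            return self.ike.get((gateway, payload[:8]))
        spi = struct.unpack("!I", payload[:4])[0]
        if (gateway, spi) in self.esp_in:
            return self.esp_in[(gateway, spi)]
        pending = self.waiting.get(gateway, [])
        if len(pending) != 1:
            return None        # unsolicited, or two clients waiting: ambiguous
        self.esp_in[(gateway, spi)] = pending.pop()
        return self.esp_in[(gateway, spi)]

def demo():
    nat, gw = PassThruNat(), "203.0.113.1"                # constructed addresses
    ike = lambda cookie: cookie + bytes(20)               # 28-byte IKE header
    esp = lambda spi: struct.pack("!II", spi, 1) + bytes(16)
    nat.outbound("10.0.0.2", gw, UDP, ike(b"AAAAAAAA"))
    nat.outbound("10.0.0.3", gw, UDP, ike(b"BBBBBBBB"))
    out = [nat.inbound(gw, UDP, ike(b"BBBBBBBB"))]        # matched by cookie
    nat.outbound("10.0.0.2", gw, ESP, esp(0x1001))
    out.append(nat.inbound(gw, ESP, esp(0x2001)))         # only one waiting
    nat.outbound("10.0.0.2", gw, ESP, esp(0x1002))        # rekey
    nat.outbound("10.0.0.3", gw, ESP, esp(0x1003))
    out.append(nat.inbound(gw, ESP, esp(0x2002)))         # two waiting: dropped
    return out + [nat.inbound(gw, ESP, esp(0x2001))]      # learned SPI still maps
```

The third result is the limitation: when two clients behind the box set up SAs with the same gateway at the same time, the NAT cannot tell whose inbound SPI it is seeing and has to drop or serialize.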