Ben,
For the simplified explanation, I agree. The one issue that IPSec throws
into the mix is the routing issues.
Jean-Francois,
You don't use NAT as it exists today; rather, it is an IPSec tunnel where the
end points of the tunnel need valid addresses. As long as the source
network can properly route the destination network to the tunnel end point,
you should be OK. The tunnel end point will recognize through its security
policy that the destination is on the other side of an encrypted tunnel.
Where this model breaks down is the case where two organizations both have
the same IP address scheme implemented. For instance, 192.168.1.0 at
company A and 192.168.1.0 at company B. When the end points of the tunnel
decrypt the packet, the original IP addresses are revealed, creating the
possibility of a packet with source 192.168.1.1 and a destination of
192.168.1.1 to be a valid packet. This creates a routing problem for not
only the host machine, but the destination as well. The idea of dual NAT is
being toyed with to address this issue but is still in the investigative
stage.
Hope I didn't throw you too far off track.
Thanks,
Pat Barry, CISSP NNCNA
Pager 888 993 5416
Fax 954 827 0418
http://www.inacom.com
http://www.isc2.org
http://support.baynetworks.com/training2/certification/certdesig.html
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Ben Nagy
Sent: Monday, August 02, 1999 8:39 PM
To: 'Jean-François Grenier'; [EMAIL PROTECTED]
Subject: RE: IPSEC + IPNAT possibilities ?
IPSec works fine with NAT. It's just IP.
Well...pretty damn cool IP, but still IP.
Usually, you IPSec stuff between two network edges, right? Like your
external router to the other team's external router. So, at that point, like
the very outside of all your NAT and routing and stuff, you're doing
encryption things [1]. As far as internal clients know, the network is
running as per usual.
All you need to do for people inside the networks is make sure that they
know how to get to the other side. You can route, apply NAT mappings, use
HOSTS files, basically whatever you like, and it should work fine.
Cheers,
[1] Yeah, well this is a simplified explanation, okay? There are some minor
brain benders in setting up edge routers to do IPSec tunnels in NAT
environments, but nothing too hard.
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct: +61 8 8422 8319 Mobile: +61 414 411 520
-----Original Message-----
From: Jean-François Grenier [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 03, 1999 12:52 AM
To: [EMAIL PROTECTED]
Subject: IPSEC + IPNAT possibilities ?
Hi,
Is it possible to use IPNAT with IPSEC?
Here's the problem:
Suppose that the internal LAN is
192.168.1.0/24 NAT'ted 205.205.102.2/32 portmap tcp/udp 10000:60000
The IPSEC tunnel is
205.205.102.2 to 205.205.103.2
tunnel
10.0.1.0/24 to 10.0.2.0/24
Could it be possible for an internal client (let's say 192.168.1.100) to
reach 10.0.2.0 simply by routing/mapping, or do I need something else, like a
proxy?
Jean-Francois Grenier
Comact Optimisation
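The following is an added worked example, not part of the thread and not code from any of the posters. It models, in Python, the two situations discussed above: Jean-Francois's setup (LAN 192.168.1.0/24 behind a tunnel between 205.205.102.2 and 205.205.103.2 that carries 10.0.1.0/24 to 10.0.2.0/24) and Pat's overlapping-subnet case with a "dual NAT" fix. The model assumes a policy-based IPsec gateway whose security policy database (SPD) matches on inner source/destination address selectors, and it represents "dual NAT" as a plain 1:1 prefix rewrite (host bits kept, network prefix swapped) applied before the SPD on the sending side and after decryption on the receiving side; that representation, the alias networks 10.1.1.0/24 and 10.2.1.0/24, the destination host 10.0.2.5, and all function names are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4, Net = ipaddress.IPv4Address, ipaddress.IPv4Network


def next_hop(host_prefix: str, dst: str) -> str:
    """A host's own routing decision: 'on-link' if it believes dst is on its
    subnet (it ARPs locally and never hands the packet to the gateway),
    otherwise 'gateway' (default route toward the IPsec end point)."""
    return "on-link" if IPv4(dst) in Net(host_prefix, strict=False) else "gateway"


@dataclass(frozen=True)
class Policy:
    local: Net   # selector: inner source must fall in this network
    remote: Net  # selector: inner destination must fall in this network
    peer: str    # outer address of the far tunnel end point


def spd_lookup(spd, src: IPv4, dst: IPv4) -> Optional[Policy]:
    """Security policy database: the first policy whose selectors match wins."""
    for p in spd:
        if src in p.local and dst in p.remote:
            return p
    return None


def net_map(addr: IPv4, from_net: Net, to_net: Net) -> IPv4:
    """1:1 network translation: keep the host bits, swap the prefix."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs equal-sized networks")
    return IPv4(int(to_net.network_address) + (int(addr) - int(from_net.network_address)))


def through_tunnel(src: str, dst: str, lan: Net, snat, spd, dnat) -> dict:
    """Walk one packet: sending host -> gateway A (optional 1:1 SNAT, then SPD)
    -> tunnel -> gateway B (optional 1:1 DNAT after decryption) -> receiver.
    snat/dnat are (from_net, to_net) pairs or None."""
    src_ip, dst_ip = IPv4(src), IPv4(dst)
    if next_hop(str(lan), dst) == "on-link":
        return {"outcome": "stays on local LAN; tunnel never consulted"}
    if snat:
        src_ip = net_map(src_ip, *snat)
    policy = spd_lookup(spd, src_ip, dst_ip)
    if policy is None:
        return {"outcome": "no IPsec policy matched", "inner": (str(src_ip), str(dst_ip))}
    if dnat:
        dst_ip = net_map(dst_ip, *dnat)
    return {"outcome": "delivered", "peer": policy.peer, "inner_at_b": (str(src_ip), str(dst_ip))}


# Scenario 1: Jean-Francois's addresses from the thread. The tunnel's selectors
# are 10.0.1.0/24 <-> 10.0.2.0/24, but the client sits in 192.168.1.0/24.
LAN_A = Net("192.168.1.0/24")
SPD_JF = [Policy(Net("10.0.1.0/24"), Net("10.0.2.0/24"), peer="205.205.103.2")]


def jf_plain(dst: str = "10.0.2.5") -> dict:
    # Routed to the gateway, but the source never matches the local selector.
    return through_tunnel("192.168.1.100", dst, LAN_A, None, SPD_JF, None)


def jf_mapped(dst: str = "10.0.2.5") -> dict:
    # Assumed fix: 1:1 map the LAN into the tunnel's local selector before the SPD.
    return through_tunnel("192.168.1.100", dst, LAN_A, (LAN_A, Net("10.0.1.0/24")), SPD_JF, None)


# Scenario 2: Pat's overlap. Company A and company B both use 192.168.1.0/24.
SPD_OVERLAP = [Policy(LAN_A, LAN_A, peer="205.205.103.2")]


def overlap_plain() -> dict:
    # 192.168.1.1 at A talking to 192.168.1.1 at B: the host sees the
    # destination as on its own subnet (here, itself) and never uses the tunnel.
    return through_tunnel("192.168.1.1", "192.168.1.1", LAN_A, None, SPD_OVERLAP, None)


# Dual NAT (constructed alias networks): A's LAN appears to B as 10.1.1.0/24 and
# B's LAN appears to A as 10.2.1.0/24, so the inner addresses never collide.
A_ALIAS, B_ALIAS = Net("10.1.1.0/24"), Net("10.2.1.0/24")
SPD_DUAL = [Policy(A_ALIAS, B_ALIAS, peer="205.205.103.2")]


def overlap_dual_nat() -> dict:
    r = through_tunnel("192.168.1.1", "10.2.1.1", LAN_A, (LAN_A, A_ALIAS), SPD_DUAL, (B_ALIAS, LAN_A))
    if r["outcome"] == "delivered":
        # The receiver at B replies to the alias source, which is off-link for it,
        # so the reply goes back to B's gateway instead of being answered locally.
        r["reply_hop_at_b"] = next_hop(str(LAN_A), r["inner_at_b"][0])
    return r


if __name__ == "__main__":
    for name, fn in [("jf_plain", jf_plain), ("jf_mapped", jf_mapped),
                     ("overlap_plain", overlap_plain), ("overlap_dual_nat", overlap_dual_nat)]:
        print(f"{name}: {fn()}")
```

The point the model makes explicit: routing alone gets a packet to the tunnel end point, but the end point still applies its security policy to the inner addresses, so the source has to fall inside the policy's selector (Jean-Francois's case), and with identical subnets on both sides the sending host never forwards to the gateway at all (Pat's case) until each side is given a distinct alias network.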
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]