>Ben Nagy <[EMAIL PROTECTED]>
>
>IPSec works fine with NAT. It's just IP.
Well, maybe....
>
>Well...pretty damn cool IP, but still IP.
>
>Usually, you IPSec stuff between two network edges, right? Like your
>external router to the other team's external router. So, at that point, like
>the very outside of all your NAT and routing and stuff, you're doing
>encryption things [1]. As far as internal clients know, the network is
>running as per usual.
Actually, I have been deploying a bit of host to security gateway IPSec lately. IPSec
is definitely IP, but not all IP is supported equally in many circumstances. In the
best case scenario, the hosts transiting traffic on the IPSec SAs are not aware of its
existence, but in many cases this means manually reducing the MTU size of the hosts.
If the clients that you refer to are the human users on the hosts, then an IP stack on
a host that properly supports Path MTU discovery may make the clients' (or admins')
lives much simpler.
NAT is really problematic when it happens between the IPSec endpoints. Although an
IPSec implementation could possibly have a provision to handle authentication on
transport mode SAs in this circumstance, I have not seen it. IKE can also be a hassle
in this circumstance: if you translate more than one IPSec endpoint address to a
single IP, then the IKE exchange must use aggressive mode, which may not be acceptable
in some cases.
>All you need to do for people inside the networks is make sure that they
>know how to get to the other side. You can route, apply NAT mappings, use
>HOSTS files, basically whatever you like, and it should work fine.
>
>
>Cheers,
>
>[1] Yeah, well this is a simplified explanation, okay? There are some minor
>brain benders in setting up edge routers to do IPSec tunnels in NAT
>environments, but nothing too hard.
>- --
>Ben Nagy
>Network Consultant, CPM&S Group of Companies
>Direct: +61 8 8422 8319 Mobile: +61 414 411 520
>
>
>- -----Original Message-----
>From: Jean-Francois Grenier [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, August 03, 1999 12:52 AM
>To: [EMAIL PROTECTED]
>Subject: IPSEC + IPNAT possibilities ?
>
>
>Hi,
>
>Is it possible to use IPNAT with IPSEC ?
>
>Here's the problem :
>
>Supposed that the internal LAN is
>
>192.168.1.0/24 NAT'ted 205.205.102.2/32 portmap tcp/udp 10000:60000
>
>The IPSEC tunnel is
>
>205.205.102.2 to 205.205.103.2
>tunnel
>10.0.1.0/24 to 10.0.2.0/24
>
>Could it be possible for an internal client (lets say 192.168.1.100) to
>reach 10.0.2.0 simply by routing/mapping or do I need something else, like a
>proxy ?
>
>Jean-Francois Grenier
>Comact Optimisation
>
You are already tunneling some private address space, why translate the 192.168.1.0/24
space? Solving an overlapping address problem may be simpler than verifying that the
device at 205.205.102.2 handles all cases of NAT in conjunction with IPSec in a
reasonable manner.
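To make the "NAT between the IPSec endpoints" problem from the reply above concrete, here is an added simulation (not code from anyone in this thread). It models a host at 192.168.1.100 behind the NAT device at 205.205.102.2 talking IPSec to the gateway at 205.205.103.2, with the inner destination 10.0.2.10 chosen as a constructed address inside the 10.0.2.0/24 range from the original question. ESP is reduced to "a blob NAT cannot read or rewrite" (no cipher, no ICV) and the tunnel-mode inner header is reduced to its two addresses, because the point is only what the translator can and cannot touch: in transport mode the receiver validates the TCP checksum against the translated outer header, so it fails; in tunnel mode the inner header rides inside ESP untouched, so it passes.

```python
"""Why NAT between IPsec endpoints breaks transport mode but not tunnel mode.

Added illustration, not part of the original thread. ESP "protection" is a
placeholder (payload is copied, not encrypted); the inner IP header in tunnel
mode is reduced to its source and destination addresses.
"""
import struct
from dataclasses import dataclass

TCP_PROTO = 6


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum over data (odd length is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ip4_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum covers a pseudo-header (src, dst, 0, proto, length) plus the
    segment with its own checksum field (bytes 16..18) zeroed. The addresses in
    the pseudo-header are why rewriting an IP header invalidates the checksum."""
    pseudo = ip4(src) + ip4(dst) + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return internet_checksum(pseudo + zeroed)


def build_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """A minimal 20-byte TCP header (SYN, arbitrary seq) plus payload, checksummed
    the way the sending host does it: with its own source address."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src, dst, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


@dataclass
class EspPacket:
    outer_src: str
    outer_dst: str
    protected: bytes   # the ESP payload: opaque to anything between the endpoints
    tunnel_mode: bool  # True: protected = inner src + inner dst + TCP segment


def esp_transport(src: str, dst: str, segment: bytes) -> EspPacket:
    return EspPacket(src, dst, segment, False)


def esp_tunnel(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
               segment: bytes) -> EspPacket:
    return EspPacket(outer_src, outer_dst, ip4(inner_src) + ip4(inner_dst) + segment, True)


def nat_rewrite_source(pkt: EspPacket, translated_src: str) -> EspPacket:
    """A NAT device sees only the cleartext outer header. It cannot reach into
    the ESP payload to fix an inner checksum (and if it could, the ICV of a real
    ESP packet would then fail at the receiver)."""
    return EspPacket(translated_src, pkt.outer_dst, pkt.protected, pkt.tunnel_mode)


def receiver_accepts(pkt: EspPacket) -> bool:
    """After ESP decapsulation the receiving stack verifies the TCP checksum
    against the IP header it hands up: the outer header in transport mode, the
    inner header in tunnel mode."""
    if pkt.tunnel_mode:
        src, dst = ip4_str(pkt.protected[0:4]), ip4_str(pkt.protected[4:8])
        segment = pkt.protected[8:]
    else:
        src, dst, segment = pkt.outer_src, pkt.outer_dst, pkt.protected
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src, dst, segment) == stored


HOST, NAT_ADDR, GATEWAY, INNER_DST = "192.168.1.100", "205.205.102.2", "205.205.103.2", "10.0.2.10"


def transport_mode_without_nat() -> bool:
    seg = build_tcp(HOST, GATEWAY, 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    return receiver_accepts(esp_transport(HOST, GATEWAY, seg))


def transport_mode_through_nat() -> bool:
    seg = build_tcp(HOST, GATEWAY, 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    return receiver_accepts(nat_rewrite_source(esp_transport(HOST, GATEWAY, seg), NAT_ADDR))


def tunnel_mode_through_nat() -> bool:
    seg = build_tcp(HOST, INNER_DST, 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    pkt = esp_tunnel(HOST, GATEWAY, HOST, INNER_DST, seg)
    return receiver_accepts(nat_rewrite_source(pkt, NAT_ADDR))


if __name__ == "__main__":
    print("transport, no NAT     :", transport_mode_without_nat())
    print("transport, through NAT:", transport_mode_through_nat())
    print("tunnel, through NAT   :", tunnel_mode_through_nat())
```

The simulation leaves out the part that makes the real situation worse than a bad checksum: with AH, the integrity check covers the outer addresses themselves, so a translated packet is dropped before any checksum is looked at, and with IKE the identity exchange is what forces the aggressive-mode workaround the reply mentions. The practical reading is the same as the reply's closing advice: keep the translator outside the IPSec endpoints, or tunnel the private range instead of translating it.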
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]