Ok, I'll take a stab at this one. To all: Please make any necessary
corrections to this post as you see fit (please copy me so I *know*
I've goofed).

NAT breaks encrypted tunnels depending on where you implement the
NAT. If you can NAT before you tunnel, then you are generally OK.
Otherwise, it goes something like this (this is taken from a strictly
IPSec standpoint).

1) When NATing, you are changing the source (or source and port in
the case of PAT) address of outbound packets. IKE breaks on NAT and
PAT, because the encrypting gateway's IP address is used as part of
the authentication. Using the IP address links this authentication
information to the gateway. If you NAT or PAT the packets, the
authentication is broken. 

2) Furthermore, if you put the NAT device "outside" the tunnel
source, then you change the source addressing on a packet which has
already been encrypted and checksummed (AH and ESP transport mode),
using the pre-NAT information. At this point the checksums fail, and
the packet is dropped at the receiving end due to integrity failure. 

At least half of this is moot, since you have no ESP without IKE (see
paragraph 1). You may be able to use ESP tunnel mode, since the
original packet is hidden, but if you get down in your NAT pool to
the PAT address (typically set as a catch-all), you get screwed
again.

I hope this helps. It's a little confusing, and I may have a point or
two a little mangled, but the gist is, you're better off NATing
before any encryption is applied.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

R. Michael Williams, CISSP, CCNA, MCSE
Nashville, TN  
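To make the checksum point in paragraph 2 concrete, here is an added Python model of which bytes the TCP checksum and the AH integrity value cover (example code written for this page, not from the thread). The addresses, key and TCP header are constructed samples, and `ah_icv` is a simplified stand-in for a real AH implementation, kept only to show that the source address is inside what it protects.

```python
import hashlib, hmac, socket, struct

# Constructed sample values; none come from a real network or SA.
INSIDE, NAT_PUBLIC, PEER = "10.0.0.5", "203.0.113.9", "198.51.100.2"
AH_KEY = b"constructed-demo-key"
# 20-byte TCP header: ports 1234 -> 443, SYN, checksum field zeroed.
TCP_HDR = struct.pack("!HHIIBBHHH", 1234, 443, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

def inet_checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum over 16-bit words.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src: str, dst: str, segment: bytes) -> bytes:
    # The TCP checksum covers this pseudo-header, i.e. the IP source address.
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))

def fill_tcp_checksum(src: str, dst: str) -> bytes:
    # What the host does before encrypting: checksum over its pre-NAT source.
    csum = inet_checksum(pseudo_header(src, dst, TCP_HDR) + TCP_HDR)
    return TCP_HDR[:16] + struct.pack("!H", csum) + TCP_HDR[18:]

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    # Receiver check: a valid segment plus its pseudo-header sums to zero.
    return inet_checksum(pseudo_header(src, dst, segment) + segment) == 0

def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    # Simplified AH ICV: covers the immutable IP fields (addresses) and payload.
    msg = socket.inet_aton(src) + socket.inet_aton(dst) + payload
    return hmac.new(AH_KEY, msg, hashlib.sha256).digest()[:12]

def esp_transport_survives_nat() -> bool:
    # Checksum is computed with INSIDE and then encrypted; NAT can only rewrite
    # the outer source, so the receiver verifies the segment against NAT_PUBLIC.
    segment = fill_tcp_checksum(INSIDE, PEER)
    return tcp_checksum_ok(NAT_PUBLIC, PEER, segment)

def esp_tunnel_survives_nat() -> bool:
    # The original packet rides intact inside ESP; the inner header still says INSIDE.
    segment = fill_tcp_checksum(INSIDE, PEER)
    return tcp_checksum_ok(INSIDE, PEER, segment)

def ah_survives_nat() -> bool:
    # AH binds the source address into the ICV; rewriting it fails verification.
    segment = fill_tcp_checksum(INSIDE, PEER)
    return hmac.compare_digest(ah_icv(INSIDE, PEER, segment), ah_icv(NAT_PUBLIC, PEER, segment))
```

Later stacks sidestep the transport-mode failure by carrying ESP inside UDP (NAT traversal), which was not yet a standard when this thread was written.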

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Ben Nagy
Sent: Monday, April 03, 2000 2:02 AM
To: 'Joel M Snyder'; [EMAIL PROTECTED]
Subject: RE: IPSec and NAT


> 
> How are you establishing sessions?  Manual keying: will generally
> work (but is so insecure you're wasting your time)  IKE: might
> possibly work.
> 
> What IKE authentication are you using?  Pre-shared secrets: won't
> ever work.  Raw public keys: won't ever work.  Certificates: might
> possibly work.    

OK, most of the rest made perfect sense, but you lost me here. Why
will NAT break IKE?

As long as your endpoints have entries for the NAT'ed IP Address of
the peer and whatever auth criteria they need, shouldn't it Just
Work? There's no IP address info communicated inside of the IKE
packets, AFAIK?

The other thing that confused me was why ESP should work in Tunnel
mode but not Transport mode. All host implementations will be using
transport mode, neh? There's very little difference between them that
NAT should care about - neither of them cover the IP header in their
auth section, and the ESP itself doesn't contain any IP addresses.

> 
> (shouldn't this qualify as the most-frequently-asked IPSEC
> question?)  

Yes. ;)

> 
> jms
> 
> 
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)  
> [EMAIL PROTECTED]    http://www.opus1.com/jms    Opus One
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

Cheers,

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 