Hm. Maybe some clarification is called for.

I understand what you're saying here, but for the benefit of M Grenier and
anyone else who might be interested, I'll ramble...

IPSec works absolutely fine and dandy with NAT. The limitation is that no
NAT should take place between IPSec endpoints. This is exactly what Mr
Wolsey just said.

So. There are two scenarios.

If you have lots of client PCs acting as IPSec endpoints (as in they have
special IPSec software on their computers) and these clients' packets pass
through a NAT device on the way to the other end, things may be tricky. In
fact, they may be impossible.

If the IPSec takes place between two network edges, as in all of the traffic
from network A gets tunneled via IPSec by a router / firewall, and then
lands on network B, then it's much easier. Normal NAT will work fine. The
internal packet gets NAT'ed, THEN it gets tunneled. Everything will work
fine. You don't need to worry about identical address spaces, because that's
what NAT was DESIGNED for.

So, basically, the trick is not to use client-side IPSec in an RFC 1918
network. Maybe I shouldn't have posted a simplified reply - but it looked
like Jean-Francois was talking about a simple network to network
implementation.

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct: +61 8 8422 8319    Mobile: +61 414 411 520

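To make the two scenarios above concrete, here is an added toy model (not code from either poster, and not real IPsec: the "ESP" is a SHA-256 keystream XOR plus an HMAC tag, packets are dicts, and the SA key is a hard-coded assumption). It shows the mechanism behind the thread's point: a TCP checksum is computed over a pseudo-header that contains the IP addresses, so when a NAT box sits between the IPSec endpoints and rewrites the outer address of a transport-mode ESP packet, it cannot fix the checksum hidden inside, and the far end sees a corrupt segment. When the gateway NATs the cleartext packet first (fixing the checksum as any NAT does) and only then tunnels it, the inner packet reaches the other site intact, even if both sites use the same private address space.

```python
"""Toy model of IPsec transport vs tunnel mode with a NAT in the path.
Not real IPsec: ESP is modelled as a toy cipher + HMAC, packets are dicts."""
import hashlib
import hmac
import socket
import struct

KEY = b"toy-sa-key"  # assumed shared SA key for the example, not IKE-negotiated


def tcp_checksum(src, dst, segment):
    """RFC 793 one's-complement checksum over the pseudo-header (which
    includes the source and destination addresses) plus the TCP segment."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_packet(src, dst, segment):
    return {"src": src, "dst": dst, "proto": "tcp", "seg": segment,
            "csum": tcp_checksum(src, dst, segment)}


def tcp_ok(pkt):
    """Does the carried checksum match the addresses the receiver sees?"""
    return pkt["csum"] == tcp_checksum(pkt["src"], pkt["dst"], pkt["seg"])


def nat(pkt, src=None, dst=None):
    """A NAT box rewrites addresses and, for cleartext TCP, fixes up the
    checksum.  For ESP it can only touch the outer header; the inner
    segment is opaque to it."""
    out = dict(pkt, src=src or pkt["src"], dst=dst or pkt["dst"])
    if out["proto"] == "tcp":
        out["csum"] = tcp_checksum(out["src"], out["dst"], out["seg"])
    return out


def _keystream(n):
    return hashlib.sha256(KEY).digest() * (n // 32 + 1)


def _seal(plain):  # toy confidentiality + integrity, stands in for ESP
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(len(plain))))
    return ct + hmac.new(KEY, ct, hashlib.sha256).digest()


def _open(blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, ct, hashlib.sha256).digest()):
        raise ValueError("ESP integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(len(ct))))


def esp_transport_encap(pkt):
    """Transport mode: the host's own IP header stays outside; only the
    TCP segment (and its checksum) is protected."""
    body = struct.pack("!H", pkt["csum"]) + pkt["seg"]
    return {"src": pkt["src"], "dst": pkt["dst"], "proto": "esp", "esp": _seal(body)}


def esp_transport_decap(pkt):
    body = _open(pkt["esp"])
    # The receiver rebuilds the TCP packet with the addresses it actually saw.
    return {"src": pkt["src"], "dst": pkt["dst"], "proto": "tcp",
            "seg": body[2:], "csum": struct.unpack("!H", body[:2])[0]}


def esp_tunnel_encap(pkt, gw_src, gw_dst):
    """Tunnel mode: the whole inner packet, addresses included, is sealed
    and carried between the two gateways."""
    inner = (socket.inet_aton(pkt["src"]) + socket.inet_aton(pkt["dst"])
             + struct.pack("!H", pkt["csum"]) + pkt["seg"])
    return {"src": gw_src, "dst": gw_dst, "proto": "esp", "esp": _seal(inner)}


def esp_tunnel_decap(pkt):
    inner = _open(pkt["esp"])
    return {"src": socket.inet_ntoa(inner[:4]), "dst": socket.inet_ntoa(inner[4:8]),
            "proto": "tcp", "csum": struct.unpack("!H", inner[8:10])[0], "seg": inner[10:]}


def host_behind_nat_transport_mode():
    """Scenario 1: client-side IPsec on an RFC 1918 host with a NAT in the path."""
    pkt = tcp_packet("10.0.0.5", "203.0.113.10", b"GET / HTTP/1.0\r\n")
    wire = esp_transport_encap(pkt)
    wire = nat(wire, src="198.51.100.1")        # NAT rewrites the outer source only
    return tcp_ok(esp_transport_decap(wire))    # False: inner checksum no longer matches


def gateway_to_gateway_tunnel():
    """Scenario 2: NAT first, then tunnel; both sites use 10.0.0.0/24."""
    pkt = tcp_packet("10.0.0.5", "172.16.2.7", b"GET / HTTP/1.0\r\n")
    pkt = nat(pkt, src="172.16.1.5")            # gateway A NATs in cleartext, fixes checksum
    wire = esp_tunnel_encap(pkt, "192.0.2.1", "192.0.2.2")
    inner = esp_tunnel_decap(wire)              # gateway B: inner addresses untouched
    inner = nat(inner, dst="10.0.0.7")          # B maps the other site's NAT range back
    return tcp_ok(inner)                        # True


if __name__ == "__main__":
    print("transport mode through NAT ok:", host_behind_nat_transport_mode())
    print("NAT then tunnel ok:", gateway_to_gateway_tunnel())
```

The same structure explains why AH is worse off than ESP here: AH's integrity check covers the outer IP addresses themselves, so even a NAT that only rewrites the outer header will fail the check. The later NAT-traversal work (UDP encapsulation of ESP) exists precisely because the inner checksum problem modelled above cannot be fixed by the NAT box.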

-----Original Message-----
From: TC Wolsey [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 04, 1999 12:32 AM
To: [EMAIL PROTECTED]
Subject: RE: IPSEC + IPNAT possibilities ?
>works fine with NAT. It's just IP.

Well, maybe....

>Usually, you IPSec stuff between two network edges, right? Like your
>external router to the other team's external router. So, at that point, like
>the very outside of all your NAT and routing and stuff, you're doing
>encryption things [1]. As far as internal clients know, the network is
>running as per usual.

Actually I have been deploying a bit of host to security gateway IPSec
lately. IPSec is definitely IP, but not all IP is supported equally in many
circumstances.

NAT is really problematic when it happens between the IPSec endpoints.
Although an IPSec implementation could possibly have a provision to handle
authentication on transport mode SAs in this circumstance, I have not seen
it. IKE can also be a hassle in this circumstance - if you translate
more than one IPSec endpoint address to a single IP, then the IKE exchange
must use aggressive mode which may not be acceptable in some cases.

>All you need to do for people inside the networks is make sure that they
>know how to get to the other side. You can route, apply NAT mappings, use
>HOSTS files, basically whatever you like, and it should work fine.
>
>
>Cheers,
>
>[1] Yeah, well this is a simplified explanation, okay? There are some minor
>brain benders in setting up edge routers to do IPSec tunnels in NAT
>environments, but nothing too hard.
>--
>Ben Nagy
>Network Consultant, CPM&S Group of Companies
>Direct: +61 8 8422 8319    Mobile: +61 414 411 520