What's the deal with NAT?
Brad Kemp
kemp at INDUSRIVER.COM
Mon May 1 11:35:55 EDT 2000
At 02:23 PM 4/28/00 -0500, Biggerstaff, Craig wrote:
>An IPSec "tunnel mode" VPN does its magic by completely encapsulating the
>outbound source packet, headers and all, in a new IP packet. The new IP
>packet's source address is the outbound address of the VPN device, and its
>destination address is the inbound address of the VPN device at the other
>end. Using the IPSec ESP method, the packet contents (in this case, the
>original packet) are encrypted, and both encrypted contents and new headers
>are signed with a hash value appended to the packet.
>
>Why this bothers NAT is the last part: a NAT device in the middle will
>rewrite the new source address with one of its own choosing. The VPN device
>at the other end will verify the integrity of the incoming packet by
>computing its own hash value, and will complain that the hash value appended
>to the received packet doesn't match. The VPN device at the other end
>doesn't know about the NAT in the middle, so it assumes that the data has
>been altered for nefarious purposes.
>
>Hope this clears it up a bit. I can't step through PPTP in the same detail
>without looking at a book, but I would expect a similar problem.
PPTP does not have this problem because PPTP does not check the integrity of
the packet.
Brad
--- -- --
Brad Kemp
Indus River Networks, Inc. BradKemp at indusriver.com
31 Nagog Park 978-266-8122
Acton, MA 01720 fax 978-266-8111
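Added example, not from either poster: a short Python model of the mechanism the quoted explanation describes. The outer header layout, the addresses and the tunnel key are made up, an HMAC-SHA256 stands in for the tunnel's integrity check value, and a hash-derived XOR keystream stands in for the encryption; none of the real ESP or PPTP framing is reproduced. Whether the tunnel computes an integrity check at all is a parameter, so the same code shows both the case in the quoted text (NAT rewrites the outer source address, the receiving device recomputes the check and rejects the packet) and the case Brad describes for PPTP (nothing is checked, so the rewritten packet is accepted and decapsulated normally).

```python
"""Model of a NAT in the path of an encapsulating tunnel (added example).

Everything here is constructed for illustration: the header format, the
addresses, the key, and the "cipher". The point is only which fields the
receiver's integrity check covers, and what happens when a NAT in the
middle rewrites one of them without knowing the key.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

TUNNEL_KEY = b"example-shared-tunnel-key"      # constructed, not a real key
INNER_SRC, INNER_DST = "10.1.1.5", "10.2.2.9"  # constructed private hosts
VPN_A, VPN_B = "192.0.2.1", "198.51.100.1"     # constructed VPN endpoints
NAT_PUBLIC = "203.0.113.7"                     # constructed NAT outside address
TUNNEL_PROTO = 50                              # IP protocol number of ESP


def ip4(addr: str) -> bytes:
    """Pack a dotted-quad address into 4 bytes."""
    return bytes(int(o) for o in addr.split("."))


def outer_header(src: str, dst: str, length: int) -> bytes:
    """Minimal stand-in for the new (outer) IP header: src, dst, proto, length."""
    return ip4(src) + ip4(dst) + struct.pack("!BH", TUNNEL_PROTO, length)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy confidentiality transform: XOR with a SHA-256-derived keystream.
    Symmetric, so the same call encrypts and decrypts. Not real ESP."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def icv(key: bytes, covered: bytes) -> bytes:
    """Integrity check value over whatever the tunnel chooses to protect."""
    return hmac.new(key, covered, hashlib.sha256).digest()


@dataclass
class TunnelPacket:
    header: bytes            # outer header, in the clear
    payload: bytes           # the encrypted original packet, headers and all
    icv: Optional[bytes]     # None when the tunnel has no integrity check


def encapsulate(inner: bytes, src: str, dst: str, check_integrity: bool) -> TunnelPacket:
    """Sending VPN device: encrypt the whole inner packet, prepend a new header,
    and (if the tunnel checks integrity) sign header + encrypted contents."""
    payload = keystream_xor(TUNNEL_KEY, inner)
    header = outer_header(src, dst, len(payload))
    tag = icv(TUNNEL_KEY, header + payload) if check_integrity else None
    return TunnelPacket(header, payload, tag)


def nat_rewrite(pkt: TunnelPacket, new_src: str) -> TunnelPacket:
    """What a NAT in the middle does: replace the outer source address.
    It has no tunnel key, so any ICV is forwarded unchanged."""
    dst = ".".join(str(b) for b in pkt.header[4:8])
    length = struct.unpack("!BH", pkt.header[8:11])[1]
    return TunnelPacket(outer_header(new_src, dst, length), pkt.payload, pkt.icv)


def decapsulate(pkt: TunnelPacket) -> tuple[str, Optional[bytes]]:
    """Receiving VPN device: recompute the ICV over what it sees and compare.
    A mismatch is indistinguishable from deliberate tampering."""
    if pkt.icv is not None:
        expected = icv(TUNNEL_KEY, pkt.header + pkt.payload)
        if not hmac.compare_digest(expected, pkt.icv):
            return "integrity failure", None
    return "ok", keystream_xor(TUNNEL_KEY, pkt.payload)


# Constructed inner packet: private src/dst followed by a bit of application data.
INNER_PACKET = ip4(INNER_SRC) + ip4(INNER_DST) + b"GET / HTTP/1.0\r\n"


def run(check_integrity: bool, nat_in_path: bool) -> tuple[str, Optional[bytes]]:
    """Send one packet through the tunnel, optionally via a NAT, and decapsulate."""
    pkt = encapsulate(INNER_PACKET, VPN_A, VPN_B, check_integrity)
    if nat_in_path:
        pkt = nat_rewrite(pkt, NAT_PUBLIC)
    return decapsulate(pkt)


if __name__ == "__main__":
    for check, nat in [(True, False), (True, True), (False, True)]:
        status, _ = run(check, nat)
        print(f"integrity check={check!s:5} NAT in path={nat!s:5} -> {status}")
```

The thing to take from the model is that a NAT rewrite only trips the receiver's check when the rewritten field is among those the ICV covers; with no check at all (the PPTP case in the reply) the rewritten packet is accepted and the inner packet comes out intact.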
VPN is sponsored by SecurityFocus.COM