ipsec+nat

Laurent Perruche loloz at IFRANCE.COM
Tue Sep 12 02:46:09 EDT 2000


IPsec does work with NAT, if you don't use AH:

NAT is incompatible with AH protocol, whether used in transport or tunnel
mode. An IPsec VPN using AH protocol digitally signs the outbound packets,
both data payload and headers, with a hash value appended to the packet.
When using AH protocol, packet contents (the data payload) are not
encrypted.

Why this bothers NAT is the last part: a NAT device in between the IPsec
endpoints will rewrite either the source or destination address with one of
its own choosing. The VPN device at the receiving end will verify the
integrity of the incoming packet by computing its own hash value, and will
complain that the hash value appended to the received packet doesn't match.
The VPN device at the receiving end doesn't know about the NAT in the
middle, so it assumes that the data has been altered for nefarious purposes.

IPsec using ESP in tunnel mode encapsulates the entire original packet
(including headers) in a new IP packet. The new IP packet's source address
is the outbound address of the sending VPN gateway, and its destination
address is the inbound address of the VPN device at the receiving end. When
using ESP protocol with authentication, the packet contents, but not the new
headers, are signed with a hash value appended to the packet.

This mode (tunnel mode ESP with authentication) is compatible with NAT,
because integrity checks are performed over the combination of the "original
header plus original payload", which is unchanged by a NAT device.
Transport mode ESP with authentication is also compatible with NAT, but is
not often used by itself. Since the hash is computed only over the original
payload, original headers may be rewritten.



----- Original Message -----
From: "Martin, Jose Carlos (Jose)" <martinjc at LUCENT.COM>
To: <VPN at SECURITYFOCUS.COM>
Sent: Thursday, 7 September 2000 18:51
Subject: ipsec+nat


Hello all,

I would like to know if NAT and IPSEC are compatible when using ESP (both
tunnel and transport mode).

Thanks in advance,

José Carlos

VPN is sponsored by SecurityFocus.COM
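The following is an added example, not part of Laurent's post or of any IPsec implementation: a toy model in Python of the two integrity checks described above. It shows why an AH integrity check value (ICV) computed over the outer IP header fails once a NAT device rewrites the source address, while an ESP tunnel-mode ICV, which covers only the encapsulated original packet, still verifies after the same rewrite. The header layout, the key, the addresses and the payload are all constructed for the example; real AH and ESP use HMAC-SHA1-96 or HMAC-SHA2 over precisely specified fields, and encryption of the ESP payload is omitted because it is irrelevant to the NAT argument.

```python
"""Toy model of AH vs. ESP integrity checks under NAT (added example, not from
the original post).  Only the structure of *what the hash covers* is modelled."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace

# Constructed integrity key shared by the two VPN endpoints (not a real SA key).
SA_KEY = b"example-sa-integrity-key"
ICV_LEN = 12  # truncated ICV, as in the HMAC-*-96 variants


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: int
    ttl: int = 64

    def pack(self, zero_mutable: bool = False) -> bytes:
        # src/dst/proto are treated as immutable in transit; TTL is mutable and
        # is zeroed before hashing, as AH does for mutable fields.
        ttl = 0 if zero_mutable else self.ttl
        return struct.pack("!4s4sBB", socket.inet_aton(self.src),
                           socket.inet_aton(self.dst), self.proto, ttl)


def icv(data: bytes) -> bytes:
    return hmac.new(SA_KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(hdr: IPHeader, payload: bytes) -> tuple:
    """AH: ICV over (IP header with mutable fields zeroed) + payload."""
    return hdr, payload, icv(hdr.pack(zero_mutable=True) + payload)


def ah_verify(pkt: tuple) -> bool:
    hdr, payload, tag = pkt
    return hmac.compare_digest(icv(hdr.pack(zero_mutable=True) + payload), tag)


def esp_tunnel_protect(outer: IPHeader, inner: IPHeader, payload: bytes) -> tuple:
    """ESP tunnel mode: the whole original packet becomes the ESP payload; the
    ICV covers that payload but not the new outer header."""
    esp_payload = inner.pack() + payload  # encryption omitted on purpose
    return outer, esp_payload, icv(esp_payload)


def esp_verify(pkt: tuple) -> bool:
    _outer, esp_payload, tag = pkt
    return hmac.compare_digest(icv(esp_payload), tag)


def nat_rewrite(pkt: tuple, new_src: str) -> tuple:
    """A NAT device in the path: rewrites the outer source address and
    decrements TTL, leaving the payload and the appended ICV untouched."""
    hdr, payload, tag = pkt
    return replace(hdr, src=new_src, ttl=hdr.ttl - 1), payload, tag


def demo() -> dict:
    """Returns which checks verify, with and without a NAT in the middle."""
    payload = b"constructed application data"
    inner = IPHeader("10.0.0.5", "10.1.0.7", proto=6)          # original packet
    outer = IPHeader("192.168.1.1", "203.0.113.10", proto=50)  # ESP = proto 50
    ah = ah_protect(IPHeader("192.168.1.1", "203.0.113.10", proto=51), payload)
    esp = esp_tunnel_protect(outer, inner, payload)
    return {
        "ah_no_nat": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite(ah, "198.51.100.1")),
        "esp_no_nat": esp_verify(esp),
        "esp_after_nat": esp_verify(nat_rewrite(esp, "198.51.100.1")),
        # A genuine modification of the protected contents is still caught.
        "esp_tampered": esp_verify((esp[0], esp[1][:-1] + b"X", esp[2])),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14} {'verifies' if ok else 'FAILS'}")
```

Running the block prints that only `ah_after_nat` and `esp_tampered` fail: the AH receiver cannot tell a NAT rewrite from malicious alteration, because both change bytes under its ICV, whereas the ESP receiver never hashes the outer addresses at all and so still detects changes to the protected contents.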
