A doubt on IPSEC & NAT
Ghosh, Debashis (CORP, CIM)
Debashis.Ghosh at GEASN.GE.COM
Tue Feb 13 03:39:08 EST 2001
IPSEC can be of two types: AH and ESP. NAT works with ESP only.... here's
how.....
The IPSec Authentication Header (AH) digitally signs the outbound packet,
both data payload and headers, with a hash value appended to the packet,
verifying the identity of the source and destination machines and the
integrity of the payload. The IPSec Encapsulating Security Payload (ESP)
guarantees the integrity and confidentiality of the data in the original
message by combining a secure hash and encryption of either the original
payload by itself, or the headers and payload of the original packet.
NAT is incompatible with Authentication Header protocol, whether used in
transport or tunnel mode. An IPsec VPN using AH protocol digitally signs the
outbound packet, both data payload and headers, with a hash value appended
to the packet. When using AH protocol, packet contents (the data payload)
are not encrypted.
Why this bothers NAT is the last part: a NAT device in between the IPsec
endpoints will rewrite either the source or destination address with one of
its own choosing. The VPN device at the receiving end will verify the
integrity of the incoming packet by computing its own hash value, and will
complain that the hash value appended to the received packet doesn't match.
The VPN device at the receiving end doesn't know about the NAT in the
middle, so it assumes that the data has been altered for nefarious purposes.
IPsec using Encapsulating Security Payload in tunnel mode encapsulates the
entire original packet (including headers) in a new IP packet. The new IP
packet's source address is the outbound address of the sending VPN gateway,
and its destination address is the inbound address of the VPN device at the
receiving end. When using ESP protocol with authentication, the packet
contents (in this case, the entire original packet) are encrypted. The
encrypted contents, but not the new headers, are signed with a hash value
appended to the packet.
This mode (tunnel mode ESP with authentication) is compatible with NAT,
because integrity checks are performed over the combination of the "original
header plus original payload," which is unchanged by a NAT device. Transport
mode ESP with authentication is also compatible with NAT, but is not often
used by itself. Since the hash is computed only over the original payload,
original headers may be rewritten.
In addition, NAT may interfere with IPSec (both ESP and AH) if it prevents
the two VPN gateways from successfully negotiating SAs using ISAKMP/IKE with
certificates. X.509 certificates are signed by a trusted third party (called
a Certificate Authority) in order to bind a user's or device's public key to
some other identifying public characteristic. One common identifying
characteristic used for VPN gateway devices is external IP address.
If the two VPN gateways exchange signed certificates that bind each
gateway's identity to its IP address, NAT address rewriting will cause IKE
negotiation to fail.
Hope this helps!!
Regards and Thanks,
Debashis
_________________
Debashis Ghosh
VPN Product Manager - ASPAC,
GE Corporate Information Management
GE Towers #07-00
240 Tanjong Pagar Road,
Tel: 65 3263240; DC: 533 3240
-----Original Message-----
From: K Anjaneya Sharma [mailto:sharma at BANYANNETWORKS.COM]
Sent: Tuesday, February 13, 2001 3:47 PM
To: VPN at SECURITYFOCUS.COM
Subject: A doubt on IPSEC & NAT
Hi Friends,
I am new to VPN. I have a basic doubt with IPSEC and NAT.
Will IPsec and NAT work together? If so, how? Can u please explain.
If u have already discussed please provide me pointers for the same.
Thanks
Waiting for reply
with regards
sharma
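The integrity-check behaviour Debashis describes above (AH covering the IP header so a NAT rewrite breaks verification, tunnel-mode ESP covering only the encapsulated inner packet so it survives) can be modelled in a few lines. The following is an added example, not code from the original post or from any IPsec implementation: HMAC-SHA256 truncated to 96 bits stands in for the AH/ESP integrity check value, addresses are plain strings, the shared key and the RFC 5737 documentation addresses are constructed, and ESP encryption is omitted because it does not change which bytes the ICV covers.

```python
"""Toy model of why NAT breaks IPsec AH but not tunnel-mode ESP integrity checks.

Constructed example: HMAC-SHA256 truncated to 96 bits plays the role of the
AH/ESP integrity check value (ICV). Addresses are strings and a "packet" is a
small dataclass; there is no real IP framing or encryption.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed shared key for the security association (assumption, not a real key).
SA_KEY = b"constructed-sa-key-not-a-real-secret"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""


def _icv(data: bytes) -> bytes:
    # AH and ESP authentication both use a keyed hash over the covered bytes;
    # real AH/ESP truncate the HMAC output to 96 bits, which is mirrored here.
    return hmac.new(SA_KEY, data, hashlib.sha256).digest()[:12]


def _ah_covered(pkt: Packet) -> bytes:
    # AH covers the addresses in the IP header as well as the payload.
    return pkt.src.encode() + b"|" + pkt.dst.encode() + b"|" + pkt.payload


def ah_protect(pkt: Packet) -> Packet:
    return Packet(pkt.src, pkt.dst, pkt.payload, _icv(_ah_covered(pkt)))


def ah_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(_icv(_ah_covered(pkt)), pkt.icv)


def esp_tunnel_protect(inner: Packet, gw_src: str, gw_dst: str) -> Packet:
    # Tunnel-mode ESP: the whole inner packet (its headers and payload) becomes
    # the payload of a new outer packet between the two gateways. The ICV covers
    # only that inner packet, never the outer header a NAT device will rewrite.
    inner_bytes = inner.src.encode() + b"|" + inner.dst.encode() + b"|" + inner.payload
    return Packet(gw_src, gw_dst, inner_bytes, _icv(inner_bytes))


def esp_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(_icv(pkt.payload), pkt.icv)


def nat_rewrite_src(pkt: Packet, public_ip: str) -> Packet:
    # A NAT device between the IPsec endpoints replaces the source address
    # with one of its own; it cannot recompute the ICV because it lacks SA_KEY.
    return Packet(public_ip, pkt.dst, pkt.payload, pkt.icv)


def demo() -> dict:
    # Constructed hosts and gateways using RFC 5737 documentation ranges.
    host_pkt = Packet("192.0.2.10", "198.51.100.20", b"GET / HTTP/1.0\r\n")
    nat_ip = "203.0.113.1"

    ah_pkt = nat_rewrite_src(ah_protect(host_pkt), nat_ip)
    esp_pkt = nat_rewrite_src(
        esp_tunnel_protect(host_pkt, "192.0.2.1", "198.51.100.1"), nat_ip
    )
    return {
        "ah_without_nat": ah_verify(ah_protect(host_pkt)),
        "ah_after_nat": ah_verify(ah_pkt),          # receiver sees a mismatch
        "esp_tunnel_after_nat": esp_verify(esp_pkt),  # inner packet untouched
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'ICV MISMATCH'}")
```

The receiving gateway in this model behaves exactly as the reply says: it recomputes the hash over the bytes it received, and for AH those bytes include the address the NAT changed, so the check fails even though nothing malicious happened.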
VPN is sponsored by SecurityFocus.COM