A doubt on IPSEC & NAT

Clement Dupuis cdupuis at CCCURE.ORG
Tue Feb 13 13:36:09 EST 2001 

Good day Tina,

I have seen multiple devices, more specifically DSL routers such as Nexland
that annonce DSL passthrough up to 100 clients.

Have you been using such a device and do they really allow IPSEC through

Thanks

Clement

> -----Original Message-----
> From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Tina
> Bird
> Sent: 13 fevrier, 2001 10:51
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: A doubt on IPSEC & NAT
>
>
> NAT causes another problem with IKE, as some unfortunately
> souls trying to use VPN clients behind a firewall have
> discovered.
>
> If you're behind a machine doing address translation that
> also modifies the source port of your IKE packet, it won't
> be recognized by the IKE server.  For some reason that I've
> never understood, IKE expects source and destination port to
> be UDP 500, not just destination port like most of the other
> services out there.  So even if you managed to disable all
> the mechanisms which check for header consistency in the
> IPsec communications, you'd still be in trouble.
>
> I agree with Joel -- NAT is evil, but man!  given the large
> number of places I'm stuck using it, it would be nice to have
> a little more flexibility in the IPsec protocols.
>
> cheers -- tbird
>
> On Tue, 13 Feb 2001, Joel M Snyder wrote:
>
> > Date: Tue, 13 Feb 2001 09:13:33 -0700
> > From: Joel M Snyder <Joel.Snyder at OPUS1.COM>
> > To: VPN at SECURITYFOCUS.COM
> > Subject: Re: A doubt on IPSEC & NAT
> >
> > >
> > > In addition, NAT may interfere with IPSec (both ESP and AH)
> if it prevents
> > > the two VPN gateways from successfully negotiating SAs using
> ISAKMP/IKE with
> > > certificates. X.509 certificates are signed by a trusted
> third party (called
> > > a Certificate Authority) in order to bind a user's or
> device's public key to
> > > some other identifying public characteristic. Once common identifying
> > > characteristic used for VPN gateway devices is external IP address.
> >
> > The problem is worse than that.  There are about 10 different ways in
> > which the X.509 identity can be presented in the IKE authentication
> > payload.  IP address is one, but FQDNs are another, and if you bother to
> > check FQDNs (many vendors don't), then the identity can still fail.
> > Even if you use DN (type 9), which is fairly common among IPSEC vendors,
> > you may run afoul of subfields.
> >
> > And this assumes you want to use certs and not something simple, like
> > PSS.
> >
> > But NAT breaks things yet another way: assuming you are able to get
> > Phase 1 up with IKE, you still have to negotiate Quick Mode.  What IP
> > address is going to go into the identification payloads for the QM SA?
> > Each side has a different view of what the two IP addresses (or, more
> > typically, IP address and set of IP address ranges and subnets on the
> > gateway side) are to be protected with ESP.  If those fail consistency
> > checks or simply don't match, the QM SA might be established,
> but useless.
> >
> > The short answer is that NAT is an evil thing and while it is possible
> > to get IPSEC going through NAT, it's a lot better to do it the
> other way around.
> >
> > jms
> >
> > VPN is sponsored by SecurityFocus.COM
> >
>
> VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html
> life: http://kubarb.phsx.ukans.edu/~tbird
> work: http://www.counterpane.com
>
> VPN is sponsored by SecurityFocus.COM
>
>

VPN is sponsored by SecurityFocus.COM

More information about the VPN mailing list