A doubt on IPSEC & NAT

Philipp Buehler lists at FIPS.DE
Wed Feb 14 00:35:57 EST 2001


On 13/02/2001, Joel M Snyder <Joel.Snyder at OPUS1.COM> wrote To VPN at SECURITYFOCUS.COM:
> The problem is worse than that.  There are about 10 different ways in
> which the X.509 identity can be presented in the IKE authentication
> payload.  IP address is one, but FQDNs are another, and if you bother to
> check FQDNs (many vendors don't), then the identity can still fail.
> Even if you use DN (type 9), which is fairly common among IPSEC vendors,
> you may run afoul of subfields.
Beat the vendor or, if possible, change product (maybe one side is
enough :>)

> But NAT breaks things yet another way: assuming you are able to get
> Phase 1 up with IKE, you still have to negotiate Quick Mode.  What IP
> address is going to go into the identification payloads for the QM SA?
Two thoughts:
- NAT incoming packets for their source address before/on the gate
- Aggressive mode?

> The short answer is that NAT is an evil thing and while it is possible
> to get IPSEC going through NAT, it's a lot better to do it the other way around.
Redesign of existing networks is, uhm, not always an option.
Pick appropriate software to handle certs correctly, or other
concepts.
Yes, people buy and then start to run into problems (with NAT and other
stuff). But this is bad planning and not a problem of NAT or IPSec.

ciao
--
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | <double-p>

#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?

VPN is sponsored by SecurityFocus.COM
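As an added example that is not part of this thread (and not any vendor's code), the following decodes the IKEv1 Identification payload the messages above argue about, names the ID types from the IPsec DOI (RFC 2407), and flags the case where an address-based identity no longer matches the outer source address seen after NAT. The payload bytes are constructed inline; 10.0.0.5 and 203.0.113.7 are made-up inner and post-translation addresses.

```python
"""Decode IKEv1 (ISAKMP) Identification payloads and detect the NAT mismatch.
Layout (RFC 2408 s3.8 with the IPsec DOI of RFC 2407 s4.6.2):
  next-payload(1) reserved(1) length(2) id-type(1) protocol-id(1) port(2) data(n)
"""
import ipaddress
import struct

# Identification types of the IPsec DOI (RFC 2407 section 4.6.2.1)
ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 4: "ID_IPV4_ADDR_SUBNET",
    5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET", 7: "ID_IPV4_ADDR_RANGE",
    8: "ID_IPV6_ADDR_RANGE", 9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID",
}


def build_id_payload(id_type: int, data: bytes, proto: int = 0, port: int = 0) -> bytes:
    """Assemble one Identification payload (next-payload = 0 = NONE) for test input."""
    return struct.pack("!BBHBBH", 0, 0, 8 + len(data), id_type, proto, port) + data


def parse_id_payload(raw: bytes) -> dict:
    """Return the decoded fields of one Identification payload; raise on malformed input."""
    if len(raw) < 8:
        raise ValueError("truncated identification payload header")
    _next, _reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", raw[:8])
    if length < 8 or length > len(raw):
        raise ValueError(f"bad payload length {length}")
    data = raw[8:length]
    if id_type == 1:                       # ID_IPV4_ADDR: exactly one address
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 bytes")
        identity = str(ipaddress.IPv4Address(data))
    elif id_type == 4:                     # ID_IPV4_ADDR_SUBNET: address + mask
        if len(data) != 8:
            raise ValueError("ID_IPV4_ADDR_SUBNET needs exactly 8 bytes")
        identity = f"{ipaddress.IPv4Address(data[:4])}/{ipaddress.IPv4Address(data[4:])}"
    elif id_type in (2, 3):                # FQDN / USER_FQDN are plain text
        identity = data.decode("ascii")
    else:                                  # DN, GN, KEY_ID: kept opaque here
        identity = data.hex()
    return {"type": ID_TYPES.get(id_type, f"unknown({id_type})"),
            "protocol": proto, "port": port, "identity": identity}


def nat_mismatch(payload: dict, observed_src: str) -> bool:
    """True when an address identity disagrees with the source address the packet arrived from."""
    return payload["type"] == "ID_IPV4_ADDR" and payload["identity"] != observed_src


if __name__ == "__main__":
    inner = parse_id_payload(build_id_payload(1, bytes([10, 0, 0, 5])))
    print(inner, "mismatch after NAT:", nat_mismatch(inner, "203.0.113.7"))
```

An FQDN or DN identity is not affected by the address rewrite, which is why the thread points to certificates and non-address identities as the workable direction.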