Firewall Wizards mailing list archives

IPsec and NAT [was: Placement of a VPN Appliance]


From: Valerie Anne Bubb <bubbva () incog com>
Date: Fri, 5 Jan 2001 17:48:22 -0800 (PST)


From: Ben Nagy <ben.nagy () marconi com au>
Subject: RE: [fw-wiz] Placement of a VPN Appliance
Date: Fri, 5 Jan 2001 08:47:19 +1030 

UDP encapsulated IPsec? Could you elaborate or direct me to where I can
find more about this?

Not much to say, really. The concept is that you take the IPSec packet
you're about to send and wrap it in another UDP packet. All NAT etc gets
performed on the outer UDP wrapper. When the other VPN device receives the
packet it discards the wrapper and looks at the IP addressing on the IPSec
packet within - which will typically have private src/dest IPs.

Is this all done by the same device?  That is, is one device
encrypting, adding the UDP header, and doing the NAT?

That seems like a lot of extra work, and also requires another
machine compatible with your way of wrapping it in a UDP packet
at the other end (instead of any IPsec VPN product to any other
brand's IPsec VPN product).

This would seem to make NAT useless in scenarios where
you and your partner have overlapping IP addresses on
your internal networks (or, as is often seen when one company
absorbs another), or am I missing something?

Now, if this is just used in the context we were previously
discussing, when the VPN host and the NAT box are two
separate boxes, that would make more sense. (and would
be a very good reason for doing your VPN and NAT with one
product on the same box).

thanks
Valerie
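
Added example, not part of the original posts: a Python model of the wrapping described in the quoted reply, where the whole IPsec packet rides as UDP payload, a NAT/PAT box rewrites only the outer header, and the receiving device strips the wrapper. The wrapper port, SPI and all addresses are constructed for illustration; the thread names none of them.

```python
import socket
import struct

ESP, UDP = 50, 17   # IP protocol numbers
WRAP_PORT = 4500    # assumed wrapper port; the thread does not name one

def checksum(hdr: bytes) -> int:
    """Internet checksum over an even-length header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def udp(sport: int, dport: int, payload: bytes) -> bytes:
    # Checksum 0 means "not computed", which UDP over IPv4 permits.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def addrs(pkt: bytes) -> tuple:
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

def encapsulate(ipsec_pkt: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Sending VPN device: the whole IPsec packet becomes UDP payload."""
    return ipv4(outer_src, outer_dst, UDP, udp(WRAP_PORT, WRAP_PORT, ipsec_pkt))

def nat_rewrite(pkt: bytes, new_src: str, new_sport: int) -> bytes:
    """Source NAT/PAT: rewrites only the outer IP source and UDP source port."""
    if pkt[9] != UDP:
        raise ValueError("this PAT model only handles UDP")
    dport = struct.unpack("!H", pkt[22:24])[0]
    return ipv4(new_src, addrs(pkt)[1], UDP, udp(new_sport, dport, pkt[28:]))

def decapsulate(pkt: bytes) -> bytes:
    """Receiving VPN device: discard the wrapper, return the IPsec packet."""
    if pkt[9] != UDP or struct.unpack("!H", pkt[22:24])[0] != WRAP_PORT:
        raise ValueError("not a UDP-wrapped IPsec packet")
    return pkt[28:]

def demo():
    # Constructed ESP body: SPI, sequence number, stand-in ciphertext.
    esp = struct.pack("!II", 0x1001, 1) + b"\xaa" * 32
    inner = ipv4("10.1.1.5", "10.2.2.9", ESP, esp)
    natted = nat_rewrite(encapsulate(inner, "192.168.0.2", "203.0.113.10"),
                         "198.51.100.7", 61001)
    return inner, natted, decapsulate(natted)
```

decapsulate() is the step the far-end device also has to implement, which is the interoperability cost raised in the message above.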
