nanog mailing list archives
Re: IPSEC and PAT
From: Bora Akyol <akyol () akyol org>
Date: Thu, 13 Sep 2001 20:30:40 -0700
I believe that at least one VPN client also does UDP encapsulation for IPSEC packets specifically for NAT traversal.
Bora

On Thursday, September 13, 2001, at 08:23 PM, Tony Rall wrote:
> On Thursday, 2001/09/13 at 21:43 AST, "Steven M. Bellovin" <smb () research att com> wrote:
>
> > I repeat -- it doesn't do PAT. Some "routers" -- they're really no such thing, of course; they're NAT boxes and/or bridges -- allow one host behind them to speak IPsec. If a host emits a packet using ESP, it's tagged as *the* IPsec user; return IPsec packets are routed to that host. (Some of these boxes may use manual configuration instead or in addition.) You can't have two IPsec hosts, because there's no way to know which should receive incoming packets -- there's no relationship between inbound and outbound SPIs.
>
> Actually you can have multiple IPSEC sessions hidden behind a NAT box with a single public IP address - we've found several vendors' "routers" that can work in this environment. I believe the key is that each tunnel must be to distinct remote IP addresses. All the NAT box has available to separate the traffic for the different tunnels (which use IP protocol 50) is the address of the other end of the tunnel, but that is all it needs.
>
> Of course, many users would like to have multiple tunnels to the same partner. I don't know how that is possible with current IPSEC technology.
>
> Tony Rall
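The behaviour the three posts above describe, as an added Python model (this is not code from the thread or from any vendor's NAT box; the addresses, SPIs and port numbers are constructed). It shows why a NAT that sees only raw ESP (IP protocol 50) can key return traffic on nothing but the remote peer address, why that refuses a second inside host to the same peer and cannot use the SPI (the inbound SPI was chosen by the inside host and never appeared in outbound packets), and why wrapping ESP in UDP, as Bora's VPN client does and as RFC 3948 later standardized on port 4500, turns the problem into ordinary port translation:

```python
import struct
from dataclasses import dataclass

ESP = 50           # IP protocol number for ESP (the thread's "protocol 50")
UDP = 17
NAT_T_PORT = 4500  # UDP port later standardized for ESP-in-UDP (RFC 3948)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes   # ESP header (SPI, sequence number) followed by the encrypted body
    sport: int = 0   # UDP ports; zero for raw ESP, which carries no ports
    dport: int = 0


def esp_packet(src, dst, spi, seq, body=b"\x00" * 16):
    """Raw ESP in IP. The SPI of an SA is chosen by the *receiver* of that SA, so the
    SPI on packets leaving the NAT and the SPI on packets coming back are unrelated."""
    return Packet(src, dst, ESP, struct.pack("!II", spi, seq) + body)


def udp_esp_packet(src, sport, dst, dport, spi, seq, body=b"\x00" * 16):
    """The same ESP packet wrapped in UDP. In RFC 3948 the ESP header follows the UDP
    header directly (an IKE datagram on 4500 starts with a 4-byte zero marker instead)."""
    return Packet(src, dst, UDP, struct.pack("!II", spi, seq) + body, sport, dport)


def spi_of(pkt):
    return struct.unpack("!I", pkt.payload[:4])[0]


class NatBox:
    """Single-public-address NAT that handles ESP the way the thread describes:
    the first inside host to send ESP to a peer owns that peer's return traffic."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.esp_owner = {}     # remote peer address -> inside host tagged as *the* IPsec user
        self.seen_spis = set()  # SPIs seen on outbound ESP; never match inbound ones
        self.udp_out = {}       # (inside ip, inside port) -> public port
        self.udp_in = {}        # public port -> (inside ip, inside port)
        self._next_port = 40000

    def outbound(self, p):
        if p.proto == ESP:
            owner = self.esp_owner.setdefault(p.dst, p.src)
            if owner != p.src:
                return None     # second inside host to the same peer: cannot be told apart on return
            self.seen_spis.add(spi_of(p))
            return Packet(self.public_ip, p.dst, ESP, p.payload)
        if p.proto == UDP:      # ordinary PAT on the UDP source port
            key = (p.src, p.sport)
            if key not in self.udp_out:
                self.udp_out[key] = self._next_port
                self.udp_in[self._next_port] = key
                self._next_port += 1
            return Packet(self.public_ip, p.dst, UDP, p.payload, self.udp_out[key], p.dport)
        return None

    def inbound(self, p):
        if p.proto == ESP:
            # The only usable key is the peer address; the inbound SPI was picked by the
            # inside host for its inbound SA and is unknown to the NAT.
            inside = self.esp_owner.get(p.src)
            return None if inside is None else Packet(p.src, inside, ESP, p.payload)
        if p.proto == UDP:
            hit = self.udp_in.get(p.dport)
            if hit is None:
                return None
            inside_ip, inside_port = hit
            return Packet(p.src, inside_ip, UDP, p.payload, p.sport, inside_port)
        return None


def run_scenarios():
    """Constructed addresses, SPIs and ports; returns what each setup does."""
    out = {}
    peer, other = "203.0.113.5", "198.51.100.7"

    # 1. Raw ESP, two inside hosts to the same peer: the second is refused, and the
    #    peer's reply is handed to the tagged host whatever SPI it carries.
    nat = NatBox("192.0.2.1")
    a = nat.outbound(esp_packet("10.0.0.2", peer, spi=0x1001, seq=1))
    b = nat.outbound(esp_packet("10.0.0.3", peer, spi=0x1002, seq=1))
    reply = nat.inbound(esp_packet(peer, nat.public_ip, spi=0xB003, seq=1))  # SA meant for 10.0.0.3
    out["raw_same_peer"] = (a.src, b, reply.dst, spi_of(reply) in nat.seen_spis)

    # 2. Raw ESP to distinct peers works: the peer address alone separates the tunnels.
    nat = NatBox("192.0.2.1")
    nat.outbound(esp_packet("10.0.0.2", peer, spi=0x1001, seq=1))
    nat.outbound(esp_packet("10.0.0.3", other, spi=0x1002, seq=1))
    r1 = nat.inbound(esp_packet(peer, nat.public_ip, spi=0xB002, seq=1))
    r2 = nat.inbound(esp_packet(other, nat.public_ip, spi=0xB003, seq=1))
    out["raw_distinct_peers"] = (r1.dst, r2.dst)

    # 3. ESP in UDP to the same peer: distinct public ports carry the replies home.
    nat = NatBox("192.0.2.1")
    u1 = nat.outbound(udp_esp_packet("10.0.0.2", NAT_T_PORT, peer, NAT_T_PORT, spi=0x1001, seq=1))
    u2 = nat.outbound(udp_esp_packet("10.0.0.3", NAT_T_PORT, peer, NAT_T_PORT, spi=0x1002, seq=1))
    r1 = nat.inbound(udp_esp_packet(peer, NAT_T_PORT, nat.public_ip, u1.sport, spi=0xB002, seq=1))
    r2 = nat.inbound(udp_esp_packet(peer, NAT_T_PORT, nat.public_ip, u2.sport, spi=0xB003, seq=1))
    out["udp_same_peer"] = (u1.sport != u2.sport, r1.dst, r2.dst)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The model deliberately keeps the ESP path free of any SPI lookup: recording outbound SPIs and checking them on the way in would not help, which is exactly Bellovin's point, and the `seen_spis` set is there only to make that visible in the first scenario.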
Current thread:
- IPSEC and PAT Vandy Hamidi (Sep 13)
- <Possible follow-ups>
- Re: IPSEC and PAT Steven M. Bellovin (Sep 13)
- Re: IPSEC and PAT Adam Herscher (Sep 13)
- RE: IPSEC and PAT Vandy Hamidi (Sep 13)
- Re: IPSEC and PAT Steven M. Bellovin (Sep 13)
- RE: IPSEC and PAT Tim Irwin (Sep 13)
- RE: IPSEC and PAT Vandy Hamidi (Sep 13)
- Re: IPSEC and PAT Tony Rall (Sep 13)
- Re: IPSEC and PAT Bora Akyol (Sep 13)
- Re: IPSEC and PAT Chris Grout (Sep 13)
- Re: IPSEC and PAT Adam Herscher (Sep 13)
- Re: IPSEC and PAT Bora Akyol (Sep 13)
- Re: IPSEC and PAT Steven M. Bellovin (Sep 13)