Re: IPSEC and PAT

[Bora Akyol <akyol () akyol org>]

I believe that at least one VPN client also does UDP encapsulation for 
IPSEC packets specifically for NAT traversal.

Bora


On Thursday, September 13, 2001, at 08:23 PM, Tony Rall wrote:

> On Thursday, 2001/09/13 at 21:43 AST, "Steven M. Bellovin"
> <smb () research att com> wrote:
> > I repeat -- it doesn't do PAT.  Some "routers" -- they're really no
> > such thing, of course; they're NAT boxes and/or bridges -- allow one
> > host behind them to speak IPsec.  If a host emits a packet using ESP,
> > it's tagged as *the* IPsec user; return IPsec packets are routed to
> > that host.  (Some of these boxes may use manual configuration instead
> > or in addition.)  You can't have two IPsec hosts, because there's no
> > way to know which should receive incoming packets -- there's no
> > relationship between inbound and outbound SPIs.
>
> Actually you can have multiple IPSEC sessions hidden behind a NAT box 
> with
> a single public IP address - we've found several vendors' "routers" that
> can work in this environment.  I believe the key is that each tunnel 
> must
> be to distinct remote IP addresses.  All the NAT box has available to
> separate the traffic for the different tunnels (which use IP protocol 
> 50)
> is the address of the other end of the tunnel, but that is all it needs.
>
> Of course, many users would like to have multiple tunnels to the same
> partner.  I don't know how that is possible with current IPSEC 
> technology.
>
> Tony Rall