IPSEC and PAT
Bora Akyol
akyol at akyol.org
Fri Sep 14 03:30:40 UTC 2001
I believe that at least one VPN client also does UDP encapsulation for
IPSEC packets specifically for NAT traversal.
Bora
On Thursday, September 13, 2001, at 08:23 PM, Tony Rall wrote:
>
> On Thursday, 2001/09/13 at 21:43 AST, "Steven M. Bellovin"
> <smb at research.att.com> wrote:
>> I repeat -- it doesn't do PAT. Some "routers" -- they're really no
>> such thing, of course; they're NAT boxes and/or bridges -- allow one
>> host behind them to speak IPsec. If a host emits a packet using ESP,
>> it's tagged as *the* IPsec user; return IPsec packets are routed to
>> that host. (Some of these boxes may use manual configuration instead
>> or in addition.) You can't have two IPsec hosts, because there's no
>> way to know which should receive incoming packets -- there's no
>> relationship between inbound and outbound SPIs.
>
> Actually you can have multiple IPSEC sessions hidden behind a NAT box with
> a single public IP address - we've found several vendors' "routers" that
> can work in this environment. I believe the key is that each tunnel must
> be to distinct remote IP addresses. All the NAT box has available to
> separate the traffic for the different tunnels (which use IP protocol 50)
> is the address of the other end of the tunnel, but that is all it needs.
>
> Of course, many users would like to have multiple tunnels to the same
> partner. I don't know how that is possible with current IPSEC
> technology.
>
> Tony Rall
>
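The constraint argued in the quoted exchange, modelled as an added Python example that is not part of the original thread: a NAT box can key raw ESP (protocol 50, no ports, unrelated inbound/outbound SPIs) only on the remote address, so two inside hosts to the same peer collide, while UDP-encapsulated ESP gives PAT a per-host port. The addresses, port 4500 and the table layout are constructed assumptions for the model.

```python
from __future__ import annotations
from dataclasses import dataclass

ESP, UDP = 50, 17  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0  # UDP only; ESP carries no port
    dport: int = 0


class NatBox:
    """Constructed model of a PAT box with a single public address."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.esp_owner: dict[str, str] = {}  # remote ip -> inside host
        # (remote ip, remote port, public port) -> (inside ip, inside port)
        self.pat: dict[tuple[str, int, int], tuple[str, int]] = {}
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet | None:
        if pkt.proto == ESP:
            # No port and no SPI relationship: the remote address is the
            # only demultiplexing key, so a second owner cannot be added.
            owner = self.esp_owner.setdefault(pkt.dst, pkt.src)
            if owner != pkt.src:
                return None
            return Packet(self.public_ip, pkt.dst, ESP)
        # UDP-encapsulated ESP: reuse an existing mapping if one matches.
        for (rip, rport, pport), (iip, iport) in self.pat.items():
            if (rip, rport, iip, iport) == (pkt.dst, pkt.dport, pkt.src, pkt.sport):
                return Packet(self.public_ip, pkt.dst, UDP, pport, pkt.dport)
        # Otherwise allocate a fresh public port per inside host.
        pport, self.next_port = self.next_port, self.next_port + 1
        self.pat[(pkt.dst, pkt.dport, pport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pkt.dst, UDP, pport, pkt.dport)

    def inbound(self, pkt: Packet) -> Packet:
        if pkt.proto == ESP:
            return Packet(pkt.src, self.esp_owner[pkt.src], ESP)
        iip, iport = self.pat[(pkt.src, pkt.sport, pkt.dport)]
        return Packet(pkt.src, iip, UDP, pkt.sport, iport)
```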