IPSEC and PAT

Bora Akyol akyol at akyol.org
Fri Sep 14 03:30:40 UTC 2001


I believe that at least one VPN client also does UDP encapsulation for 
IPSEC packets specifically for NAT traversal.

Bora


On Thursday, September 13, 2001, at 08:23 PM, Tony Rall wrote:

>
> On Thursday, 2001/09/13 at 21:43 AST, "Steven M. Bellovin"
> <smb at research.att.com> wrote:
>> I repeat -- it doesn't do PAT.  Some "routers" -- they're really no
>> such thing, of course; they're NAT boxes and/or bridges -- allow one
>> host behind them to speak IPsec.  If a host emits a packet using ESP,
>> it's tagged as *the* IPsec user; return IPsec packets are routed to
>> that host.  (Some of these boxes may use manual configuration instead
>> or in addition.)  You can't have two IPsec hosts, because there's no
>> way to know which should receive incoming packets -- there's no
>> relationship between inbound and outbound SPIs.
>
> Actually you can have multiple IPSEC sessions hidden behind a NAT box with
> a single public IP address - we've found several vendors' "routers" that
> can work in this environment.  I believe the key is that each tunnel must
> be to distinct remote IP addresses.  All the NAT box has available to
> separate the traffic for the different tunnels (which use IP protocol 50)
> is the address of the other end of the tunnel, but that is all it needs.
>
> Of course, many users would like to have multiple tunnels to the same
> partner.  I don't know how that is possible with current IPSEC
> technology.
>
> Tony Rall
>
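
The two behaviours discussed in this thread, a NAT box keying raw ESP (IP protocol 50) only on the remote peer's address versus ESP carried inside UDP so that ordinary port translation can demultiplex it, as an added toy model. This is illustrative code written for this archive page, not code from any of the posters or from any vendor's NAT implementation. It assumes a single public address, uses constructed RFC 5737 documentation addresses, models packets as plain dicts, and uses UDP port 4500 for the encapsulation as later standardized in RFC 3948 (the 2001 post does not name a port). The refuse-the-second-host policy in RawEspNat is one of the possible behaviours; the quoted text notes that some boxes tag the first ESP sender instead.

```python
"""Toy model of a NAT box with one public address carrying IPsec from several
inside hosts. Written for this page as an illustration, not any vendor's NAT
code; addresses are constructed (RFC 5737 ranges). Packets are plain dicts.
The SPI is carried but never used as a key: the NAT cannot relate the SPI a
peer sends inbound to the SPI the inside host used outbound."""

ESP, UDP = 50, 17           # IP protocol numbers
NAT_T_PORT = 4500           # UDP port for ESP-in-UDP encapsulation (RFC 3948)
PUBLIC_IP = "203.0.113.1"   # the NAT box's single public address (constructed)


class RawEspNat:
    """Raw ESP (protocol 50): the only usable demux key is the peer address."""

    def __init__(self):
        self.by_peer = {}   # remote peer -> inside host that owns that tunnel

    def outbound(self, pkt):
        assert pkt["proto"] == ESP
        inside, peer = pkt["src"], pkt["dst"]
        if self.by_peer.setdefault(peer, inside) != inside:
            # A second inside host wants the same peer. Inbound ESP from that
            # peer has no port and an unrelated SPI, so the box cannot tell the
            # tunnels apart. We refuse the newcomer; boxes that instead overwrite
            # the mapping silently starve the first host of its peer's packets.
            return None
        return {**pkt, "src": PUBLIC_IP}

    def inbound(self, pkt):
        assert pkt["proto"] == ESP and pkt["dst"] == PUBLIC_IP
        inside = self.by_peer.get(pkt["src"])
        return None if inside is None else {**pkt, "dst": inside}


class UdpPat:
    """ESP-in-UDP: the translated source port becomes the demux key (PAT)."""

    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.out_map = {}   # (inside, sport, peer, dport) -> public port
        self.in_map = {}    # (public port, peer, dport) -> (inside, sport)

    def outbound(self, pkt):
        assert pkt["proto"] == UDP
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        pub = self.out_map.get(key)
        if pub is None:                      # first packet of this flow
            pub, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = pub
            self.in_map[(pub, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": PUBLIC_IP, "sport": pub}

    def inbound(self, pkt):
        assert pkt["proto"] == UDP and pkt["dst"] == PUBLIC_IP
        hit = self.in_map.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if hit is None:
            return None
        inside, sport = hit
        return {**pkt, "dst": inside, "dport": sport}


def esp(src, dst, spi):
    return {"proto": ESP, "src": src, "dst": dst, "spi": spi}


def esp_in_udp(src, dst, spi, sport=NAT_T_PORT, dport=NAT_T_PORT):
    return {"proto": UDP, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "spi": spi}


HOST_A, HOST_B, HOST_C = "10.0.0.10", "10.0.0.11", "10.0.0.12"   # inside hosts
PEER_1, PEER_2 = "198.51.100.1", "198.51.100.2"                 # remote gateways


def scenario_raw_esp():
    """Distinct peers work (Tony Rall's case); a second host to one peer fails."""
    nat = RawEspNat()
    r = {}
    r["a_to_peer1"] = nat.outbound(esp(HOST_A, PEER_1, 0x1001)) is not None
    r["b_to_peer2"] = nat.outbound(esp(HOST_B, PEER_2, 0x2002)) is not None
    # Replies carry SPIs the inside hosts chose; the NAT never looks at them.
    r["peer1_reply_to"] = nat.inbound(esp(PEER_1, PUBLIC_IP, 0xAAAA))["dst"]
    r["peer2_reply_to"] = nat.inbound(esp(PEER_2, PUBLIC_IP, 0xBBBB))["dst"]
    r["c_to_peer1"] = nat.outbound(esp(HOST_C, PEER_1, 0x3003)) is not None
    return r


def scenario_udp_encap():
    """With ESP-in-UDP, two inside hosts reach the same peer via distinct ports."""
    pat = UdpPat()
    a = pat.outbound(esp_in_udp(HOST_A, PEER_1, 0x1001))
    c = pat.outbound(esp_in_udp(HOST_C, PEER_1, 0x3003))
    # The peer replies to the public port it saw; that port selects the host.
    reply_a = esp_in_udp(PEER_1, PUBLIC_IP, 0xAAAA, dport=a["sport"])
    reply_c = esp_in_udp(PEER_1, PUBLIC_IP, 0xCCCC, dport=c["sport"])
    return {"ports": (a["sport"], c["sport"]),
            "reply_to_a": pat.inbound(reply_a)["dst"],
            "reply_to_c": pat.inbound(reply_c)["dst"]}


if __name__ == "__main__":
    print(scenario_raw_esp())
    print(scenario_udp_encap())
```

Running the script shows the two cases side by side: with raw ESP, hosts A and B each reach a different peer and get their replies back, but host C's attempt to reach peer 1 cannot be given a distinguishable return path; with ESP-in-UDP, hosts A and C both reach peer 1 through two different translated ports and the peer's replies are routed back to the right host by port alone. The model also makes explicit why SPI-based demultiplexing is not available to the NAT: it would have to learn, from the IKE exchange, which inbound SPI each inside host negotiated, which a plain address translator does not do.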
