Block all servers?
Crist Clark
crist.clark at globalstar.com
Tue Oct 14 20:08:21 UTC 2003
Kee Hinckley wrote:
>
> At 6:30 PM +0200 10/14/03, Stefan Mink wrote:
> >On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote:
> >> > I use IPSEC and it works fine behind NAT.
> >>
> >> Yes, it does work, on a small scale. However what if your neighbor
> >> wants to IPSEC to the same place (say you work at the same place).
> >> If both of you are NAT'd from the same IP address trying to IPSEC
> >> to the same IP address? I don't believe things will work in this
> >> instance.
> >
> >why not? We use it here, works fine (with certificates for auth).
>
> From what I've seen it depends on whether the NAT has specific
> support for IPSEC, and if that support includes support for multiple
> clients. The NAT box has to keep track of the mapping. I've seen
> NATs priced based on how many VPN clients they support at a time.
>
> See http://www.dslreports.com/faq/4638
Quoting from that,
Some routers permit multiple IPSec connections through NAT by uniquely
identifying tunnels via the pair of SPI numbers snagged from an IKE
exchange. These identifying numbers are stored in IPSec NAT table entries
to allow correct routing of inbound ESP traffic.
Last time I looked, the SPIs are exchanged in an encrypted payload in
IKE. Am I mistaken? The router would have to mount a successful MIM
attack to do this.
--
Crist J. Clark crist.clark at globalstar.com
Globalstar Communications (408) 933-4387
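An added example, written for this archive page and not taken from the thread or from the dslreports FAQ, modelling what an "IPsec passthrough" NAT can and cannot learn. The IPsec SPIs are agreed inside the encrypted IKE Phase 2 (Quick Mode) exchange, so a NAT in the path cannot read them from IKE. What it can read is the SPI at the front of every ESP datagram, which RFC 2406 sends in the clear; that gives it the outbound SPI. The inbound SPI (the one the gateway uses towards the client) has to be guessed, and the usual guess is to bind the first inbound ESP packet carrying an unknown SPI to a recently created, still unbound outbound mapping. The heuristic, hosts, addresses and SPI values below are all constructed for illustration, not any vendor's implementation.

```python
"""Toy model of a NAT doing "IPsec passthrough" for several inside hosts
that all talk ESP to the same outside gateway from one public address.

Constructed example; not any vendor's or router's implementation."""
import struct
from dataclasses import dataclass

# ESP header (RFC 2406 / RFC 4303): 32-bit SPI, 32-bit sequence number,
# both sent in the clear ahead of the encrypted payload.
ESP_HEADER = struct.Struct("!II")


@dataclass(frozen=True)
class EspPacket:
    src: str      # IP source
    dst: str      # IP destination
    esp: bytes    # raw ESP datagram: SPI | seq | ciphertext

    @property
    def spi(self) -> int:
        spi, _seq = ESP_HEADER.unpack_from(self.esp)
        return spi


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Assemble an ESP datagram; the ciphertext is opaque to the NAT."""
    return ESP_HEADER.pack(spi, seq) + ciphertext


class IpsecPassthroughNat:
    """SPI-keyed NAT table. ESP has no ports to rewrite, and the SPI is covered
    by the ESP integrity check, so the NAT can only observe SPIs, not change them.

    Outbound: learn (inside host, gateway, outbound SPI) from the ESP header.
    Inbound: the SPI the gateway will use towards us was agreed inside the
    encrypted IKE Phase 2 exchange, which the NAT cannot read. Heuristic
    (assumed here; real boxes vary): bind the first inbound ESP packet with an
    unknown SPI to the newest still-unbound outbound mapping for that gateway.
    """

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.outbound = {}   # (inside_ip, gateway, out_spi) -> entry
        self.inbound = {}    # (gateway, in_spi) -> inside_ip
        self.pending = []    # entries still waiting for an inbound SPI, oldest first

    def translate_out(self, pkt: EspPacket) -> EspPacket:
        key = (pkt.src, pkt.dst, pkt.spi)
        if key not in self.outbound:
            entry = {"inside": pkt.src, "gateway": pkt.dst, "out_spi": pkt.spi}
            self.outbound[key] = entry
            self.pending.append(entry)
        # Only the IP source changes; the ESP datagram passes untouched.
        return EspPacket(self.public_ip, pkt.dst, pkt.esp)

    def translate_in(self, pkt: EspPacket):
        """Return the packet re-addressed to an inside host, or None to drop it."""
        inside = self.inbound.get((pkt.src, pkt.spi))
        if inside is None:
            candidates = [e for e in self.pending if e["gateway"] == pkt.src]
            if not candidates:
                return None                 # no tunnel is expecting this; drop
            entry = candidates[-1]          # the guess: newest unbound mapping
            self.pending.remove(entry)
            inside = entry["inside"]
            self.inbound[(pkt.src, pkt.spi)] = inside
        return EspPacket(pkt.src, inside, pkt.esp)


# Constructed scenario: two neighbours (A and B) behind one NAT, one gateway.
GATEWAY, NAT_IP = "203.0.113.1", "198.51.100.7"
HOST_A, HOST_B = "10.0.0.2", "10.0.0.3"
SPI_A_OUT, SPI_B_OUT = 0x1111, 0x2222   # chosen by the gateway for A/B -> gateway
SPI_A_IN, SPI_B_IN = 0xAAAA, 0xBBBB     # chosen by A/B for gateway -> A/B


def run_scenario(interleaved: bool) -> dict:
    """Map each gateway->client SPI to the inside host the NAT delivered it to."""
    nat = IpsecPassthroughNat(NAT_IP)
    a_out = EspPacket(HOST_A, GATEWAY, build_esp(SPI_A_OUT, 1, b"\x00" * 16))
    b_out = EspPacket(HOST_B, GATEWAY, build_esp(SPI_B_OUT, 1, b"\x00" * 16))
    a_in = EspPacket(GATEWAY, NAT_IP, build_esp(SPI_A_IN, 1, b"\x00" * 16))
    b_in = EspPacket(GATEWAY, NAT_IP, build_esp(SPI_B_IN, 1, b"\x00" * 16))
    delivered = {}
    if interleaved:
        # Both clients bring up their tunnels at once; replies arrive after both.
        nat.translate_out(a_out)
        nat.translate_out(b_out)
        delivered[SPI_A_IN] = nat.translate_in(a_in).dst
        delivered[SPI_B_IN] = nat.translate_in(b_in).dst
    else:
        # One tunnel completes before the next one starts.
        nat.translate_out(a_out)
        delivered[SPI_A_IN] = nat.translate_in(a_in).dst
        nat.translate_out(b_out)
        delivered[SPI_B_IN] = nat.translate_in(b_in).dst
    return delivered


if __name__ == "__main__":
    print("sequential :", {hex(k): v for k, v in run_scenario(False).items()})
    print("interleaved:", {hex(k): v for k, v in run_scenario(True).items()})
```

Run on its own it prints both outcomes: the sequential case delivers each gateway-to-client SPI to the right host, while the interleaved case hands A's return traffic to B and B's to A, which neither host can decrypt. That race is the failure ken emery was describing: the NAT's table is keyed on SPIs it sees in ESP, not anything it could extract from IKE, and the inbound half of each pair is a guess that is only safe while clients do not bring tunnels up at the same time. The fix that eventually took hold was UDP encapsulation of ESP (NAT-T), which gives the NAT a port to key on instead.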