
On Thursday, 2001/09/13 at 21:43 AST, "Steven M. Bellovin" <smb@research.att.com> wrote:
> I repeat -- it doesn't do PAT. Some "routers" -- they're really no such thing, of course; they're NAT boxes and/or bridges -- allow one host behind them to speak IPsec. If a host emits a packet using ESP, it's tagged as *the* IPsec user; return IPsec packets are routed to that host. (Some of these boxes may use manual configuration instead or in addition.) You can't have two IPsec hosts, because there's no way to know which should receive incoming packets -- there's no relationship between inbound and outbound SPIs.

Actually you can have multiple IPSEC sessions hidden behind a NAT box with a single public IP address - we've found several vendors' "routers" that can work in this environment. I believe the key is that each tunnel must be to distinct remote IP addresses. All the NAT box has available to separate the traffic for the different tunnels (which use IP protocol 50) is the address of the other end of the tunnel, but that is all it needs.

Of course, many users would like to have multiple tunnels to the same partner. I don't know how that is possible with current IPSEC technology.

Tony Rall

I believe that at least one VPN client also does UDP encapsulation for IPSEC packets specifically for NAT traversal.

Bora

On Thursday, September 13, 2001, at 08:23 PM, Tony Rall wrote:
> Actually you can have multiple IPSEC sessions hidden behind a NAT box with a single public IP address - we've found several vendors' "routers" that can work in this environment. I believe the key is that each tunnel must be to distinct remote IP addresses. All the NAT box has available to separate the traffic for the different tunnels (which use IP protocol 50) is the address of the other end of the tunnel, but that is all it needs.
>
> Of course, many users would like to have multiple tunnels to the same partner. I don't know how that is possible with current IPSEC technology.
>
> Tony Rall

Cisco 5000 series VPN concentrators support a "NAT Transparency mode" which causes the IPsec packets to be wrapped in UDP and TCP traffic to port 80 at the concentrator. And this method certainly does support multiple IPsec tunnels from multiple clients, going to a single concentrator, all from a single public IP.

Chris

At 08:30 PM 9/13/2001 -0700, you wrote:
> I believe that at least one VPN client also does UDP encapsulation for IPSEC packets specifically for NAT traversal.
>
> Bora

On Thu, 13 Sep 2001, Bora Akyol wrote:
> I believe that at least one VPN client also does UDP encapsulation for IPSEC packets specifically for NAT traversal.
>
> Bora
The Cisco VPN client does UDP encapsulation. But of course, the "server" needs to support it as well. The PIX OS does not; the concentrators do.
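The two mechanisms the thread describes, keying raw ESP on the remote peer's address (Tony's observation) and wrapping ESP in UDP so that ordinary port translation can tell clients apart (Bora, Chris and Adam), modelled as a small NAT-box simulator. This is an added example, not code from any of the posters, from Cisco, or from any NAT product. The addresses, SPIs and the choice of UDP port 4500 (the port later standardised for ESP-in-UDP in RFC 3948, not the port-80 scheme Chris describes) are assumptions made for the illustration.

```python
"""Constructed NAT-box model: raw ESP vs. UDP-encapsulated ESP behind one public IP.
Addresses, SPIs and ports are made up for the illustration (RFC 5737 documentation ranges)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PROTO_UDP = 17
PROTO_ESP = 50        # ESP rides directly on IP: there are no ports to translate
NAT_T_PORT = 4500     # assumed UDP port for ESP-in-UDP (the later RFC 3948 choice)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    spi: Optional[int] = None     # ESP only; the inbound SPI is unrelated to the outbound one
    sport: Optional[int] = None   # UDP only
    dport: Optional[int] = None   # UDP only


class NatBox:
    """One public address shared by several inside hosts."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.esp_owner: Dict[str, str] = {}              # remote peer -> inside host
        self.udp_out: Dict[Tuple[str, int], int] = {}   # (inside ip, port) -> public port
        self.udp_in: Dict[int, Tuple[str, int]] = {}    # public port -> (inside ip, port)
        self._next_port = first_port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, recording state for the return path."""
        if pkt.proto == PROTO_ESP:
            # The only field the box can key on is the peer address: the SPI in this
            # packet tells it nothing about the SPI the peer will put on its replies.
            owner = self.esp_owner.get(pkt.dst)
            if owner is not None and owner != pkt.src:
                raise ValueError(f"ESP to {pkt.dst} is already owned by {owner}; "
                                 f"replies for {pkt.src} could not be told apart")
            self.esp_owner[pkt.dst] = pkt.src
            return Packet(PROTO_ESP, self.public_ip, pkt.dst, spi=pkt.spi)
        if pkt.proto == PROTO_UDP:
            # Ordinary PAT: each (inside host, source port) pair gets its own public port.
            key = (pkt.src, pkt.sport)
            port = self.udp_out.get(key)
            if port is None:
                port, self._next_port = self._next_port, self._next_port + 1
                self.udp_out[key] = port
                self.udp_in[port] = key
            return Packet(PROTO_UDP, self.public_ip, pkt.dst, sport=port, dport=pkt.dport)
        raise ValueError(f"protocol {pkt.proto} not modelled")

    def inbound(self, pkt: Packet) -> Packet:
        """Translate an outside->inside packet using the recorded state."""
        if pkt.proto == PROTO_ESP:
            host = self.esp_owner.get(pkt.src)
            if host is None:
                raise KeyError(f"no inside host owns ESP from peer {pkt.src}")
            return Packet(PROTO_ESP, pkt.src, host, spi=pkt.spi)
        if pkt.proto == PROTO_UDP:
            if pkt.dport not in self.udp_in:
                raise KeyError(f"no mapping for public port {pkt.dport}")
            host, port = self.udp_in[pkt.dport]
            return Packet(PROTO_UDP, pkt.src, host, sport=pkt.sport, dport=port)
        raise ValueError(f"protocol {pkt.proto} not modelled")


def raw_esp_scenario() -> Tuple[str, str, bool]:
    """Two hosts to two distinct peers succeed; a third host to an already-used peer is refused."""
    nat = NatBox("203.0.113.1")
    nat.outbound(Packet(PROTO_ESP, "10.0.0.11", "198.51.100.1", spi=0x1001))
    nat.outbound(Packet(PROTO_ESP, "10.0.0.12", "198.51.100.2", spi=0x1002))
    # Replies carry SPIs the box has never seen; it routes on the peer address alone.
    to_a = nat.inbound(Packet(PROTO_ESP, "198.51.100.1", nat.public_ip, spi=0xABCD)).dst
    to_b = nat.inbound(Packet(PROTO_ESP, "198.51.100.2", nat.public_ip, spi=0xEF01)).dst
    try:
        nat.outbound(Packet(PROTO_ESP, "10.0.0.13", "198.51.100.1", spi=0x1003))
        third_accepted = True
    except ValueError:
        third_accepted = False
    return to_a, to_b, third_accepted   # ('10.0.0.11', '10.0.0.12', False)


def udp_encap_scenario() -> Tuple[str, str]:
    """Two hosts to the same concentrator work once ESP is carried inside UDP."""
    nat = NatBox("203.0.113.1")
    peer = "198.51.100.1"
    out_a = nat.outbound(Packet(PROTO_UDP, "10.0.0.11", peer, sport=NAT_T_PORT, dport=NAT_T_PORT))
    out_b = nat.outbound(Packet(PROTO_UDP, "10.0.0.12", peer, sport=NAT_T_PORT, dport=NAT_T_PORT))
    # The concentrator answers to whichever public port each client's packets arrived from.
    to_a = nat.inbound(Packet(PROTO_UDP, peer, nat.public_ip, sport=NAT_T_PORT, dport=out_a.sport)).dst
    to_b = nat.inbound(Packet(PROTO_UDP, peer, nat.public_ip, sport=NAT_T_PORT, dport=out_b.sport)).dst
    return to_a, to_b   # ('10.0.0.11', '10.0.0.12')


if __name__ == "__main__":
    print("raw ESP:", raw_esp_scenario())
    print("UDP encapsulated:", udp_encap_scenario())
```

`raw_esp_scenario()` shows both halves of Tony's point: two inside hosts reach two distinct peers, and return ESP is delivered correctly whatever SPI the peer chose, but a third host aiming at a peer that is already mapped is refused because the box has nothing else to key on. `udp_encap_scenario()` shows why encapsulation settles the question: once ESP rides inside UDP the box allocates a public source port per inside host and demultiplexes inbound packets on destination port, so two clients can reach the same concentrator from one public address. The model does not cover the box that "tags" a single ESP user regardless of peer, which is the stricter behaviour Bellovin describes.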
participants (4)
- Adam Herscher
- Bora Akyol
- Chris Grout
- Tony Rall