
Kee Hinckley wrote:
At 6:30 PM +0200 10/14/03, Stefan Mink wrote:
On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote:
I use IPSEC and it works fine behind NAT.
Yes, it does work, on a small scale. However, what if your neighbor wants to IPSEC to the same place (say you work at the same place), so both of you are NAT'd from the same IP address and trying to IPSEC to the same IP address? I don't believe things will work in this instance.
Why not? We use it here, works fine (with certificates for auth).
From what I've seen it depends on whether the NAT has specific support for IPSEC, and if that support includes support for multiple clients. The NAT box has to keep track of the mapping. I've seen NATs priced based on how many VPN clients they support at a time.
Quoting from that:

    Some routers permit multiple IPSec connections through NAT by uniquely identifying tunnels via the pair of SPI numbers snagged from an IKE exchange. These identifying numbers are stored in IPSec NAT table entries to allow correct routing of inbound ESP traffic.

Last time I looked, the SPIs are exchanged in an encrypted payload in IKE. Am I mistaken? The router would have to mount a successful MIM attack to do this.

-- 
Crist J. Clark                               crist.clark@globalstar.com
Globalstar Communications                                (408) 933-4387
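The SPI-tracking scheme quoted above, simulated as an added example (not code from anyone in this thread): a toy NAT forwarding ESP, which has no port numbers, learns each inside host's outbound SPI from traffic, but the SPI the peer will use towards that host was agreed inside IKE where the NAT cannot see it, so the NAT can only bind an unknown inbound SPI to a host that is still waiting, and that binding is unambiguous only while exactly one host is waiting on that peer. Host names, peer name and SPI values are constructed.

```python
import struct

ESP_HDR = struct.Struct("!II")  # an ESP packet starts with SPI, then sequence number


def parse_esp(pkt: bytes):
    """Return (spi, seq) from the front of an ESP packet; reject truncated input."""
    if len(pkt) < ESP_HDR.size:
        raise ValueError("truncated ESP header")
    return ESP_HDR.unpack_from(pkt)


def esp_packet(spi: int, seq: int) -> bytes:
    """Constructed sample ESP packet: header followed by opaque ciphertext bytes."""
    return ESP_HDR.pack(spi, seq) + b"\x00" * 16


class EspNat:
    """Toy model of a NAT that must route inbound ESP to inside hosts by SPI alone.

    Outbound packets reveal only the SPI an inside host sends with; the SPI the peer
    will use towards that host was negotiated inside IKE, so the NAT guesses: the
    first unknown inbound SPI from a peer is bound to a host still waiting on that
    peer, which is only safe when exactly one host is waiting."""

    def __init__(self):
        self.inbound = {}    # (peer, inbound_spi) -> inside host
        self.bound = set()   # (peer, inside host) pairs already mapped
        self.pending = {}    # peer -> inside hosts awaiting their first inbound SPI
        self.ambiguous = 0   # inbound packets the NAT could not place

    def outbound(self, inner: str, peer: str, pkt: bytes) -> int:
        spi, _ = parse_esp(pkt)
        waiting = self.pending.setdefault(peer, [])
        if (peer, inner) not in self.bound and inner not in waiting:
            waiting.append(inner)
        return spi

    def inbound_pkt(self, peer: str, pkt: bytes):
        spi, _ = parse_esp(pkt)
        key = (peer, spi)
        if key in self.inbound:
            return self.inbound[key]
        waiting = self.pending.get(peer, [])
        if len(waiting) == 1:           # unambiguous: bind the new SPI to that host
            self.inbound[key] = waiting.pop()
            self.bound.add((peer, self.inbound[key]))
            return self.inbound[key]
        self.ambiguous += 1             # zero or several candidates: cannot route
        return None
```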