[42192] in North American Network Operators' Group


Re: IPSEC and PAT

daemon@ATHENA.MIT.EDU (Tony Rall)
Thu Sep 13 23:27:40 2001

MIME-Version: 1.0
To: nanog@merit.edu
From: "Tony Rall" <trall@almaden.ibm.com>
Message-ID: <OF4AB502CE.E8BAAB81-ON88256AC7.0011ADEE@almaden.ibm.com>
Date: Thu, 13 Sep 2001 20:23:47 -0700
Content-Type: text/plain; charset="us-ascii"
Errors-To: owner-nanog-outgoing@merit.edu


On Thursday, 2001/09/13 at 21:43 AST, "Steven M. Bellovin" 
<smb@research.att.com> wrote:
> I repeat -- it doesn't do PAT.  Some "routers" -- they're really no
> such thing, of course; they're NAT boxes and/or bridges -- allow one
> host behind them to speak IPsec.  If a host emits a packet using ESP,
> it's tagged as *the* IPsec user; return IPsec packets are routed to
> that host.  (Some of these boxes may use manual configuration instead
> or in addition.)  You can't have two IPsec hosts, because there's no
> way to know which should receive incoming packets -- there's no
> relationship between inbound and outbound SPIs.

Actually you can have multiple IPSEC sessions hidden behind a NAT box with 
a single public IP address - we've found several vendors' "routers" that 
can work in this environment.  I believe the key is that each tunnel must 
be to distinct remote IP addresses.  All the NAT box has available to 
separate the traffic for the different tunnels (which use IP protocol 50) 
is the address of the other end of the tunnel, but that is all it needs.

Of course, many users would like to have multiple tunnels to the same 
partner.  I don't know how that is possible with current IPSEC technology.

Tony Rall
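
A small model of the demultiplexing rule described in this post, added here as an example (not code from the thread or from any vendor's NAT box): a NAT with one public address can only key ESP (IP protocol 50) flows on the remote peer address, since ESP carries no ports and inbound and outbound SPIs are unrelated, so two inside hosts to the same peer collide. All addresses below are constructed from documentation ranges.

```python
ESP = 50  # IP protocol number for ESP; no port fields to translate

class EspNat:
    """Toy NAT for ESP only: maps remote peer IP -> the one inside host using it."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.by_peer = {}  # remote peer address -> inside host address

    def outbound(self, src, dst, proto):
        """Inside->outside. Returns (public_ip, dst), or None when a second inside
        host tries to reach a peer that is already owned by another host."""
        if proto != ESP:
            raise ValueError("only ESP is modelled here")
        owner = self.by_peer.get(dst)
        if owner is None:
            self.by_peer[dst] = src          # first ESP sender to this peer wins
        elif owner != src:
            # Replies from dst would be indistinguishable (same src, random SPI),
            # so the NAT has no safe way to map a second tunnel to the same peer.
            return None
        return (self.public_ip, dst)

    def inbound(self, src, dst, proto):
        """Outside->inside. Returns (src, inside_host) or None (drop)."""
        if proto != ESP or dst != self.public_ip:
            return None
        inside = self.by_peer.get(src)
        if inside is None:
            return None                      # no tunnel learned for this peer
        return (src, inside)

def demo():
    """Two hosts to distinct peers work; a third host to an existing peer does not."""
    nat = EspNat("203.0.113.1")              # constructed public address
    return {
        "a_to_x": nat.outbound("10.0.0.5", "198.51.100.10", ESP),
        "b_to_y": nat.outbound("10.0.0.6", "198.51.100.20", ESP),
        "collision": nat.outbound("10.0.0.7", "198.51.100.10", ESP),  # None
        "reply_from_x": nat.inbound("198.51.100.10", "203.0.113.1", ESP),
        "reply_from_y": nat.inbound("198.51.100.20", "203.0.113.1", ESP),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Real boxes differ in how the mapping is learned (some allow manual configuration, as the quoted message notes) and when it ages out, but the peer-address constraint is the same.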
