[42193] in North American Network Operators' Group


Re: IPSEC and PAT

daemon@ATHENA.MIT.EDU (Bora Akyol)
Thu Sep 13 23:31:58 2001

Message-ID: <3BA11E890000B77C@mail.san.yahoo.com> (added by postmaster@mail.san.yahoo.com)
Date: Thu, 13 Sep 2001 20:30:40 -0700
From: Bora Akyol <akyol@akyol.org>
Content-Type: text/plain;
	format=flowed;
	charset=us-ascii
Cc: nanog@merit.edu
To: "Tony Rall" <trall@almaden.ibm.com>
In-Reply-To: <OF4AB502CE.E8BAAB81-ON88256AC7.0011ADEE@almaden.ibm.com>
Mime-Version: 1.0 (Apple Message framework v388)
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


I believe that at least one VPN client also does UDP encapsulation for 
IPSEC packets specifically for NAT traversal.

Bora


On Thursday, September 13, 2001, at 08:23 PM, Tony Rall wrote:

>
> On Thursday, 2001/09/13 at 21:43 AST, "Steven M. Bellovin"
> <smb@research.att.com> wrote:
>> I repeat -- it doesn't do PAT.  Some "routers" -- they're really no
>> such thing, of course; they're NAT boxes and/or bridges -- allow one
>> host behind them to speak IPsec.  If a host emits a packet using ESP,
>> it's tagged as *the* IPsec user; return IPsec packets are routed to
>> that host.  (Some of these boxes may use manual configuration instead
>> or in addition.)  You can't have two IPsec hosts, because there's no
>> way to know which should receive incoming packets -- there's no
>> relationship between inbound and outbound SPIs.
>
> Actually you can have multiple IPSEC sessions hidden behind a NAT box with
> a single public IP address - we've found several vendors' "routers" that
> can work in this environment.  I believe the key is that each tunnel must
> be to distinct remote IP addresses.  All the NAT box has available to
> separate the traffic for the different tunnels (which use IP protocol 50)
> is the address of the other end of the tunnel, but that is all it needs.
>
> Of course, many users would like to have multiple tunnels to the same
> partner.  I don't know how that is possible with current IPSEC technology.
>
> Tony Rall
>
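Added example (editor's code, not from anyone in the thread): a small Python model of the two NAT behaviours the messages above describe. Raw ESP (IP protocol 50) carries no port numbers and its inbound and outbound SPIs are chosen independently by the two ends, so the model's NAT can key ESP state only on the remote peer address, with the inner host that most recently sent ESP to a peer treated as *the* IPsec user for that peer (that tie-break policy is an assumption, as Bellovin notes boxes vary). ESP wrapped in UDP, as Bora mentions, goes through ordinary port translation, so two inner hosts can reach the same peer. Addresses (RFC 5737 documentation ranges), SPIs, the NatBox/Packet/run_scenario names and the UDP port 4500 (the port later standardised for ESP-in-UDP) are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50            # IP protocol number of a raw ESP packet
UDP = 17
NAT_T_PORT = 4500   # UDP port for ESP-in-UDP; assumed for this example


@dataclass(frozen=True)
class Packet:
    """Only the header fields a NAT box looks at; payload is irrelevant."""
    src: str
    dst: str
    proto: int
    spi: int = 0      # ESP Security Parameter Index (proto == ESP only)
    sport: int = 0    # UDP source port (proto == UDP only)
    dport: int = 0    # UDP destination port (proto == UDP only)


class NatBox:
    """Toy NAT/PAT box. Raw ESP is keyed on the peer address alone, and the
    most recent inner host to send ESP to a peer owns that peer (assumed
    policy). UDP gets normal port translation."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.esp_owner: Dict[str, str] = {}                      # peer ip -> inner ip
        self.udp_out: Dict[Tuple[str, int, str, int], int] = {}  # (in ip, in port, peer, peer port) -> public port
        self.udp_in: Dict[Tuple[str, int, int], Tuple[str, int]] = {}  # (peer, peer port, public port) -> (in ip, in port)
        self.next_port = first_port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inner-to-Internet packet and record reply state."""
        if pkt.proto == ESP:
            # The SPI on this packet was chosen by the peer; the SPI on the
            # reply will be chosen by the inner host. The two are unrelated,
            # so the peer address is the only usable key.
            self.esp_owner[pkt.dst] = pkt.src
            return Packet(self.public_ip, pkt.dst, ESP, spi=pkt.spi)
        if pkt.proto == UDP:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            pub = self.udp_out.get(key)
            if pub is None:
                pub = self.next_port
                self.next_port += 1
                self.udp_out[key] = pub
                self.udp_in[(pkt.dst, pkt.dport, pub)] = (pkt.src, pkt.sport)
            return Packet(self.public_ip, pkt.dst, UDP, sport=pub, dport=pkt.dport)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an Internet-to-inner packet; None means dropped."""
        if pkt.proto == ESP:
            owner = self.esp_owner.get(pkt.src)
            return None if owner is None else Packet(pkt.src, owner, ESP, spi=pkt.spi)
        if pkt.proto == UDP:
            inner = self.udp_in.get((pkt.src, pkt.sport, pkt.dport))
            if inner is None:
                return None
            inner_ip, inner_port = inner
            return Packet(pkt.src, inner_ip, UDP, sport=pkt.sport, dport=inner_port)
        raise ValueError(f"unsupported protocol {pkt.proto}")


HOSTS = {"A": "10.0.0.11", "B": "10.0.0.12"}        # constructed inner hosts
PEER_1, PEER_2 = "198.51.100.10", "198.51.100.20"   # constructed remote gateways


def run_scenario(udp_encapsulated: bool, same_peer: bool) -> Dict[str, str]:
    """Hosts A and B each start a tunnel through one NatBox, then the peers
    answer. Returns, per host, which host actually received its reply."""
    nat = NatBox("203.0.113.1")
    peer_of = {"A": PEER_1, "B": PEER_1 if same_peer else PEER_2}
    reply_spi = {"A": 0xAAAA, "B": 0xBBBB}   # inbound SPIs picked by A and B
    name_of = {ip: name for name, ip in HOSTS.items()}

    on_wire: Dict[str, Packet] = {}           # phase 1: first packet of each tunnel
    for host, ip in HOSTS.items():
        if udp_encapsulated:
            first = Packet(ip, peer_of[host], UDP, sport=NAT_T_PORT, dport=NAT_T_PORT)
        else:
            first = Packet(ip, peer_of[host], ESP, spi=0x1000 + ord(host))
        on_wire[host] = nat.outbound(first)

    result: Dict[str, str] = {}               # phase 2: each peer replies to what it saw
    for host, sent in on_wire.items():
        if udp_encapsulated:
            reply = Packet(sent.dst, sent.src, UDP, sport=sent.dport, dport=sent.sport)
        else:
            reply = Packet(sent.dst, sent.src, ESP, spi=reply_spi[host])
        delivered = nat.inbound(reply)
        result[host] = "dropped" if delivered is None else name_of[delivered.dst]
    return result


if __name__ == "__main__":
    print("raw ESP, distinct peers:", run_scenario(False, False))
    print("raw ESP, same peer:     ", run_scenario(False, True))
    print("ESP in UDP, same peer:  ", run_scenario(True, True))
```

With distinct peers, raw ESP works for both hosts, which is Tony Rall's observation. With both hosts talking to the same peer, the second host to send ESP takes over the mapping and host A's return traffic is delivered to B, which is Bellovin's point that nothing in the inbound packet identifies the intended host. Wrapping ESP in UDP gives the NAT a port number to translate, so both hosts are served correctly.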
