1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

NAT and IPSec

Discussion in 'Networks' started by tripwire45, Nov 15, 2003.

  1. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    I just read that, if you use an end-to end connection such as IPSec between a remote computer and a computer at work and your work network uses private IP addressing and NAT, that both computers will need to be configured with addresses that are internet routable. This is because the the addressing cannot undergo translation. Is this true? Isn't there a way to use private addressing in an internal network and still use a point-to-point connection? Forgive the ignorance. Studying makes me ask these questions.
    Certifications: A+ and Network+
  2. dreec

    dreec Nibble Poster

    Basically what you have said above is true. If you use IPSec then NAT cannot translate the headers, although I am pretty sure I was reading an RFC the other day which should overcome this problem. But back to the topic. It is still possible to use the encryption of IPSec and still use NAT.

    As mentioned because IPSec (actually Authenticated Headers AH) protects the header from modification NAT translation is not possible. If you used ESP (Encapsulating Security Payload), on its own then ONLY the data is encrypted and the header is left as is. The ESP header is added to the frame after the Layer 4 header but prior to the Layer 3 header
    This allows end-to-end encryption of the data, rather than point-to-point, but still allows the headers to be translated.

    To configure this select PPTP with ESP as the tunnelling protocol.

    Things change slighlty when ESP is configured in tunnel mode.
    The ESP header is added after the original IP header is encrypted but a new IP header is added AFTER the encryption, which allows for NAT.
    When the data reaches the RAS Server the new header is discarded, the ESP header is decrypted and the original IP header is used to route the packet to its destination on the LAN.

    Oh just one more thing which also makes the above a little more interesting, because you have not used L2TP to tunnel, there is no need to have a CA to issue or verify certificates, just let Kerberos do its thing.

    Hope this helps
    Certifications: To many to list here, to few to matter
    WIP: None
  3. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    Well, you did ask, Trip :eek:

    Seriously, nice answer, dreec - thanks for that info. What does IP stand for, by the way ?

    Certifications: MCP, A+, Network+
    WIP: Clarity

Share This Page