NAT and IPSec

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I just read that, if you use an end-to end connection such as IPSec between a remote computer and a computer at work and your work network uses private IP addressing and NAT, that both computers will need to be configured with addresses that are internet routable. This is because the the addressing cannot undergo translation. Is this true? Isn't there a way to use private addressing in an internal network and still use a point-to-point connection? Forgive the ignorance. Studying makes me ask these questions.

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Basically what you have said above is true. If you use IPSec then NAT cannot translate the headers, although I am pretty sure I was reading an RFC the other day which should overcome this problem. But back to the topic. It is still possible to use the encryption of IPSec and still use NAT.

As mentioned because IPSec (actually Authenticated Headers AH) protects the header from modification NAT translation is not possible. If you used ESP (Encapsulating Security Payload), on its own then ONLY the data is encrypted and the header is left as is. The ESP header is added to the frame after the Layer 4 header but prior to the Layer 3 header
This allows end-to-end encryption of the data, rather than point-to-point, but still allows the headers to be translated.

To configure this select PPTP with ESP as the tunnelling protocol.

Things change slighlty when ESP is configured in tunnel mode.
The ESP header is added after the original IP header is encrypted but a new IP header is added AFTER the encryption, which allows for NAT.
When the data reaches the RAS Server the new header is discarded, the ESP header is decrypted and the original IP header is used to route the packet to its destination on the LAN.

Oh just one more thing which also makes the above a little more interesting, because you have not used L2TP to tunnel, there is no need to have a CA to issue or verify certificates, just let Kerberos do its thing.

Hope this helps

 

Well, you did ask, Trip

Seriously, nice answer, dreec - thanks for that info. What does IP stand for, by the way ?