Real Time Ascend Mailing List Archive
Re: (ASCEND)IPSEC over NAT for Pipe75
Hi
On 19 August 1999, Edwin_Everett@cargill.com <Edwin_Everett@cargill.com> wrote:
> Does anyone have any information on IPSEC over a NAT'ed IP to the ISP
> for VPN?
> (gawd, look at all those acronyms in one sentence!)
>
> I was told there's a problem with this...can anyone confirm?
Yes there is.
I will try to explain why, but there are other, more knowledgeable people
(Matt Holdrege and others...?) on this list.
IPSEC's job is to make packets unintelligible and unalterable, and NAT
relies on being able to understand packets and make helpful modifications
to them en route. Because of this, IPSEC and NAT don't coexist very well.
However, if I have got it right, there are circumstances when you can use
IPSEC ESP over NAT (but currently not when using a Pipe75 and single
IP NAT); IPSEC AH cannot be used over a NATed connection.
P75 using single IP NAT actually "mostly" does PAT (Port Address Translation).
This is a problem because IPSEC doesn't use any ports for ESP (Encapsulated
Security Payload, IP protocol 50) and AH (Authentication Header, IP
protocol 51); only the key exchange via IKE uses UDP port 500.
What Ascend probably could do to allow IPSEC ESP in single IP NAT
=================================================================
Ascend have recently (b2.p75-7.3.0) added a "Tunnel Server" option in
the NAT configuration. This is for GRE (General Routing Encapsulation,
protocol 47) based tunnels such as PPTP and ATMP.
To me this solution could easily(?) be used to allow *one* IPSEC
workstation behind a P75 configured for single IP NAT, by adding similar
support for the ESP protocol.
To allow more than one IPSEC workstation behind a P75 using single IP NAT,
it would be required by the P75 to understand IPSEC SPIs (Security
Parameters Index). Very few ISDN SOHO routers claim to do this, but
I have read in some newsgroup that Nortel has it in theirs.
Another solution for *one* workstation access would be that the NAT
"Default Server" option actually worked as stated in the manual. That
*all* traffic that is NOT redirected in the "Static Mappings" should go
to the "Default Server" (this would remove the current need for many
static mappings to the default server too, like port 6000 for X11, port 22
for SSH etc).
Last time I checked this, only traffic to a limited number of well-known
TCP/UDP ports did get through to the default server (and "portless"
protocols are of course not handled at all).
Regards Thomas
--
Thomas Falk Claezon ERICSSON, AXE Research and Development
Phone: +46 8 727 34 12 Box 1505
Mobile: +46 70 536 31 01 S-125 25 ALVSJO
Fax: +46 8 647 82 76 SWEDEN
Email: falk@uab.ericsson.se
URL: http://www.elfi.org/~falk/
PGP Public Key: http://www.elfi.org/~falk/PGP.html
PGP Fingerprint: 0E 0F 39 7C 1D C4 7E 2C 66 DB 20 49 9B DB BB 56
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>
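As an added illustration (not code from the original post, from Ascend or from any real P75 firmware), a toy Python model of the single-IP NAT discussed in the thread: TCP flows are demultiplexed by translated port, so replies find their way back inside, while an inbound ESP packet (protocol 50) has no port to look up and is dropped unless, like the GRE "Tunnel Server" option, all protocol-50 traffic is forwarded to one configured inside host; AH fails in any case, because its integrity check covers the source address the NAT rewrites. The addresses, ports, the `esp_server` option and the hash standing in for the AH ICV are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, replace
ESP, AH, TCP = 50, 51, 6   # IP protocol numbers

@dataclass(frozen=True)
class Pkt:
    proto: int
    src: str
    dst: str
    sport: int = 0   # TCP/UDP only: ESP and AH carry no port numbers
    dport: int = 0
    spi: int = 0     # ESP/AH only

def ah_icv(p):
    # Toy stand-in for AH's ICV: it covers the immutable IP header fields, source
    # address included, so any rewrite of p.src by a NAT invalidates it
    return hashlib.sha256(f"{p.src}|{p.dst}|{p.spi}".encode()).hexdigest()

class SingleIpPat:
    # Single-IP NAT that really does PAT, plus a hypothetical ESP "tunnel server" option
    def __init__(self, public_ip, esp_server=None):
        self.public_ip, self.esp_server = public_ip, esp_server
        self.table, self.next_port = {}, 40000   # (proto, public port) -> (inside ip, port)

    def outbound(self, p):
        if p.proto == TCP:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[(TCP, port)] = (p.src, p.sport)
            return replace(p, src=self.public_ip, sport=port)
        return replace(p, src=self.public_ip)   # ESP/AH: no port to map, only the address

    def inbound(self, p):
        if p.proto == TCP:
            inside = self.table.get((TCP, p.dport))
            return replace(p, dst=inside[0], dport=inside[1]) if inside else None
        if p.proto == ESP and self.esp_server:   # forward *all* protocol 50 to one host
            return replace(p, dst=self.esp_server)
        return None   # portless protocol with no mapping: silently dropped

def demo():
    # Runs constructed packets through the toy PAT and reports what is delivered
    nat = SingleIpPat("203.0.113.1")
    out = nat.outbound(Pkt(TCP, "192.168.1.10", "198.51.100.5", 1234, 443))
    reply = nat.inbound(Pkt(TCP, "198.51.100.5", "203.0.113.1", 443, out.sport))
    esp_reply = Pkt(ESP, "198.51.100.5", "203.0.113.1", spi=0x1234)
    ah = Pkt(AH, "192.168.1.10", "198.51.100.5", spi=7)
    icv = ah_icv(ah)                          # computed by the sender, before NAT
    return {
        "tcp_reply_to": reply.dst,
        "esp_reply_pat_only": nat.inbound(esp_reply),
        "esp_reply_tunnel_server": SingleIpPat("203.0.113.1", "192.168.1.10").inbound(esp_reply).dst,
        "ah_valid_after_nat": ah_icv(nat.outbound(ah)) == icv,
    }
```

A second inside host sending ESP to the same peer would need the router to tell SAs apart by SPI, which this model (like the single-IP NAT described above) does not do.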