Firewall Wizards mailing list archives
Re: NAT
From: "Ryan Russell" <ryanr () sybase com>
Date: Wed, 17 Jun 1998 09:53:22 -0700
Your first paragraph clears it up, thanks. If the IPSec happens after NAT, it makes perfect sense.

When one wants to use NAT with IPSec, then the device doing NAT would have to participate in the IPSec connection. That would imply that one couldn't get an IPSec connection through a box that did NAT/proxy when that box didn't participate in the connection. I think that's going to be a major problem for IPSec based VPN solutions.

Ryan

On Sidewinder, at least, the NAT activity is irrelevant to IPSEC behavior. When leaving the internal (address translated) network, the addresses are swapped before packets are handed to IPSEC for crypto processing. Encrypted packets from the outside world are decrypted and then each packet's IP address gets changed before being dropped on the internal LAN. The same security association is used for all NATed traffic between a pair of IPSEC gateways.
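The ordering discussed in this message, as an added example that is not part of the original post or of any product's code: a toy model in which an HMAC-SHA256 tag covers the addresses and payload, the way IPsec AH covers the IP addresses. The packet layout, key, addresses and function names are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"  # assumption: stands in for the SA's integrity key

def build(src, dst, payload):
    """Toy packet: 4-byte src + 4-byte dst + payload (not a real IP header)."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + payload)

def nat_rewrite_src(pkt, new_src):
    """Source NAT: replace the first 4 bytes (the source address)."""
    return ipaddress.IPv4Address(new_src).packed + pkt[4:]

def protect(pkt):
    """Append a 32-byte tag computed over addresses and payload."""
    return pkt + hmac.new(KEY, pkt, hashlib.sha256).digest()

def verify(protected):
    """Recompute the tag over the received bytes and compare in constant time."""
    pkt, tag = protected[:-32], protected[-32:]
    expected = hmac.new(KEY, pkt, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def gateway_nat_then_ipsec(src, dst, payload, public_src):
    """Gateway order from the message: translate first, then hand to crypto."""
    return protect(nat_rewrite_src(build(src, dst, payload), public_src))

def ipsec_then_foreign_nat(src, dst, payload, public_src):
    """Host protects the packet; a NAT box outside the SA rewrites it afterwards."""
    protected = protect(build(src, dst, payload))
    return nat_rewrite_src(protected, public_src)

if __name__ == "__main__":
    # Constructed sample values (private, TEST-NET-1 and TEST-NET-2 addresses).
    args = ("10.1.1.5", "192.0.2.20", b"hello", "198.51.100.1")
    print("NAT then IPsec verifies:", verify(gateway_nat_then_ipsec(*args)))
    print("IPsec then NAT verifies:", verify(ipsec_then_foreign_nat(*args)))
```
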