Date:      Fri, 18 Oct 2002 22:58:22 -0700 (PDT)
From:      "Andrew P. Lentvorski" <bsder@mail.allcaps.org>
To:        "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc:        Matthew Zahorik <matt@hottub.org>, <freebsd-net@FreeBSD.ORG>
Subject:   Re: IPSEC/NAT issues
Message-ID:  <20021018222132.P68535-100000@mail.allcaps.org>
In-Reply-To: <20021018182522.GC45449@blossom.cjclark.org>

On Fri, 18 Oct 2002, Me, Myself, and I blathered:
> You cannot NAT an IPSEC packet.  NAT rewrites the IP headers and the
> packet will get rejected when it reaches the other IPSEC node.

I still stand by my original statement.  However, it won't be true for
much longer.  There is now a draft document (as of August 18, 2002) for
dealing with NAT traversal.

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-02.txt

<quote>
a) Incompatibility between IPsec AH [RFC2402] and NAT. Since the AH header
   incorporates the IP source and destination addresses in the
   keyed message integrity check, NAT or reverse NAT devices making changes
   to address fields will invalidate the message integrity check.
   Since IPsec ESP [4] does not incorporate the IP source and
   destination addresses in its keyed message integrity check,
   this issue does not arise for ESP.

b) Incompatibility between checksums and NAT. TCP/UDP/SCTP
   checksums have a dependency on the IP source and destination
   addresses through inclusion of the "pseudo-header" in the
   calculation. As a result, where checksums are calculated and
   checked on receipt, they will be invalidated by passage through
   a NAT or reverse NAT device.

   As a result, IPsec ESP will only pass unimpeded through a NAT if
   TCP/UDP/SCTP protocols are not involved (as in IPsec tunnel
   mode or IPsec/GRE), or checksums are not calculated (as is
   possible with IPv4 UDP)
</quote>

-a


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
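Editor's added example (not part of the message above, the draft it quotes, or any FreeBSD code): a small Python model of the two incompatibilities the quoted draft lists. It builds a TCP segment and a UDP datagram with their IPv4 pseudo-header checksums, computes an AH-style ICV that covers the IP addresses and an ESP-style ICV that does not, then lets a NAT rewrite the source address without touching anything else and reports what the far end would accept. The addresses, the SPI/sequence values, the payload and the integrity key are all constructed for the example; the ICV computations are simplified (real AH zeroes the mutable IP fields and uses HMAC-SHA1-96 as specified in RFC 2404, and real ESP keeps the transport checksum inside the encrypted payload, which is exactly why item (b) applies to it).

```python
import hmac
import hashlib
import struct

# Constructed addresses and key for the example; none of these appear in the message.
INSIDE_SRC = "10.0.0.5"        # host behind the NAT
NAT_SRC    = "203.0.113.7"     # source address after the NAT rewrites it
REMOTE_DST = "198.51.100.20"   # far-end IPsec peer
KEY = b"hypothetical-integrity-key"
PROTO_TCP, PROTO_UDP = 6, 17


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src, dst, proto, length):
    """IPv4 pseudo-header: the part of a TCP/UDP checksum that depends on the addresses."""
    return ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, proto, length)


def build_tcp_segment(src, dst, payload):
    """Minimal TCP header (sport 40000, dport 80, PSH|ACK), checksum filled in as the sender does."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    csum = inet_checksum(pseudo_header(src, dst, PROTO_TCP, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def tcp_checksum_ok(src, dst, seg):
    """Receiver check: with the checksum field in place the folded sum comes out to 0."""
    return inet_checksum(pseudo_header(src, dst, PROTO_TCP, len(seg)) + seg) == 0


def build_udp_datagram(src, dst, payload, with_checksum=True):
    """UDP header (sport 40000, dport 500). IPv4 allows checksum 0, meaning 'not computed'."""
    length = 8 + len(payload)
    dgram = struct.pack("!HHHH", 40000, 500, length, 0) + payload
    if not with_checksum:
        return dgram
    csum = inet_checksum(pseudo_header(src, dst, PROTO_UDP, length) + dgram) or 0xFFFF
    return dgram[:6] + struct.pack("!H", csum) + dgram[8:]


def udp_checksum_ok(src, dst, dgram):
    if dgram[6:8] == b"\x00\x00":
        return True   # IPv4 receiver accepts a datagram whose checksum was never computed
    return inet_checksum(pseudo_header(src, dst, PROTO_UDP, len(dgram)) + dgram) == 0


def ah_icv(src, dst, proto, payload):
    """AH-style ICV: keyed over the IP source/destination addresses plus the payload (simplified)."""
    msg = ip_bytes(src) + ip_bytes(dst) + bytes([proto]) + payload
    return hmac.new(KEY, msg, hashlib.sha1).digest()[:12]


def esp_icv(spi, seq, payload):
    """ESP-style ICV: keyed over SPI, sequence number and payload only; the outer IP header is not covered."""
    return hmac.new(KEY, struct.pack("!II", spi, seq) + payload, hashlib.sha1).digest()[:12]


def nat_traversal_report():
    """Send from INSIDE_SRC, let a NAT rewrite only the source address to NAT_SRC,
    and report which integrity checks the remote side would still pass."""
    payload = b"GET / HTTP/1.0\r\n\r\n"   # constructed payload
    tcp = build_tcp_segment(INSIDE_SRC, REMOTE_DST, payload)
    udp = build_udp_datagram(INSIDE_SRC, REMOTE_DST, payload)
    udp_nocsum = build_udp_datagram(INSIDE_SRC, REMOTE_DST, payload, with_checksum=False)
    ah_sent = ah_icv(INSIDE_SRC, REMOTE_DST, PROTO_TCP, tcp)
    esp_sent = esp_icv(0x1000, 1, tcp)   # constructed SPI and sequence number
    return {
        "tcp_before_nat": tcp_checksum_ok(INSIDE_SRC, REMOTE_DST, tcp),
        "tcp_after_nat": tcp_checksum_ok(NAT_SRC, REMOTE_DST, tcp),
        "udp_after_nat": udp_checksum_ok(NAT_SRC, REMOTE_DST, udp),
        "udp_zero_csum_after_nat": udp_checksum_ok(NAT_SRC, REMOTE_DST, udp_nocsum),
        "ah_after_nat": hmac.compare_digest(ah_sent, ah_icv(NAT_SRC, REMOTE_DST, PROTO_TCP, tcp)),
        "esp_after_nat": hmac.compare_digest(esp_sent, esp_icv(0x1000, 1, tcp)),
    }


if __name__ == "__main__":
    for check, passed in nat_traversal_report().items():
        print(f"{check}: {'accepted' if passed else 'rejected'}")
```

The report shows item (a): the AH-style ICV no longer verifies once the source address changes, while the ESP-style ICV, which never covered the outer header, still does. It also shows item (b): the TCP and UDP checksums fail after the rewrite because the pseudo-header changed, except for the IPv4 UDP datagram sent with checksum 0, which the receiver accepts without checking. An ordinary NAT fixes transport checksums by recomputing them, which it cannot do when they sit inside an ESP payload; that is the gap the draft the message links to is about.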