Re: Questions (Rants?) About IPSEC

From: James F. Hranicky (jfh@cise.ufl.edu)
Date: 02/07/02


To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Date: Thu, 07 Feb 2002 17:18:23 -0500
From: "James F. Hranicky" <jfh@cise.ufl.edu>

Garrett Wollman <wollman@khavrinen.lcs.mit.edu> wrote:
>
> > - IPSEC routers have to basically be the border router for
> > a site, as there is no post-decryption NAT protocol to
> > get packets back to a router on the inside of the network
> > (Apparently, Cisco VPN boxes have this capability, but
> > it's an add-on to IPSEC AFAICT).
>
> IPSEC is designed to thwart processes which corrupt packet headers
> (including NAT).

In my scenario, NAT would occur after decryption, allowing IPSEC routers
to be placed at arbitrary points in the internal net. As I understand it,
Cisco's VPN box does just that.

Thanks for your input.

Jim

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
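The two points made in the exchange above, as an added example that is not part of the thread and not code from FreeBSD or Cisco: a small standard-library Python model of (1) why a NAT in the path breaks AH, whose ICV covers the IP addresses, and (2) why Jim's ordering works with ESP in tunnel mode, where the outer IP header is outside the ICV and the inner packet, once verified and decrypted by an internal IPsec router, is plain IP that the router can NAT to its own address so that replies route back through it. Keys, addresses, the payload and the HMAC-based stream cipher (a stand-in for the SA's real cipher, not an IPsec transform) are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed keys; stand-ins for one security association's auth/cipher keys.
AUTH_KEY = b"constructed-auth-key"
ENC_KEY = b"constructed-enc-key"


def ipv4_header(src, dst, proto, ttl=64):
    """20-byte IPv4 header; checksum left zero since nothing here validates it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def nat_rewrite(ip_hdr, src=None, dst=None):
    """What a NAT does to a header: overwrite the address fields in place."""
    hdr = bytearray(ip_hdr)
    if src:
        hdr[12:16] = ipaddress.IPv4Address(src).packed
    if dst:
        hdr[16:20] = ipaddress.IPv4Address(dst).packed
    return bytes(hdr)


# --- AH: the ICV covers the IP header, including both addresses ------------
def ah_icv(ip_hdr, payload):
    """HMAC-SHA-256 truncated to 128 bits (RFC 4868) over the IP header with its
    mutable fields zeroed (RFC 4302) plus everything after it.  The addresses
    are immutable fields, so a NAT anywhere in the path invalidates the ICV."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0                # TOS/DSCP
    hdr[6:8] = b"\x00\x00"    # flags + fragment offset
    hdr[8] = 0                # TTL
    hdr[10:12] = b"\x00\x00"  # header checksum
    return hmac.new(AUTH_KEY, bytes(hdr) + payload, hashlib.sha256).digest()[:16]


def ah_verify(ip_hdr, payload, icv):
    return hmac.compare_digest(ah_icv(ip_hdr, payload), icv)


# --- ESP tunnel mode: ICV covers ESP header + ciphertext, not the outer IP --
def _xor_keystream(data, spi, seq):
    """Constructed counter-mode keystream from HMAC-SHA-256 keyed by ENC_KEY and
    the (SPI, seq) pair: a stand-in for the SA's real cipher, not an IPsec
    transform.  As with real ESP, a sequence number must never repeat."""
    out, ctr = b"", 0
    while len(out) < len(data):
        out += hmac.new(ENC_KEY, struct.pack("!III", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def esp_encapsulate(inner_packet, gw_src, gw_dst, spi, seq):
    """Outer IP header + ESP header + encrypted inner packet + ICV."""
    body = struct.pack("!II", spi, seq) + _xor_keystream(inner_packet, spi, seq)
    icv = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:16]
    return ipv4_header(gw_src, gw_dst, 50) + body + icv


def esp_decapsulate(packet):
    """Verify, then decrypt.  Returns the inner packet, or None on ICV failure."""
    body, icv = packet[20:-16], packet[-16:]
    if not hmac.compare_digest(hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:16], icv):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    return _xor_keystream(body[8:], spi, seq)


def demo():
    """Run both cases and return the observable results (constructed addresses)."""
    inner = ipv4_header("10.1.1.5", "10.2.2.9", 6)   # remote host -> local host
    payload = b"constructed TCP segment"
    results = {}

    # Case 1: AH applied end to end, then a NAT in the path rewrites the source.
    icv = ah_icv(inner, payload)
    results["ah_untouched"] = ah_verify(inner, payload, icv)
    results["ah_after_nat"] = ah_verify(nat_rewrite(inner, src="192.0.2.7"), payload, icv)

    # Case 2: ESP tunnel between gateways.  The border router rewrites only the
    # outer destination towards an internal IPsec router (a 1:1 address NAT; a
    # real one would also fix the outer checksum).  That still verifies because
    # the outer header is outside the ICV.  After decryption the inner packet is
    # plain IP, so the internal router NATs its source to the router's own
    # address and replies come back through it.
    tunnelled = esp_encapsulate(inner + payload, "203.0.113.1", "198.51.100.1", spi=0x1000, seq=1)
    tunnelled = nat_rewrite(tunnelled[:20], dst="10.2.0.1") + tunnelled[20:]
    decrypted = esp_decapsulate(tunnelled)
    results["esp_after_outer_nat"] = decrypted == inner + payload
    if decrypted is not None:
        post_nat = nat_rewrite(decrypted[:20], src="10.2.0.1") + decrypted[20:]
        results["inner_src_after_nat"] = str(ipaddress.IPv4Address(post_nat[12:16]))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model deliberately covers only address rewriting: a NAT that needs transport ports to keep state cannot see them inside ESP, which is the separate problem the thread does not discuss, and the outer IP checksum is neither computed nor checked here.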
