Planet IT
Why Can't IPsec and NAT Just Get Along?
PAGE 3 OF 7

IPsec VPNs exchange information through logical connections called SAs (Security Associations). An SA is simply a definition of the protocols, algorithms and key validity time period used by the endpoints. Each IPsec VPN has two SAs, one in each direction. An SA is identified by three values. One of them is a unique number called the SPI (Security Parameter Index), which the destination assigns to each SA. The other two are the destination address and the protocol. The SPI is assigned by the destination rather than the originator because the destination may already have manually configured SPIs that the originator would not know about; letting the destination choose is what guarantees the SPI is unique.

Finally, the IKE (Internet Key Exchange) is a separate SA that is used to negotiate the other IPsec protocol parameters. IKE uses UDP Port 500 and as such can be passed through a NAT without any special handling, like any other TCP/UDP protocol. IKE is active during the entire lifetime of the lower-level SA.

Gimme the Good Stuff

Now here is where things get interesting. Let's look at some cases in which IPsec and NAT fail. NAT and AH IPsec will fail because, by definition, NAT changes the IP addressing of the IP packet, and AH will flag any change in the IP packet as a violation. Failure also occurs when there is a NAPT function between the two IPsec endpoints that doesn't know how to handle IPsec traffic.

Likewise, ESP IPsec and NAPT will fail because, in transport mode, the port numbers are protected by ESP, and any change to them will be flagged as a violation.
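The following is an added illustration, not code from the article or from any IPsec implementation, of the two points above: that an SA is looked up by the triple (SPI, destination address, protocol), and why AH fails behind a NAT while transport-mode ESP survives an address-only NAT but fails behind a NAPT. It is a deliberately simplified model: the integrity check value (ICV) is an HMAC-SHA256 over the protected bytes, encryption is omitted so the port rewrite can be shown, and the addresses, SPIs and keys are constructed sample values.

```python
"""Simplified model of AH and transport-mode ESP integrity protection.

Constructed example (not a real IPsec stack): HMAC-SHA256 stands in for the
ICV, ESP encryption is omitted, and all addresses, SPIs and keys are samples.
"""
import hashlib
import hmac
import struct
from typing import Optional

PROTO_ESP = 50
PROTO_AH = 51

# Security Association Database: each inbound SA is identified by the triple
# (SPI, destination address, protocol). Keys are constructed sample values.
SAD = {
    (0x1001, "192.0.2.10", PROTO_AH): bytes.fromhex("00112233445566778899aabbccddeeff"),
    (0x2002, "192.0.2.10", PROTO_ESP): bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


def lookup_sa(spi: int, dst: str, proto: int) -> Optional[bytes]:
    """Return the key of the SA identified by (SPI, dst, proto), or None."""
    return SAD.get((spi, dst, proto))


def ip4(addr: str) -> bytes:
    """Dotted-quad string to 4 bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def icv(key: bytes, protected: bytes) -> bytes:
    """Integrity Check Value over the protected bytes."""
    return hmac.new(key, protected, hashlib.sha256).digest()


def ah_protected(src: str, dst: str, ttl: int, spi: int, seq: int, payload: bytes) -> bytes:
    """Bytes covered by AH: the immutable IP header fields (source and
    destination address), the AH header and the payload. Mutable fields such
    as TTL are zeroed before hashing, so the ttl argument is deliberately
    replaced by a zero byte."""
    ttl_zeroed = b"\x00"
    return ip4(src) + ip4(dst) + ttl_zeroed + struct.pack("!II", spi, seq) + payload


def ah_sign(src: str, dst: str, ttl: int, spi: int, seq: int, payload: bytes) -> bytes:
    key = lookup_sa(spi, dst, PROTO_AH)
    return icv(key, ah_protected(src, dst, ttl, spi, seq, payload))


def ah_verify(src, dst, ttl, spi, seq, payload, tag) -> bool:
    key = lookup_sa(spi, dst, PROTO_AH)
    if key is None:
        return False
    return hmac.compare_digest(icv(key, ah_protected(src, dst, ttl, spi, seq, payload)), tag)


def esp_protected(spi: int, seq: int, ports: tuple, data: bytes) -> bytes:
    """Bytes covered by ESP in transport mode: the ESP header and the payload,
    which starts with the TCP header (source and destination port). The outer
    IP header is NOT covered. In real ESP this payload is also encrypted, so a
    NAPT could not even locate the ports; encryption is omitted here."""
    return struct.pack("!II", spi, seq) + struct.pack("!HH", *ports) + data


def esp_sign(dst: str, spi: int, seq: int, ports: tuple, data: bytes) -> bytes:
    key = lookup_sa(spi, dst, PROTO_ESP)
    return icv(key, esp_protected(spi, seq, ports, data))


def esp_verify(src, dst, spi, seq, ports, data, tag) -> bool:
    # src is accepted only to make the point visible: ESP never covers it.
    key = lookup_sa(spi, dst, PROTO_ESP)
    if key is None:
        return False
    return hmac.compare_digest(icv(key, esp_protected(spi, seq, ports, data)), tag)


def ah_through_nat() -> dict:
    """AH packet from a private host: a router decrementing TTL is fine,
    a NAT rewriting the source address breaks the ICV."""
    src, dst, spi, seq, payload = "10.0.0.5", "192.0.2.10", 0x1001, 7, b"ah-data"
    tag = ah_sign(src, dst, 64, spi, seq, payload)
    return {
        "ttl_decremented": ah_verify(src, dst, 63, spi, seq, payload, tag),
        "src_rewritten_by_nat": ah_verify("203.0.113.7", dst, 63, spi, seq, payload, tag),
    }


def esp_transport_through_nat() -> dict:
    """Transport-mode ESP: address-only NAT passes, NAPT port rewrite fails,
    and a packet whose SPI matches no SA at the destination is rejected."""
    dst, spi, seq, ports, data = "192.0.2.10", 0x2002, 7, (40000, 443), b"esp-data"
    tag = esp_sign(dst, spi, seq, ports, data)
    nat_src = "203.0.113.7"
    return {
        "src_rewritten_by_nat": esp_verify(nat_src, dst, spi, seq, ports, data, tag),
        "port_rewritten_by_napt": esp_verify(nat_src, dst, spi, seq, (51000, 443), data, tag),
        "unknown_spi": esp_verify(nat_src, dst, 0x9999, seq, ports, data, tag),
    }


if __name__ == "__main__":
    print("AH :", ah_through_nat())
    print("ESP:", esp_transport_through_nat())
```

Running the script shows AH accepting the TTL change but rejecting the rewritten source address, and ESP accepting the rewritten address but rejecting the rewritten port, which is exactly the split the text describes between NAT and NAPT.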
