Planet IT (TechWeb) : Security : Firewalls : Technology Feature
Why Can't IPsec and NAT Just Get Along?
PAGE 6 OF 7

The only SPI that needs to be mapped to an internal IP address is the inbound SPI selected by the IPsec client, because the NAPT device has to know which internal host an inbound ESP packet belongs to. Outbound traffic passes without a problem: the NAPT device simply rewrites the IPsec client's source address to its own public address, and the outbound SPI needs no mapping at all.

There are some caveats, however. First, this scenario works only when the IPsec client behind the NAPT device initiates the IPsec VPN. If the IPsec gateway tries to initiate the connection, the NAPT device will block the negotiation, because it has no mapping telling it where to send IKE's inbound UDP packets (port 500). For the same reason, you cannot host a Web server behind a NAPT device without port redirection, a static rule under which all packets arriving on a specific inbound port are sent to a fixed internal IP address. Port redirection works only when it has been preconfigured; the NAPT device cannot learn it from traffic.

Second, you will have to configure your IPsec gateway to accept the IKE negotiation from the NAPT device's public address at minimum, or from any IP address. ESP identifies the SA an inbound packet belongs to by the SPI, the destination IP address and the protocol number; the source address is not part of that lookup. Because the IPsec gateway knows the IPsec client only by the NAPT address, that is the address the gateway will record for the client's SA.

Finally, much IKE authentication is still handled with a preshared secret, or password, which is bound to an IP address: in IKEv1 main mode the gateway must pick the secret by the peer's source address, before it can decrypt the peer's identity. Therefore, you have to tell the IPsec gateway to expect that secret from the NAPT IP address. Because remote users often connect via dynamic IP addresses allocated by their ISPs, nearly all IPsec gateways can associate a shared secret with an address range. The trade-off is that a secret shared across a whole range is known to every host in it, so it authenticates the group rather than the individual user.
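As an added illustration, not taken from the original article, here is a small Python model of the whole scenario on this page: IKE over UDP port 500 and ESP passing through a NAPT device, the gateway's SA lookup by destination address, SPI and protocol, the gateway-initiated case that fails unless port redirection is preconfigured, and a preshared secret chosen by address range. The addresses, SPI values and secret are constructed, and the rule by which the model's NAPT device binds the first inbound SPI from a gateway to the client that last sent ESP to that gateway is an assumed passthrough heuristic, not a standard.

```python
"""Toy model: one IPsec client behind a NAPT device and an IPsec gateway.
All addresses, SPIs and secrets below are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field

UDP, ESP, IKE_PORT = 17, 50, 500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0   # UDP only
    dport: int = 0   # UDP only
    spi: int = 0     # ESP only


@dataclass
class Napt:
    public_ip: str
    redirects: dict = field(default_factory=dict)     # preconfigured inbound port -> internal IP
    udp_map: dict = field(default_factory=dict)       # public port -> (internal IP, internal port)
    esp_map: dict = field(default_factory=dict)       # client-chosen inbound SPI -> internal IP
    last_esp_src: dict = field(default_factory=dict)  # gateway IP -> internal host that last sent ESP
    next_port: int = 40000

    def outbound(self, pkt):
        """Rewrite the source to the public address and record state for the reply."""
        if pkt.proto == UDP:
            key = (pkt.src, pkt.sport)
            pub_port = next((p for p, v in self.udp_map.items() if v == key), None)
            if pub_port is None:
                pub_port, self.next_port = self.next_port, self.next_port + 1
                self.udp_map[pub_port] = key
            return Packet(self.public_ip, pkt.dst, UDP, pub_port, pkt.dport)
        if pkt.proto == ESP:
            # ESP carries no ports; the outbound SPI needs no mapping at all.
            self.last_esp_src[pkt.dst] = pkt.src
            return Packet(self.public_ip, pkt.dst, ESP, spi=pkt.spi)
        return None

    def inbound(self, pkt):
        """Deliver to the internal host, or drop (None) when no mapping exists."""
        if pkt.proto == UDP:
            if pkt.dport in self.udp_map:
                ip, port = self.udp_map[pkt.dport]
                return Packet(pkt.src, ip, UDP, pkt.sport, port)
            if pkt.dport in self.redirects:  # static port redirection
                return Packet(pkt.src, self.redirects[pkt.dport], UDP, pkt.sport, pkt.dport)
            return None
        if pkt.proto == ESP:
            if pkt.spi not in self.esp_map:
                # First ESP back from a gateway: bind the client-chosen inbound SPI to the
                # host that last sent ESP to that gateway (assumed passthrough heuristic).
                if pkt.src not in self.last_esp_src:
                    return None
                self.esp_map[pkt.spi] = self.last_esp_src[pkt.src]
            return Packet(pkt.src, self.esp_map[pkt.spi], ESP, spi=pkt.spi)
        return None


class Gateway:
    def __init__(self, ip, psk_ranges):
        self.ip = ip
        self.sad = {}  # (destination IP, SPI, protocol) -> peer address
        # Preshared secrets keyed by address range, as for dynamically addressed peers.
        self.psk_ranges = [(ipaddress.ip_network(n), s) for n, s in psk_ranges]

    def psk_for(self, peer_ip):
        addr = ipaddress.ip_address(peer_ip)
        return next((s for net, s in self.psk_ranges if addr in net), None)

    def add_inbound_sa(self, spi, peer_ip):
        self.sad[(self.ip, spi, ESP)] = peer_ip

    def lookup_sa(self, pkt):
        # The SA selector is destination address, SPI and protocol; the source address
        # is not part of the key, so the NAPT device rewriting it does not matter.
        return self.sad.get((pkt.dst, pkt.spi, pkt.proto))


CLIENT, NAPT_IP, GW_IP = "192.168.1.10", "203.0.113.1", "198.51.100.7"


def client_initiated():
    """Client behind the NAPT device starts IKE; ESP then flows both ways."""
    napt, gw = Napt(NAPT_IP), Gateway(GW_IP, [("203.0.113.0/24", "range-secret")])
    ike_out = napt.outbound(Packet(CLIENT, GW_IP, UDP, IKE_PORT, IKE_PORT))
    secret = gw.psk_for(ike_out.src)  # the gateway sees only the NAPT address
    ike_back = napt.inbound(Packet(GW_IP, NAPT_IP, UDP, IKE_PORT, ike_out.sport))
    gw.add_inbound_sa(0x2002, peer_ip=ike_out.src)  # gateway chose SPI 0x2002 for its inbound SA
    esp_out = napt.outbound(Packet(CLIENT, GW_IP, ESP, spi=0x2002))
    esp_back = napt.inbound(Packet(GW_IP, NAPT_IP, ESP, spi=0x1001))  # client chose SPI 0x1001
    return secret, ike_back.dst, esp_out.src, gw.lookup_sa(esp_out), esp_back.dst


def gateway_initiated(redirect):
    """Gateway sends the first IKE packet: dropped unless UDP 500 is redirected."""
    napt = Napt(NAPT_IP, redirects={IKE_PORT: CLIENT} if redirect else {})
    delivered = napt.inbound(Packet(GW_IP, NAPT_IP, UDP, IKE_PORT, IKE_PORT))
    return None if delivered is None else delivered.dst
```

Calling client_initiated() returns the range secret, the client's address for the IKE reply, the NAPT address as the source the gateway sees on ESP and records in its SA, and the client's address for the returning ESP; gateway_initiated(False) returns None because no mapping exists, while gateway_initiated(True) delivers to the client only because the redirection was preconfigured.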
