Why Can't IPsec and NAT Just Get Along?
PAGE 5 OF 7

This method is employed by vendors such as D-Link Systems, Linksys and Macsense Connectivity. You can expect to spend between $100 and $200 for an SME NAPT router.

Any IPsec packets that arrive at the NAPT device from the outside are forwarded by default to a single designated host. The trigger is the client itself: it starts the negotiation by sending IKE to the far end on UDP Port 500, and that outbound exchange tells the NAPT device to hand all IPsec traffic that comes back to that host. It has to work this way because the IPsec protocols carry nothing the translator can use. ESP and AH are IP protocols in their own right, assigned protocol Nos. 50 and 51, respectively, and have no port numbers to rewrite. (AH is a lost cause across NAT in any case, since its integrity check covers the source address the NAPT device rewrites; ESP is what these devices actually pass.) While not the most robust implementation, it does work for single installations. But what happens when multiple workstations behind the same device want to use IPsec?

In that case, you should get a product like Nexland's ISB2LAN or Asante Technologies' FriendlyNet 10/100 cable/DSL router, which supports multiple IPsec clients behind a NAPT device. These more robust products run between $150 and $250, depending on the features.

To get NAPT to work at all, the device relies on the uniqueness of the source port number to translate between the private and public networks: each inside host's source port is rewritten to an unused public port, and a reply addressed to that public port is mapped back to the host. IKE needs no special handling for this because it is a UDP protocol using Port 500, so its packets carry a source port like any other UDP traffic. One caveat: some IKE implementations insist that the peer's packets come from Port 500 as well and will not negotiate with a translated source port.

To pass the IPsec traffic itself between hosts, we need something equally unique, and we find it in our friend the SPI. Remember, each IPsec SA is identified by the SPI, the destination IP address and the protocol number. The two SPIs for a tunnel are chosen during the IKE negotiation at VPN setup, and the NAPT device maps that pair of SPI numbers to the associated VPN endpoint behind the NAT (see "Translating IPsec"). Note that the IKE Quick Mode exchange that carries the SPIs is encrypted, so the device cannot simply read them off the wire; in practice such a device has to learn the outbound SPI from the first ESP packet an inside host sends and bind the next unknown inbound SPI to that host. Two hosts setting up tunnels at the same moment can therefore be mismatched, so these products are only as good as their SPI-tracking heuristics.
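As an added example (not code from the article or from any vendor it names), here is a small Python model of the translation table such an NAPT device keeps for both halves of the problem discussed above: source-port rewriting for IKE over UDP, and SPI tracking for ESP, which has no ports. Addresses, SPI values and the packet layout are constructed for the demonstration. Because the Quick Mode messages that carry the SPIs are encrypted, the model binds the first unknown inbound SPI to the oldest inside host still waiting for one, falls back to a single designated host the way the cheaper devices do, and drops AH, whose integrity check would fail once the source address is rewritten.

```python
"""Toy NAPT translator for IPsec: UDP port mapping for IKE, SPI mapping for ESP."""
from dataclasses import dataclass, field
from typing import Optional

UDP, ESP, AH = 17, 50, 51      # IP protocol numbers
IKE_PORT = 500


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0             # UDP only
    dport: int = 0             # UDP only
    spi: int = 0               # ESP/AH only


@dataclass
class NAPT:
    public_ip: str
    designated_host: Optional[str] = None     # single-host fallback (constructed assumption)
    next_port: int = 40000                    # next free public UDP port
    udp_out: dict = field(default_factory=dict)   # (priv_ip, priv_port) -> public port
    udp_in: dict = field(default_factory=dict)    # public port -> (priv_ip, priv_port)
    spi_out: dict = field(default_factory=dict)   # outbound SPI -> inside host
    spi_in: dict = field(default_factory=dict)    # inbound SPI -> inside host
    pending: list = field(default_factory=list)   # hosts whose inbound SPI is not yet known

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet leaving the private network; record what is needed for the reply."""
        if pkt.proto == UDP:
            key = (pkt.src, pkt.sport)
            if key not in self.udp_out:            # first packet of this flow: allocate a port
                self.udp_out[key] = self.next_port
                self.udp_in[self.next_port] = key
                self.next_port += 1
            return Packet(UDP, self.public_ip, pkt.dst, self.udp_out[key], pkt.dport)
        if pkt.proto == ESP:
            if pkt.spi not in self.spi_out:        # new outbound SA: remember who owns it
                self.spi_out[pkt.spi] = pkt.src
                if pkt.src not in self.pending:
                    self.pending.append(pkt.src)   # its inbound SPI will show up shortly
            return Packet(ESP, self.public_ip, pkt.dst, spi=pkt.spi)
        return None                                # AH cannot survive the address rewrite

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet arriving from the public side to an inside host, or drop it (None)."""
        if pkt.proto == UDP:
            key = self.udp_in.get(pkt.dport)
            if key is None:
                return None
            priv_ip, priv_port = key
            return Packet(UDP, pkt.src, priv_ip, pkt.sport, priv_port)
        if pkt.proto == ESP:
            host = self.spi_in.get(pkt.spi)
            if host is None:
                if self.pending:                   # heuristic: oldest host waiting gets this SPI
                    host = self.pending.pop(0)
                    self.spi_in[pkt.spi] = host
                elif self.designated_host:         # cheap-router behaviour: one IPsec host
                    host = self.designated_host
                else:
                    return None
            return Packet(ESP, pkt.src, host, spi=pkt.spi)
        return None


def demo() -> dict:
    """Two inside hosts bring up tunnels to one gateway through a single public address."""
    nat = NAPT(public_ip="203.0.113.1")            # constructed addresses
    gw = "198.51.100.7"
    # Host A negotiates IKE: UDP/500 out, the reply comes back to the translated port.
    out = nat.outbound(Packet(UDP, "10.0.0.2", gw, IKE_PORT, IKE_PORT))
    back = nat.inbound(Packet(UDP, gw, nat.public_ip, IKE_PORT, out.sport))
    # Host A's first ESP packet carries its outbound SPI; the gateway answers with its own.
    nat.outbound(Packet(ESP, "10.0.0.2", gw, spi=0x1000))
    a_in = nat.inbound(Packet(ESP, gw, nat.public_ip, spi=0xA000))
    # Host B does the same; the translator must keep the two tunnels apart.
    nat.outbound(Packet(ESP, "10.0.0.3", gw, spi=0x2000))
    b_in = nat.inbound(Packet(ESP, gw, nat.public_ip, spi=0xB000))
    return {
        "ike_reply_host": back.dst, "ike_reply_port": back.dport,
        "a_host": a_in.dst, "b_host": b_in.dst,
        "unknown_spi": nat.inbound(Packet(ESP, gw, nat.public_ip, spi=0xC000)),
    }


if __name__ == "__main__":
    print(demo())
```

The `pending` list is where the weakness lives: if hosts A and B both send their first ESP packet before either gateway reply arrives, the first inbound SPI is bound to whichever host queued first, and a slow gateway can leave B's tunnel delivered to A. That is the failure mode to test for when evaluating a multi-client passthrough router.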

