Sunday, July 24, 2005

IPsec over NAT

One of the biggest deployment blockers for IPsec is the presence of NAT (network address translation). IPsec authenticates computers; NAT hides them. So they are fundamentally at odds.

Three problems loomed over IPsec and NAT:
  • AH integrity violation
  • IPsec "helpers"
  • IKE fragmentation

It is now possible to deploy L2TP+IPsec VPNs on Windows Server 2003 even when a NAT sits in the path: ESP is carried inside UDP (UDP-ESP) and negotiated with NAT-T (NAT traversal).
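As an added example (not from the post or the book it cites), the simulation below shows why NAT breaks AH but not UDP-encapsulated ESP: AH's integrity check covers the IP addresses, ESP's does not. It also demultiplexes a UDP/4500 payload per RFC 3948 (keepalive, non-ESP marker for IKE, or ESP). The key, addresses and payload are constructed placeholders, and HMAC-SHA256 stands in for whatever integrity algorithm the SA negotiated.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"        # constructed; real SAs use IKE-negotiated keys
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: prefixes IKE carried on UDP/4500

def ah_icv(src, dst, payload):
    """AH's ICV covers the immutable IP header fields, addresses included, plus the payload."""
    covered = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:12]

def esp_icv(spi, seq, body):
    """ESP's ICV covers the ESP header and payload only; outer IP/UDP headers may change."""
    return hmac.new(KEY, struct.pack("!II", spi, seq) + body, hashlib.sha256).digest()[:12]

def nat_rewrite(pkt, public_ip):
    """Simulate a NAT: rewrite the source address; nothing else in the packet is touched."""
    return dict(pkt, src=public_ip)

def verify_ah(pkt):
    return hmac.compare_digest(ah_icv(pkt["src"], pkt["dst"], pkt["payload"]), pkt["icv"])

def verify_esp(pkt):
    return hmac.compare_digest(esp_icv(pkt["spi"], pkt["seq"], pkt["payload"]), pkt["icv"])

def classify_udp4500(data):
    """Demultiplex a UDP/4500 payload per RFC 3948: NAT keepalive, IKE, or ESP."""
    if data == b"\xff":
        return "keepalive"
    if data[:4] == NON_ESP_MARKER:
        return "ike"
    if len(data) >= 8:
        return "esp"  # a real SPI is never zero, so ESP cannot look like the marker
    return "invalid"

def nat_demo():
    """Push one AH packet and one UDP-encapsulated ESP packet through the simulated NAT."""
    payload = b"constructed inner packet"
    ah = {"src": "10.0.0.5", "dst": "203.0.113.10", "payload": payload}
    ah["icv"] = ah_icv(ah["src"], ah["dst"], payload)
    esp = {"src": "10.0.0.5", "dst": "203.0.113.10", "spi": 0x1000, "seq": 1, "payload": payload}
    esp["icv"] = esp_icv(esp["spi"], esp["seq"], payload)
    return {"ah_before": verify_ah(ah), "ah_after_nat": verify_ah(nat_rewrite(ah, "198.51.100.7")),
            "esp_before": verify_esp(esp), "esp_after_nat": verify_esp(nat_rewrite(esp, "198.51.100.7"))}

if __name__ == "__main__":
    print(nat_demo())
```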

Notes are taken from Protect Your Windows Network: From Perimeter to Data by Jesper M. Johansson and Steve Riley.
