IPsec over NAT
One of the biggest deployment blockers for IPsec is the presence of NAT (network address translation). IPsec authenticates computers; NAT hides them. So they are fundamentally at odds.
Three problems loomed over IPsec and NAT:
- AH integrity violation
- IPsec "helpers"
- IKE fragmentation
On Windows Server 2003 it is now possible to deploy L2TP+IPsec VPNs even when a NAT sits between the peers: the ESP traffic is carried inside UDP, combined with NAT-T (NAT traversal).
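The first of the three problems, the AH integrity violation, comes down to what each protocol's integrity check covers. The following is an added example (not code from the post or from the book it summarises) that models it: an AH-style ICV is computed over the outer IP header with only the mutable fields zeroed, so a router hop survives but a NAT rewriting the source address does not; an ESP-style ICV covers only the ESP portion, and with NAT-T (RFC 3948) the ESP packet is wrapped in UDP on port 4500 so a NAPT has a port to translate. The key, SPI, addresses and payload are constructed sample values, and the HMAC-SHA-256-128 ICV is one plausible integrity algorithm, not a claim about what Windows Server 2003 negotiates.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key. A real SA key is negotiated by IKE; it is never a literal in code.
AUTH_KEY = b"constructed-demo-authentication-key"
ICV_LEN = 16        # HMAC-SHA-256-128 truncation (RFC 4868)
NAT_T_PORT = 4500   # UDP port used by NAT-T (RFC 3948)

# Outer IPv4 fields that legitimately change in transit; AH zeroes them before
# computing its ICV (RFC 4302). Source/destination addresses are NOT in this set.
MUTABLE_IP_FIELDS = ("tos", "flags_frag", "ttl", "checksum")


def pack_ipv4(h: dict) -> bytes:
    """Serialise a minimal 20-byte IPv4 header (no options)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, h["tos"], h["total_length"], h["ident"], h["flags_frag"],
        h["ttl"], h["protocol"], h["checksum"],
        socket.inet_aton(h["src"]), socket.inet_aton(h["dst"]),
    )


def ah_icv(ip_hdr: dict, payload: bytes) -> bytes:
    """AH-style ICV: covers the outer IP header (mutable fields zeroed) plus everything after it."""
    covered = dict(ip_hdr, **{f: 0 for f in MUTABLE_IP_FIELDS})
    return hmac.new(AUTH_KEY, pack_ipv4(covered) + payload, hashlib.sha256).digest()[:ICV_LEN]


def esp_packet(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP-style packet: SPI, sequence number, payload (left unencrypted here for clarity),
    then an ICV that covers only the ESP portion, never the outer IP header."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_verify(pkt: bytes) -> bool:
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN], icv)


def nat_t_encapsulate(esp: bytes, src_port: int = NAT_T_PORT) -> bytes:
    """UDP-encapsulated ESP (RFC 3948): an 8-byte UDP header in front of the ESP packet.
    The non-zero SPI distinguishes it from IKE traffic sharing the same port."""
    return struct.pack("!HHHH", src_port, NAT_T_PORT, 8 + len(esp), 0) + esp


def nat_t_decapsulate(udp: bytes) -> bytes:
    return udp[8:]


def source_nat(ip_hdr: dict, public_src: str) -> dict:
    """What a NAT does on egress: rewrite the source address (plus the usual TTL/checksum changes)."""
    return dict(ip_hdr, src=public_src, ttl=ip_hdr["ttl"] - 1, checksum=0)


def napt_rewrite_udp_port(udp: bytes, new_src_port: int) -> bytes:
    """NAPT additionally rewrites the UDP source port so many hosts can share one public address."""
    _, dst, length, _ = struct.unpack("!HHHH", udp[:8])
    return struct.pack("!HHHH", new_src_port, dst, length, 0) + udp[8:]


def demo() -> dict:
    # Constructed packet: private host 192.168.1.10 behind a NAT, VPN gateway 203.0.113.5.
    hdr = {"tos": 0, "total_length": 52, "ident": 0x1234, "flags_frag": 0x4000, "ttl": 64,
           "protocol": 51, "checksum": 0x1A2B, "src": "192.168.1.10", "dst": "203.0.113.5"}
    payload = b"constructed inner packet"
    icv_sent = ah_icv(hdr, payload)

    # A plain router hop only touches mutable fields: AH still verifies.
    routed = dict(hdr, ttl=63, checksum=0x1B2B)
    # A NAT rewrites the source address, which AH treats as immutable: the ICV no longer matches.
    natted = source_nat(hdr, "198.51.100.7")

    # ESP's ICV ignores the outer header entirely, and with NAT-T the NAPT has a UDP port to translate.
    esp = esp_packet(spi=0x0000A5A5, seq=1, payload=payload)
    on_wire = napt_rewrite_udp_port(nat_t_encapsulate(esp), 61000)

    return {
        "ah_after_router": hmac.compare_digest(ah_icv(routed, payload), icv_sent),
        "ah_after_nat": hmac.compare_digest(ah_icv(natted, payload), icv_sent),
        "esp_nat_t_after_napt": esp_verify(nat_t_decapsulate(on_wire)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'FAILS integrity check'}")
```

Running `demo()` shows the AH packet verifying after a router hop but failing after the NAT, while the UDP-encapsulated ESP packet still verifies after the NAPT has changed both the outer address and the UDP source port. Real deployments also need the NAT-T detection and keepalive parts of the IKE exchange, which this model does not cover.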
Notes are taken from Protect Your Windows Network: From Perimeter to Data by Jesper M. Johansson and Steve Riley.