North American Network Operators Group

Re: IPSEC and PAT
I believe that at least one VPN client also does UDP encapsulation for IPSEC packets specifically for NAT traversal.

Bora

On Thursday, September 13, 2001, at 08:23 PM, Tony Rall wrote:

On Thursday, 2001/09/13 at 21:43 AST, "Steven M. Bellovin" <[email protected]> wrote:

Actually you can have multiple IPSEC sessions hidden behind a NAT box with

I repeat -- it doesn't do PAT. Some "routers" -- they're really no such thing, of course; they're NAT boxes and/or bridges -- allow one host behind them to speak IPsec. If a host emits a packet using ESP, it's tagged as *the* IPsec user; return IPsec packets are routed to that host. (Some of these boxes may use manual configuration instead or in addition.) You can't have two IPsec hosts, because there's no way to know which should receive incoming packets -- there's no relationship between inbound and outbound SPIs.
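An added illustration, not part of the original messages: a toy NAT box in Python showing the behaviour discussed in the thread, where inbound raw ESP can only go to the one tagged host while UDP-encapsulated ESP is demultiplexed per host by port. The class names, addresses, SPIs and UDP port 4500 are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "esp" (no ports) or "udp" (ESP inside UDP)
    sport: Optional[int] = None
    dport: Optional[int] = None
    spi: Optional[int] = None     # chosen by the receiver of that direction

class NatBox:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.udp_map = {}         # public port -> inside IP
        self.next_port = 40000
        self.esp_host = None      # the single inside host tagged as "the" IPsec user

    def outbound(self, p):
        if p.proto == "udp":      # ordinary PAT: allocate a public port per flow
            port, self.next_port = self.next_port, self.next_port + 1
            self.udp_map[port] = p.src
            return Packet(self.public_ip, p.dst, "udp", port, p.dport, p.spi)
        self.esp_host = p.src     # raw ESP: no port to rewrite, just tag the sender
        return Packet(self.public_ip, p.dst, "esp", spi=p.spi)

    def inbound(self, p):
        """Return the inside IP the packet is forwarded to (None = dropped)."""
        if p.proto == "udp":
            return self.udp_map.get(p.dport)
        # The inbound SPI never appeared in outbound traffic, so it cannot be
        # used as a lookup key; the box can only forward to the tagged host.
        return self.esp_host

def demo():
    nat, gw = NatBox("203.0.113.1"), "198.51.100.7"
    # Constructed SPIs per inside host: (outbound SPI, unrelated inbound SPI)
    hosts = {"10.0.0.2": (0x1111, 0xAAAA), "10.0.0.3": (0x2222, 0xBBBB)}
    for ip, (out_spi, _) in hosts.items():
        nat.outbound(Packet(ip, gw, "esp", spi=out_spi))
    raw = {ip: nat.inbound(Packet(gw, nat.public_ip, "esp", spi=in_spi))
           for ip, (_, in_spi) in hosts.items()}
    encap = {}
    for ip, (out_spi, in_spi) in hosts.items():
        sent = nat.outbound(Packet(ip, gw, "udp", 4500, 4500, out_spi))
        reply = Packet(gw, nat.public_ip, "udp", 4500, sent.sport, in_spi)
        encap[ip] = nat.inbound(reply)
    return raw, encap             # maps intended host -> host that got the reply

if __name__ == "__main__":
    print(demo())
```

In the `raw` result the reply meant for 10.0.0.2 is delivered to 10.0.0.3, the last host tagged; in `encap` every reply reaches its intended host.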