
IPSec Passthru

skeever
Level 1

I have been hearing a lot about how to technically make NAT work with IPSec in tunnel mode. We have several different types of VPN servers here at WorldCom and I was wondering if the NAPT built into IOS was going to be outfitted to handle the translation of IPSec? I know that there is a methodology out there that uses different fields in the IPSec header to track translation and would REALLY like to see it implemented in the home office routers like the 800 series.

Thanks

3 Replies

wdrootz
Level 4

Let me see if I can help you out with this. From what I understand NAPT can only be used for port specific IP protocols such as TCP or UDP. IP protocols used for VPN tunneling aren’t port specific and they require their own IP address. By having their own address they provide TCP and UDP while offering VPN protocol support simultaneously. You might want to check with your Cisco rep but I haven’t seen this with any competing products either, likely for these reasons.

Hope this helps!

fdrewes
Level 1

I have a similar need. There is a product from Linksys that can pass IPSec traffic from my NAT'ed address to the VPN server and it works fine. I can even have multiple inside IPSec sessions through a single real address. This is a $100 box. I'd like to see this functionality on our PIX firewalls. If a $100 box can do this, my big, expensive firewall should be able to do the same.

aameer
Level 1

Well, the IETF IPSec working group has not yet come out with a standard for IPSec over NAT. Cisco has a workaround for IPSec to work when the devices are behind a firewall that does NAT translation (NAT overload), which otherwise causes packets using the ESP and AH protocols to be dropped. This is known as IPSec over UDP; the packet integrity and authenticity are left intact and therefore IPSec works over NAT! This explanation can get as long as you want, so let me know if you need further details.

Cheers!
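The two points made in the replies above (wdrootz: NAPT needs ports, and ESP/AH have none; aameer: wrapping ESP in UDP gives the translator something to overload) can be modelled in a few dozen lines. The toy port-overloading NAT below is an added illustration, not code from any Cisco, Linksys or PIX product, and not from anyone in this thread. It uses the standardized NAT-T encapsulation (RFC 3948, UDP port 4500) rather than the Cisco-proprietary IPSec-over-UDP that aameer refers to; the addresses, SPIs and payloads are constructed, and ESP is reduced to an SPI/sequence header with an opaque body. With raw ESP, two inside hosts talking to the same VPN peer collapse onto one outside address and the returning ESP packet cannot be attributed to either; with UDP encapsulation, each host gets its own outside port and both sessions survive.

```python
"""Toy model of why NAPT (PAT) cannot multiplex raw ESP and why ESP-in-UDP fixes it.
Constructed example: addresses, SPIs and payloads are made up."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
NAT_T_PORT = 4500  # RFC 3948 ESP-in-UDP port (assumption: NAT-T, not Cisco's proprietary port)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for port-less protocols such as ESP (50) and AH (51)
    dport: Optional[int] = None
    payload: bytes = b""


class Napt:
    """Port-overloading NAT: many inside hosts share one outside address."""

    def __init__(self, outside_ip: str, first_port: int = 1024) -> None:
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.fwd: Dict[Tuple[str, int, int], int] = {}   # (inside, proto, sport) -> outside port
        self.rev: Dict[Tuple[int, int], Tuple[str, int]] = {}  # (proto, outside port) -> (inside, sport)
        self.portless: Dict[Tuple[int, str], Set[str]] = {}  # (proto, peer) -> inside hosts using it

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto in (PROTO_TCP, PROTO_UDP):
            key = (pkt.src, pkt.proto, pkt.sport)
            if key not in self.fwd:
                self.fwd[key] = self.next_port
                self.rev[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
                self.next_port += 1
            return replace(pkt, src=self.outside_ip, sport=self.fwd[key])
        # ESP/AH carry no port: rewriting the source address is all the translator can do
        # (AH would additionally fail its integrity check, since it covers the IP header).
        self.portless.setdefault((pkt.proto, pkt.dst), set()).add(pkt.src)
        return replace(pkt, src=self.outside_ip)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the un-translated packet, or None when it has to be dropped."""
        if pkt.dst != self.outside_ip:
            return None
        if pkt.proto in (PROTO_TCP, PROTO_UDP):
            hit = self.rev.get((pkt.proto, pkt.dport))
            if hit is None:
                return None
            inside, sport = hit
            return replace(pkt, dst=inside, dport=sport)
        owners = self.portless.get((pkt.proto, pkt.src), set())
        if len(owners) != 1:  # no port to disambiguate: zero or several candidate hosts
            return None
        return replace(pkt, dst=next(iter(owners)))


def esp(spi: int, seq: int, body: bytes) -> bytes:
    """Minimal ESP: SPI and sequence number followed by the (notionally encrypted) body."""
    return spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + body


def udp_encapsulate(pkt: Packet) -> Packet:
    """ESP-in-UDP as in RFC 3948: a UDP header, then the ESP packet unchanged."""
    assert pkt.proto == PROTO_ESP
    return Packet(pkt.src, pkt.dst, PROTO_UDP, NAT_T_PORT, NAT_T_PORT, pkt.payload)


def udp_decapsulate(pkt: Packet) -> Optional[Packet]:
    """Peel the UDP header. Four zero bytes where the SPI would be is the RFC 3948
    Non-ESP marker, meaning IKE rather than ESP, so it is not returned as ESP."""
    if pkt.proto != PROTO_UDP or pkt.dport != NAT_T_PORT or len(pkt.payload) < 8:
        return None
    if pkt.payload[:4] == b"\x00\x00\x00\x00":
        return None
    return Packet(pkt.src, pkt.dst, PROTO_ESP, None, None, pkt.payload)


def demo() -> dict:
    peer, host_a, host_b = "198.51.100.1", "10.0.0.5", "10.0.0.6"  # constructed addresses
    # 1. Raw ESP: two inside hosts behind one outside address, both talking to the same peer.
    nat = Napt("203.0.113.10")
    nat.outbound(Packet(host_a, peer, PROTO_ESP, payload=esp(0x1001, 1, b"from A")))
    nat.outbound(Packet(host_b, peer, PROTO_ESP, payload=esp(0x1002, 1, b"from B")))
    reply = Packet(peer, nat.outside_ip, PROTO_ESP, payload=esp(0x2001, 1, b"to ?"))
    raw_two_hosts = nat.inbound(reply)  # None: the translator cannot tell A from B
    # A single inside host is fine, because an address-only mapping is unambiguous.
    nat_single = Napt("203.0.113.10")
    nat_single.outbound(Packet(host_a, peer, PROTO_ESP, payload=esp(0x1001, 1, b"from A")))
    raw_one_host = nat_single.inbound(reply)
    # 2. ESP-in-UDP: NAPT now has source ports to overload, so both sessions survive.
    nat_t = Napt("203.0.113.10")
    out_a = nat_t.outbound(udp_encapsulate(Packet(host_a, peer, PROTO_ESP, payload=esp(0x1001, 1, b"from A"))))
    out_b = nat_t.outbound(udp_encapsulate(Packet(host_b, peer, PROTO_ESP, payload=esp(0x1002, 1, b"from B"))))
    back_a = nat_t.inbound(Packet(peer, nat_t.outside_ip, PROTO_UDP, NAT_T_PORT, out_a.sport, esp(0x2001, 1, b"to A")))
    back_b = nat_t.inbound(Packet(peer, nat_t.outside_ip, PROTO_UDP, NAT_T_PORT, out_b.sport, esp(0x2002, 1, b"to B")))
    return {
        "raw_two_hosts": raw_two_hosts,
        "raw_one_host": raw_one_host,
        "outside_ports": (out_a.sport, out_b.sport),
        "back_a": back_a,
        "back_b": back_b,
        "inner_a": udp_decapsulate(back_a) if back_a else None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Real translators sometimes paper over the raw-ESP case by tracking SPIs heuristically, which is what the Linksys box fdrewes mentions is likely doing; it works for one session per outside address and degrades once several inside hosts negotiate with the same peer, which is exactly the situation the UDP wrapper is designed to handle.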