01-02-2002 06:51 AM - edited 02-20-2020 09:56 PM
I have a network provided by CBeyond (http://www.cbeyond.com). Basically it's data over voice (6 lines) and relatively high speed. They run NAT. Authentication on that network cannot occur with the Nortel Ethernet Access Client. CBeyond's technical rationale for why this won't work is (their words):
"Upon further investigation of this issue, we have determined that NAT and IPSec cannot work together. The reason: The IPSec Authentication Header (AH) runs the entire IP packet, including invariant header fields such as source and destination IP address, through a message digest algorithm to produce a keyed hash. This hash is used by the recipient to authenticate the packet. If any field in the original IP packet is modified, authentication will fail and the recipient will discard the packet. AH is intended to prevent unauthorized modification, source spoofing, and man-in-the-middle attacks. But NAT, by definition, modifies IP packets. Therefore, AH + NAT simply cannot work. The only solution we find for this scenario at this time is for the customer to request a public IP address for the workstation in question. Note that both endpoints must have public IP addresses for this to work."
Now I understand how IPSec works, but I believe that the CISCO ID 2400 series router can be configured to allow IPSec with DHCP and not have a public IP address on the client side (one is id'd for the gateway side). Can anyone help, as it seems CBeyond can't? bectc@yahoo.com.
01-02-2002 07:22 AM
Just to be clear its a Cisco IAD 2421. http://www.cisco.com/univercd/cc/td/doc/product/access/iad/iad2420/
02-01-2002 11:26 AM
Hello,
NAT + IPSEC with AH won't work.
But NAT + IPSEC without AH does work very well.
SR
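To make the distinction in the replies above concrete (AH breaks behind NAT, ESP does not), here is an added illustration that is not part of the original thread and is not CBeyond's, Nortel's or Cisco's code. It models the integrity check of the two IPsec protocols: AH's ICV covers the IP header (with the mutable fields TOS, flags/offset, TTL and checksum zeroed, so source and destination addresses are included), while ESP's ICV covers only the ESP header and payload. A NAT step rewrites the source address and recomputes the IP checksum, and each receiver then re-verifies. The addresses, key and payloads are constructed demo values, and HMAC-SHA256 truncated to 96 bits stands in for whatever algorithm a real SA negotiates.

```python
import hmac
import hashlib
import ipaddress
import struct

# Constructed demo values: a private host behind the NAT, the NAT's
# public address, the remote VPN gateway, and a shared secret.
PRIVATE_SRC = "10.0.0.5"
NAT_PUBLIC_SRC = "203.0.113.7"
GATEWAY_DST = "198.51.100.1"
KEY = b"constructed-demo-key"
PROTO_ESP = 50
PROTO_AH = 51


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def ah_icv(key: bytes, ip_header: bytes, payload: bytes) -> bytes:
    """AH-style ICV: the MAC covers the IP header with only the fields that
    legitimately change in transit zeroed. Addresses are NOT zeroed, which
    is exactly why a NAT rewrite invalidates the value."""
    hdr = bytearray(ip_header)
    hdr[1] = 0                # TOS / DSCP
    hdr[6:8] = b"\x00\x00"    # flags + fragment offset
    hdr[8] = 0                # TTL
    hdr[10:12] = b"\x00\x00"  # header checksum
    return hmac.new(key, bytes(hdr) + payload, hashlib.sha256).digest()[:12]


def esp_icv(key: bytes, esp_header: bytes, payload: bytes) -> bytes:
    """ESP-style ICV: covers the ESP header (SPI, sequence) and payload,
    never the outer IP header, so address rewriting cannot affect it."""
    return hmac.new(key, esp_header + payload, hashlib.sha256).digest()[:12]


def nat_rewrite_source(ip_header: bytes, new_src: str) -> bytes:
    """What a NAT does on egress: swap the source address and recompute
    the IP header checksum. Nothing past the IP header is touched."""
    hdr = bytearray(ip_header)
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def ah_verifies_without_nat() -> bool:
    """Control case: AH on a direct path (public address both ends)."""
    payload = b"constructed inner datagram"
    sent = build_ipv4_header(NAT_PUBLIC_SRC, GATEWAY_DST, PROTO_AH, len(payload))
    icv = ah_icv(KEY, sent, payload)
    return hmac.compare_digest(icv, ah_icv(KEY, sent, payload))


def ah_survives_nat() -> bool:
    """AH behind NAT: the gateway recomputes over the header it received."""
    payload = b"constructed inner datagram"
    sent = build_ipv4_header(PRIVATE_SRC, GATEWAY_DST, PROTO_AH, len(payload))
    icv = ah_icv(KEY, sent, payload)                    # computed by the client
    received = nat_rewrite_source(sent, NAT_PUBLIC_SRC)  # rewritten in transit
    return hmac.compare_digest(icv, ah_icv(KEY, received, payload))


def esp_survives_nat() -> bool:
    """ESP behind NAT: the outer header changes, but the ICV never covered it."""
    esp_header = struct.pack("!II", 0x1000, 1)  # SPI + sequence number
    payload = b"constructed ciphertext"
    sent = build_ipv4_header(PRIVATE_SRC, GATEWAY_DST, PROTO_ESP, 8 + len(payload))
    icv = esp_icv(KEY, esp_header, payload)
    received = nat_rewrite_source(sent, NAT_PUBLIC_SRC)
    assert received != sent  # the NAT really did change the outer header
    return hmac.compare_digest(icv, esp_icv(KEY, esp_header, payload))


if __name__ == "__main__":
    print("AH, no NAT:  ", ah_verifies_without_nat())  # True
    print("AH via NAT:  ", ah_survives_nat())          # False
    print("ESP via NAT: ", esp_survives_nat())         # True
```

In practice an ESP tunnel through a NAT usually also needs NAT traversal (UDP encapsulation of ESP, RFC 3948) so that the NAT has ports to track and so IKE can detect the address change; that is a separate mechanism from the integrity check modelled here, which is the only thing the AH objection in the thread is about.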