I have a network provided by CBeyond (http://www.cbeyond.com). Basically it's data over voice (6 lines) and relatively high speed. They run NAT. Authentication on that network cannot occur with the Nortel Ethernet Access Client. CBeyond's technical rationale for why this won't work is (their words): Upon further investigation of this issue, we have determined that NAT and IPSec cannot work together. The reason:

The IPSec Authentication Header (AH) runs the entire IP packet, including invariant header fields such as source and destination IP address, through a message digest algorithm to produce a keyed hash. This hash is used by the recipient to authenticate the packet. If any field in the original IP packet is modified, authentication will fail and the recipient will discard the packet. AH is intended to prevent unauthorized modification, source spoofing, and man-in-the-middle attacks. But NAT, by definition, modifies IP packets. Therefore, AH + NAT simply cannot work. The only solution we find for this scenario at this time is for the customer to request a Public IP address for the workstation in question. Note that both end points must have public IP addresses for this to work.

Now I understand how IPSec works, but I believe that the CISCO ID 2400 series router can be configured to allow IPSec with DHCP and not have a public IP address on the client side (one is id'd for the gateway side). Can anyone help, as it seems CBeyond can't. email@example.com.
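To make the AH-versus-NAT argument quoted above concrete, here is an added Python example (not from the original post, nor from CBeyond, Nortel or Cisco) that models how AH computes its integrity check value over an IPv4 header. The key, addresses and payload are constructed sample values; the integrity algorithm is HMAC-SHA1 truncated to 96 bits, which is the HMAC-SHA1-96 transform defined for IPsec, and the mutable fields that AH zeroes before hashing (TOS, flags/fragment offset, TTL, header checksum) follow RFC 4302. It shows that a normal router hop (TTL decrement) leaves the check valid, while a NAT rewriting the source address breaks it, which is exactly the failure the quoted explanation describes.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key. In real IPsec the AH key is negotiated by IKE.
KEY = b"constructed-demo-key"

def build_ipv4_header(src, dst, ttl=64, proto=51, total_len=60):
    # Build a minimal 20-byte IPv4 header with no options.
    # proto=51 is the IP protocol number for AH. The checksum is left as
    # zero here; it is a mutable field and is excluded from AH coverage.
    ver_ihl = (4 << 4) | 5
    tos, ident, flags_frag, checksum = 0, 0x1234, 0, 0
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident,
                       flags_frag, ttl, proto, checksum,
                       socket.inet_aton(src), socket.inet_aton(dst))

def ah_coverage(header):
    # AH authenticates the whole IP header, but fields that legitimately
    # change in transit are zeroed before hashing (RFC 4302): TOS/DSCP/ECN
    # (byte 1), flags + fragment offset (bytes 6-7), TTL (byte 8) and
    # header checksum (bytes 10-11). Source and destination addresses
    # (bytes 12-19) are immutable and therefore covered.
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def compute_icv(header, payload, key=KEY):
    # HMAC-SHA1-96: HMAC over the zeroed header plus payload, truncated to
    # the first 96 bits (12 bytes), as the IPsec transform specifies.
    return hmac.new(key, ah_coverage(header) + payload, hashlib.sha1).digest()[:12]

def verify_icv(header, payload, icv, key=KEY):
    # Receiver recomputes the ICV over what it actually received.
    return hmac.compare_digest(compute_icv(header, payload, key), icv)

def decrement_ttl(header):
    # What an ordinary router does on forwarding: TTL goes down by one.
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)

def nat_rewrite_source(header, new_src):
    # What a NAT does: the private source address is replaced with the
    # NAT's public address (a real NAT also fixes the header checksum,
    # which AH ignores anyway).
    h = bytearray(header)
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)

def demo():
    # Constructed sample addresses (RFC 1918 inside, documentation ranges outside).
    payload = b"constructed inner datagram"
    hdr = build_ipv4_header("192.168.1.10", "203.0.113.5")
    icv = compute_icv(hdr, payload)          # sender attaches this in the AH
    after_router = decrement_ttl(hdr)        # survives a plain router hop
    after_nat = nat_rewrite_source(hdr, "198.51.100.7")  # does not survive NAT
    return {
        "original": verify_icv(hdr, payload, icv),
        "after_ttl_decrement": verify_icv(after_router, payload, icv),
        "after_nat": verify_icv(after_nat, payload, icv),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authenticated' if ok else 'REJECTED'}")
```

The `after_nat` result is the reason a NAT in the path is fatal for AH regardless of configuration: the recipient cannot tell a NAT rewrite from the source spoofing AH is meant to detect, so the packet is dropped.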