Wednesday, 14 March 2012

NAT Before IPSec VPN

NAT Before IPSec
When two sites are connected via IPSec if any of the network address ranges at each site overlap, the tunnel will not establish.
This occurs because it is not possible for the VPN termination devices to determine the site to which to forward the packets.
Utilizing NAT before IPSec overcomes this restriction by translating one set of the overlapping networks into a unique
network address range that will not interfere with the IPSec tunnel establishment. This is the only scenario where theCisco Systems
 
 
application of NAT is recommended. Be aware however that some protocols embed IP addresses in packet data segments.
In general, when address translation occurs, make sure that a protocol-aware device carries out the address translation, not
only in the IP header but also in the data segment of the packet. If the packet was not correctly address translated before it
entered the tunnel due to embedded IP addresses, when the packet exits the tunnel the remote application will not receive
the correct IP address embedded in the data segment. In this case, it is likely that the application will fail to function properly.
Many remote-access VPN clients today support the ability to use a virtual address assigned by the headend terminating VPN
device. Devices at the remote site may connect to the remote access client using this virtual address. This is actually carried
out by one-to-one address translating all packets traversing the tunnel. If the VPN client does not address translate packets
correctly or a new application arrives that is not yet supported, the application may fail to function.
In summary, use address ranges at your sites and remote access VPN client virtual address pools that do not overlap with the
addresses of other devices you will connect via IPSec.  If this is not possible, use NAT only in this scenario to allow for
connectivity. Don't address hide the public peer addresses of the VPN devices as this provides no real security value-add and
may cause connectivity problems. When you believe that NAT is involved and a remote-access client is not able to
successfully establish a tunnel or send packets over an established tunnel, consider enabling the NAT transparency mode.
Finally, be aware that the NAT transparency mode will not resolve the connection problems associated with client
applications that are not NAT friendly.
Posted by at

No comments:

Post a Comment

Note: only a member of this blog may post a comment.

Subscribe to: Post Comments (Atom)