North American Network Operators Group
Re: Block all servers?
Kee Hinckley wrote:
>
> At 6:30 PM +0200 10/14/03, Stefan Mink wrote:
> >On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote:
> >> > I use IPSEC and it works fine behind NAT.
> >>
> >> Yes, it does work, on a small scale. However what if your neighbor
> >> wants to IPSEC to the same place (say you work at the same place).
> >> If both of you are NAT'd from the same IP address trying to IPSEC
> >> to the same IP address? I don't believe things will work in this
> >> instance.
> >
> >why not? We use it here, works fine (with certificates for auth).
>
> From what I've seen it depends on whether the NAT has specific
> support for IPSEC, and if that support includes support for multiple
> clients. The NAT box has to keep track of the mapping. I've seen
> NATs priced based on how many VPN clients they support at a time.
>
> See http://www.dslreports.com/faq/4638

Quoting from that,

    Some routers permit multiple IPSec connections through NAT by
    uniquely identifying tunnels via the pair of SPI numbers snagged
    from an IKE exchange. These identifying numbers are stored in IPSec
    NAT table entries to allow correct routing of inbound ESP traffic.

Last time I looked, the SPIs are exchanged in an encrypted payload in
IKE. Am I mistaken? The router would have to mount a successful MIM
attack to do this.
-- 
Crist J. Clark                                       email@example.com
Globalstar Communications                                (408) 933-4387
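An added example, not part of the thread or of any vendor's NAT code, to make the point above concrete: the ESP header carries the SPI and sequence number in the clear (RFC 4303), but the SPI a NAT sees on outbound packets is the one the remote gateway chose, while the SPI on inbound packets is the one the inside host chose and only exchanged inside IKE. The toy NAT below (host names, gateway names, SPIs and packet bytes are all constructed) shows what can be learned from ESP alone: with one client per peer it can guess, with two clients to the same peer it cannot, and only an explicit registration (standing in for IKE visibility) resolves it.

```python
import struct
from typing import Dict, Optional, Set, Tuple

# ESP header (RFC 4303): 32-bit SPI then 32-bit sequence number, both sent in the clear;
# everything after them is ciphertext, so these two fields are all a NAT can read.
ESP_HDR = struct.Struct("!II")

def parse_esp(pkt: bytes) -> Tuple[int, int]:
    """Return (spi, seq) from the cleartext ESP header."""
    if len(pkt) < ESP_HDR.size:
        raise ValueError("truncated ESP header")
    return ESP_HDR.unpack_from(pkt)
def esp_packet(spi: int, seq: int, ciphertext: bytes = b"\x00" * 16) -> bytes:
    return ESP_HDR.pack(spi, seq) + ciphertext  # constructed: real header, dummy payload
class EspNat:
    """Toy model of ESP-aware NAT state (constructed here, not a real product). The SPI on
    an outbound packet was chosen by the remote peer; the SPI the peer uses on the way back
    was chosen by the inside host and appears only inside IKE's encrypted payload."""
    def __init__(self) -> None:
        self.inbound: Dict[Tuple[str, int], str] = {}  # (peer, inbound SPI) -> inside host
        self.hosts_per_peer: Dict[str, Set[str]] = {}  # peer -> inside hosts talking to it
    def learn_outbound(self, host: str, peer: str, pkt: bytes) -> int:
        spi, _ = parse_esp(pkt)  # the peer's receive SPI; says nothing about ours
        self.hosts_per_peer.setdefault(peer, set()).add(host)
        return spi
    def register_inbound(self, host: str, peer: str, spi: int) -> None:
        """What the NAT could do only if IKE visibility told it the inside host's receive SPI."""
        self.inbound[(peer, spi)] = host
    def route_inbound(self, peer: str, pkt: bytes) -> Optional[str]:
        """Pick the inside host for an inbound ESP packet; None means ambiguous (drop it)."""
        spi, _ = parse_esp(pkt)
        if (peer, spi) in self.inbound:
            return self.inbound[(peer, spi)]
        candidates = self.hosts_per_peer.get(peer, set())
        if len(candidates) == 1:  # a single client: guess it and pin the mapping
            host = next(iter(candidates))
            self.inbound[(peer, spi)] = host
            return host
        return None  # two clients, same peer, unknown SPI: no way to tell them apart

def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    nat = EspNat()  # hosts A and B both reach gateway G; only A reaches gateway H
    nat.learn_outbound("A", "G", esp_packet(0x1000, 1))
    nat.learn_outbound("B", "G", esp_packet(0x2000, 1))
    ambiguous = nat.route_inbound("G", esp_packet(0xAAAA, 1))  # A's SPI, never seen: None
    nat.register_inbound("A", "G", 0xAAAA)  # only possible if the NAT could read IKE
    resolved = nat.route_inbound("G", esp_packet(0xAAAA, 2))  # "A"
    nat.learn_outbound("A", "H", esp_packet(0x3000, 1))
    guessed = nat.route_inbound("H", esp_packet(0xBBBB, 1))  # "A", by elimination
    return ambiguous, resolved, guessed
```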