Possible to pass IPSec through a NAT device

Posted on 2008-11-10
Medium Priority
Last Modified: 2012-05-05
We have a Cisco 1841 router with an external IP of 142.176.xxx.xxx.
Internally all our guests are given an IP via the 1841's built-in DHCP server in the range.
A client wants to use a VPN with IPSec with an authentication header. Is it not possible because the 1841 is set up as a NAT device?
My understanding is the NAT device (1841) changes the header info, and because of this change the receiving VPN server discards the packet because it's been altered. Is this correct? Is there any way around it?
Question by:huntleyj

Expert Comment

ID: 22922873
There is no way around your issue, using AH is impossible with NAT. The solution would be to use ESP with IPsec instead.

Expert Comment

ID: 22922944
NAT does not support VPN with IPsec.

I had the encounter once, the only solution I had was to tell the guest to use a dial up connection.

Not ideal, but it was a workaround.
Hope that helps!

Accepted Solution

Nothing_Changed earned 2000 total points
ID: 22923775
Using IPsec with ESP will work with NAT, even multiple NATs, since the payload is what the security checksum is run against, not the headers. The checksum is the same regardless of the IP addresses involved when using ESP; that is notably different from AH, and the primary reason that AH can't work with NAT.

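The point made in the accepted solution can be shown in a few lines of Python. This is an added example, not code from the thread or from any IPsec implementation: it models the integrity check value (ICV, the "security checksum" above) the way AH and ESP define it. AH computes its ICV over the IP header (with mutable fields such as TTL zeroed) plus the payload, so any NAT that rewrites the source or destination address invalidates it; ESP's ICV covers only the ESP header, payload and trailer, so an address rewrite on the outer header does not touch it. The addresses, key, payload and the simplified header layout are all constructed for the demo.

```python
"""Added example (not from the original thread): why NAT breaks AH but not ESP.

Toy model of the IPsec integrity check value (ICV). Real AH covers the
immutable IP header fields plus the payload; real ESP covers only the ESP
header, payload and trailer, never the outer IP header. Everything below
(key, addresses, payload, header layout) is constructed for the demo.
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"demo-shared-key"  # constructed; a real SA key is negotiated by IKE


def ip_header(src: str, dst: str, ttl: int = 64) -> bytes:
    """Minimal pseudo IPv4 header: 4-byte src, 4-byte dst, 1-byte TTL (constructed layout)."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!B", ttl))


def ah_icv(header: bytes, payload: bytes) -> bytes:
    """AH: ICV covers the addresses (immutable fields) plus payload; mutable TTL is zeroed."""
    immutable = header[:8] + b"\x00"
    return hmac.new(KEY, immutable + payload, hashlib.sha256).digest()


def esp_icv(payload: bytes) -> bytes:
    """ESP: ICV covers only the protected payload, never the outer IP header."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()


def decrement_ttl(header: bytes) -> bytes:
    """What every router hop does: TTL drops by one, addresses untouched."""
    return header[:8] + struct.pack("!B", header[8] - 1)


def nat_rewrite(header: bytes, new_src: str) -> bytes:
    """Source NAT: replace the private source address with the public one, decrement TTL."""
    return ipaddress.IPv4Address(new_src).packed + header[4:8] + struct.pack("!B", header[8] - 1)


def send_and_verify(mode: str, through_nat: bool) -> bool:
    """Simulate one packet from a guest host to the VPN server and return the
    result of the server's ICV check. mode is "AH" or "ESP"."""
    src, dst, nat_public = "192.168.1.10", "203.0.113.5", "198.51.100.1"  # constructed
    payload = b"hello from the guest LAN"

    # Sender computes the ICV over the packet as it builds it.
    hdr = ip_header(src, dst)
    icv = ah_icv(hdr, payload) if mode == "AH" else esp_icv(payload)

    # Packet crosses either a plain router or a NAT gateway.
    wire_hdr = nat_rewrite(hdr, nat_public) if through_nat else decrement_ttl(hdr)

    # Receiver recomputes over what actually arrived and compares.
    expected = ah_icv(wire_hdr, payload) if mode == "AH" else esp_icv(payload)
    return hmac.compare_digest(icv, expected)


if __name__ == "__main__":
    for mode in ("AH", "ESP"):
        for nat in (False, True):
            ok = send_and_verify(mode, nat)
            print(f"{mode:3} via {'NAT   ' if nat else 'router'}: {'accepted' if ok else 'DISCARDED'}")
```

AH passes through a plain router (TTL is a mutable field and is zeroed before the ICV is computed) but is discarded after NAT, while ESP is accepted in both cases. One practical caveat the thread does not mention: ESP carries no port numbers, so a port-translating (PAT) gateway such as a home or branch router cannot multiplex several ESP sessions. That is why real deployments run ESP through NAT with NAT Traversal (IKE and ESP wrapped in UDP port 4500, RFC 3947/3948), which both peers negotiate automatically when they detect a NAT in the path; make sure NAT-T is enabled on the VPN server and that UDP 500 and 4500 are allowed outbound.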
Author Closing Comment

ID: 31515068
That is what I thought, just wanted confirmation.
