Monday, April 24, 2006

Nat Transparency

Yesterday, I was talking to Mohan about it. I had read about this topic a couple of times, but since I could not understand it clearly, I left it at that.

If there is a NAT device between two IPsec endpoints, it rewrites the source address of the packet, so the integrity hash no longer matches at the other endpoint. To avoid this kind of failure we use NAT-T. NAT-T is configured on both ends to encapsulate the IPsec packet inside a UDP packet on port 4500. A NAT device somewhere in between can change the source address (and port) of this outer UDP packet only; the original packet inside stays intact, so the hash value still matches at the remote end. This is NAT-T, simplified :-)
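The following is an added example, not code from the original post: a simplified Python model of the two cases described above. A constructed integrity key, constructed addresses and a 16-byte truncated HMAC stand in for a real security association; the "AH-style" packet has its hash computed over the outer IP addresses (so a NAT rewrite breaks it), while the NAT-T packet carries the authenticated payload inside a UDP header on port 4500, which the simulated NAT may rewrite without touching the inner packet. Function names (`build_esp`, `udp_encap`, `nat_rewrite_udp`, and so on) are this example's own, not any vendor's API.

```python
import hmac
import hashlib
import struct
import ipaddress

NAT_T_PORT = 4500                           # UDP port used for NAT-T encapsulation
KEY = b"constructed-demo-integrity-key"     # constructed; real keys come from IKE
ICV_LEN = 16                                # truncated HMAC, like HMAC-SHA-256-128


def icv(data: bytes) -> bytes:
    """Integrity check value over `data` (truncated HMAC-SHA-256)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ip_header(src: str, dst: str) -> bytes:
    """Minimal stand-in for an outer IPv4 header: just src and dst addresses."""
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed


# --- ESP-style packet: hash covers SPI, sequence number and payload only ---

def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    hdr = struct.pack("!II", spi, seq)
    return hdr + payload + icv(hdr + payload)


def verify_esp(esp: bytes) -> bool:
    body, tag = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(icv(body), tag)


# --- AH-style packet: hash also covers the outer IP addresses ---

def build_ah_style(src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    outer = ip_header(src, dst)
    hdr = struct.pack("!II", spi, seq)
    return outer + hdr + payload + icv(outer + hdr + payload)


def verify_ah_style(pkt: bytes) -> bool:
    body, tag = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv(body), tag)


def nat_rewrite_ip(pkt: bytes, new_src: str) -> bytes:
    """Simulated NAT: rewrite the outer source address of a bare IP packet."""
    return ipaddress.IPv4Address(new_src).packed + pkt[4:]


# --- NAT-T: wrap the ESP packet in UDP (dst port 4500) before the NAT ---

def udp_encap(src: str, dst: str, sport: int, esp: bytes) -> bytes:
    # UDP header: sport, dport, length, checksum (zero; receivers may ignore it)
    udp = struct.pack("!HHHH", sport, NAT_T_PORT, 8 + len(esp), 0)
    return ip_header(src, dst) + udp + esp


def nat_rewrite_udp(pkt: bytes, new_src: str, new_sport: int) -> bytes:
    """Simulated NAT: rewrite outer source address and UDP source port only."""
    ip = ipaddress.IPv4Address(new_src).packed + pkt[4:8]      # new src, same dst
    udp = struct.pack("!H", new_sport) + pkt[10:16]            # new sport, rest kept
    return ip + udp + pkt[16:]                                 # inner ESP untouched


def decap_and_verify(pkt: bytes) -> bool:
    """Receiver side: strip outer IP + UDP (16 bytes here) and check the ESP ICV."""
    return verify_esp(pkt[16:])


def demo() -> dict:
    """Run both cases through a simulated NAT; returns which ones still verify."""
    inner = b"constructed inner packet"
    ah = build_ah_style("10.0.0.5", "203.0.113.7", 0x2000, 1, inner)
    esp = build_esp(0x1000, 1, inner)
    natt = udp_encap("10.0.0.5", "203.0.113.7", NAT_T_PORT, esp)
    return {
        "ah_before_nat": verify_ah_style(ah),
        "ah_after_nat": verify_ah_style(nat_rewrite_ip(ah, "198.51.100.9")),
        "natt_before_nat": decap_and_verify(natt),
        "natt_after_nat": decap_and_verify(nat_rewrite_udp(natt, "198.51.100.9", 61000)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ICV matches' if ok else 'ICV MISMATCH'}")
```

The model deliberately leaves out what real NAT-T adds on top: the endpoints first detect the NAT during IKE negotiation and only then switch to UDP encapsulation, and they send periodic keepalives so the NAT mapping for port 4500 does not expire. It also shows why NAT-T is an ESP feature: a hash that covers the outer address, as AH does, cannot survive address translation no matter how it is wrapped.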
