At 14:20 09/08/01, Matt Holdrege wrote:
Wrong! Most IETF'ers I know tunnel back to their home offices. I personally
use an IPsec/IKE implementation that doesn't care much for NAT.
If the remote ESP tunnel endpoint (and IKE KM endpoint) is on the
external interface of a box that is also performing NAT on the inside
interface, there just isn't a problem. Lots of the economical
gateway/firewall/encryptor widgets work this way. This approach
actually works quite well, particularly if one's employer has an
internal network using private address space.
This approach does mean that the mobile host has a different IP address
for the RED ESP network interface than for its BLACK physical network
interface. Laptops at IETF with ESP tunnels back to one's employer
date back at least to late 1995, when danmcd was doing it (complete
with automated session key change every 24 hours), though he wasn't
using NAT (employer had lots of globally routable IP addresses).
Mind, the original designer of ESP/AH erroneously thought that
ESP/AH would mainly be used to provide end-to-end security,
rather than gateway-to-gateway security (which is how it has
played out).
Cheers,
Ran
rja(_at_)inet(_dot_)org
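As an added illustration of Ran's point about putting the tunnel endpoint on the NAT box's external interface (example code written for this page, not from the thread or any IPsec implementation), the toy model below encapsulates a packet with ESP or AH and then checks what the remote gateway sees with and without a NAT in the path. It assumes an HMAC over selected packet fields as a stand-in for the real ICV, constructed sample addresses, and a simplified peer check that the outer source address matches the address the SA was set up with.

```python
# Added example, not from the thread: toy model of an IPsec tunnel endpoint
# on the NAT box's external interface versus one sitting behind the NAT.
# HMAC over packet fields stands in for the real ICV; all addresses are
# constructed sample values.
import copy, hashlib, hmac

KEY = b"constructed-demo-key"
EMPLOYER_GW = "198.51.100.1"   # remote ESP/IKE endpoint (constructed)
LAPTOP_RED = "10.0.0.5"        # private address on the RED ESP interface (constructed)
PUBLIC_IP = "203.0.113.1"      # external interface of the NAT box (constructed)

def icv(fields):
    blob = repr(sorted(fields.items())).encode()
    return hmac.new(KEY, blob, hashlib.sha256).hexdigest()

def covered(pkt):
    """ESP's ICV covers only the encapsulated packet; AH's ICV also covers
    the immutable outer header fields, including src and dst."""
    if pkt["proto"] == "ESP":
        return {"inner": pkt["inner"]}
    return {"src": pkt["src"], "dst": pkt["dst"], "inner": pkt["inner"]}

def encapsulate(inner, proto, outer_src):
    pkt = {"proto": proto, "src": outer_src, "dst": EMPLOYER_GW, "inner": inner}
    pkt["icv"] = icv(covered(pkt))
    return pkt

def nat_in_path(pkt):
    """A NAT between the tunnel endpoint and the peer rewrites the outer source."""
    out = copy.deepcopy(pkt)
    out["src"] = PUBLIC_IP
    return out

def peer_accepts(pkt, expected_src):
    """Simplified peer check: ICV valid, and outer source is the address the
    SA was negotiated with. Returns (icv_ok, src_ok)."""
    icv_ok = hmac.compare_digest(pkt["icv"], icv(covered(pkt)))
    return icv_ok, pkt["src"] == expected_src

INNER = {"src": LAPTOP_RED, "dst": "10.1.0.9", "payload": "hello"}

def endpoint_on_external_interface(proto):
    """The thread's layout: tunnel built on the public interface, no NAT in the path."""
    pkt = encapsulate(INNER, proto, PUBLIC_IP)
    return peer_accepts(pkt, expected_src=PUBLIC_IP)

def endpoint_behind_nat(proto):
    """Tunnel built from a private address, then a NAT rewrites the outer header."""
    pkt = nat_in_path(encapsulate(INNER, proto, "192.168.1.2"))
    return peer_accepts(pkt, expected_src="192.168.1.2")
```

With the endpoint on the external interface both ESP and AH pass; behind a NAT, ESP's ICV still verifies but the outer source no longer matches, and AH fails outright because its ICV covers the rewritten address.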