Site-to-Site Considerations

In a traditional site-to-site network, each IPsec gateway usually requires a publicly routable IP address. Negotiation between the two IPsec peers occurs over the public Internet. With RFC 1918 addresses on t gateway and routable addresses on the outside of the gateway, tunnel mode allows the 1918 addresses Internet to your remote sites without modification. This is a typical site-to-site design and is shown in Fi

Figure 10-16. Typical RFC 1918 IPsec

[Figure 10-16 diagram: tunnel mode with PSK between two IPsec gateways; packet layout ending in an ESP trailer]

Because AH signs the entire packet (Figure 10-3), it is impossible to use with NAT. Because the outer IP signed, ESP (Figure 10-4) can be used with NAT but only in one-to-one translations.

One-to-one translation means an IPsec gateway has a statically defined routable address that is used oi and does not come from a common pool. In this scenario, and when using ESP, NAT can work between In Figure 10-16, if there were a NAT device (or two) between the IPsec gateways, the outer IP header c that NAT device and still allow IPsec to function properly. This works only if the IP address is not used in IKE authentication. This means you need digital certificates. Different vendors have workarounds for the translation requirement for ESP, and this is an area of active development in the IETF.
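The integrity-scope difference that the two paragraphs above describe can be shown with a small packet model. The following Python is an added example, not code from the book or from any vendor implementation: it builds a tunnel-mode packet once with an AH-style ICV (covering the outer IP header with only the mutable TTL and checksum fields zeroed) and once with an ESP-style ICV (covering only the ESP header, payload and trailer), then passes each through a normal router hop and through a one-to-one NAT that rewrites the outer source address. The key, SPIs, addresses and the ESP NULL-encryption choice (RFC 2410, so the inner packet stays readable) are constructed for the example; the `ike_id_accepted` function is a simplified model of why an address-type IKE identity fails behind NAT while a certificate DN does not, not any specific product's behaviour.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed integrity key for the example; real SAs derive per-direction keys via IKE.
AUTH_KEY = b"example-integrity-key"
AH, ESP, IPIP = 51, 50, 4          # IP protocol numbers: AH, ESP, IP-in-IP (tunnel mode)


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum (even-length input)."""
    s = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, ttl: int, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def icv(data: bytes) -> bytes:
    """HMAC-SHA256 truncated to 128 bits (the shape of AUTH_HMAC_SHA2_256_128)."""
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()[:16]


def zero_mutable(outer: bytes) -> bytes:
    """AH zeroes mutable fields (TTL, checksum) for the ICV; addresses stay covered."""
    return outer[:8] + b"\x00" + outer[9:10] + b"\x00\x00" + outer[12:]


def build_ah(src: str, dst: str, inner: bytes) -> bytes:
    outer = ipv4_header(src, dst, 64, AH, 20 + 12 + 16 + len(inner))
    # next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", IPIP, 5, 0, 0x1000, 1)
    tag = icv(zero_mutable(outer) + ah_fixed + bytes(16) + inner)
    return outer + ah_fixed + tag + inner


def verify_ah(pkt: bytes) -> bool:
    outer, ah_fixed, tag, inner = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    return hmac.compare_digest(tag, icv(zero_mutable(outer) + ah_fixed + bytes(16) + inner))


def build_esp(src: str, dst: str, inner: bytes) -> bytes:
    """ESP tunnel mode with NULL encryption; the ICV never covers the outer IP header."""
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(pad_len) + bytes([pad_len, IPIP])
    body = struct.pack("!II", 0x2000, 1) + inner + trailer      # SPI, seq, payload, trailer
    outer = ipv4_header(src, dst, 64, ESP, 20 + len(body) + 16)
    return outer + body + icv(body)


def verify_esp(pkt: bytes) -> bool:
    body, tag = pkt[20:-16], pkt[-16:]
    return hmac.compare_digest(tag, icv(body))


def forward_hop(pkt: bytes) -> bytes:
    """A router decrements TTL and recomputes the checksum: mutable fields only."""
    outer = bytearray(pkt[:20])
    outer[8] -= 1
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", ip_checksum(bytes(outer)))
    return bytes(outer) + pkt[20:]


def nat_source(pkt: bytes, new_src: str) -> bytes:
    """One-to-one NAT: rewrites the outer source address and fixes the checksum."""
    outer = bytearray(pkt[:20])
    outer[12:16] = ipaddress.IPv4Address(new_src).packed
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", ip_checksum(bytes(outer)))
    return bytes(outer) + pkt[20:]


def ike_id_accepted(id_type: str, id_value: str, expected: str, outer_src: str) -> bool:
    """Simplified model: an address-type identity is checked against the on-wire
    source, so NAT breaks it; a certificate DN is checked only against policy."""
    if id_type == "ID_IPV4_ADDR":
        return id_value == expected and id_value == outer_src
    return id_value == expected


def demo() -> dict:
    # Constructed inner (RFC 1918) packet and documentation-range outer addresses.
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 64, 17, 28) + b"app data"
    ah = build_ah("192.0.2.1", "198.51.100.1", inner)
    esp = build_esp("192.0.2.1", "198.51.100.1", inner)
    return {
        "ah_after_router": verify_ah(forward_hop(ah)),
        "ah_after_nat": verify_ah(nat_source(ah, "203.0.113.7")),
        "esp_after_nat": verify_esp(nat_source(esp, "203.0.113.7")),
        "ike_addr_id_after_nat": ike_id_accepted("ID_IPV4_ADDR", "192.0.2.1", "192.0.2.1", "203.0.113.7"),
        "ike_cert_id_after_nat": ike_id_accepted("ID_DER_ASN1_DN", "CN=gw1", "CN=gw1", "203.0.113.7"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'FAILS'}")
```

Running `demo()` shows AH surviving the router hop (TTL is mutable and excluded from the ICV) but failing after NAT (the source address is covered), ESP verifying after NAT because its ICV stops at the ESP header, and the address-type IKE identity failing where the certificate identity still matches. This models only the integrity scope and the identity check; it does not cover the one-to-one versus pool distinction, which matters because the peer address must stay stable for the life of the SA.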
