System Administration Guide: IP Services
Previous Next

Document Information

Preface

Part I TCP/IP Administration

1.  Solaris TCPIP Protocol Suite (Overview)

2.  Planning an IPv4 Addressing Scheme (Tasks

3.  Planning an IPv6 Addressing Scheme (Overview)

4.  Planning an IPv6 Network (Tasks)

5.  Configuring TCP/IP Network Services and IPv4 Addressing (Tasks)

6.  Administering Network Interfaces (Tasks)

7.  Enabling IPv6 on a Network (Tasks)

8.  Administering a TCP/IP Network (Tasks)

9.  Troubleshooting Network Problems (Tasks)

10.  TCP/IP and IPv4 in Depth (Reference)

11.  IPv6 in Depth (Reference)

Part II DHCP

12.  About Solaris DHCP (Overview)

13.  Planning for DHCP Service (Tasks)

14.  Configuring the DHCP Service (Tasks)

15.  Administering DHCP (Tasks)

16.  Configuring and Administering DHCP Clients

17.  Troubleshooting DHCP (Reference)

18.  DHCP Commands and Files (Reference)

Part III IP Security

19.  IP Security Architecture (Overview)

What's New in IPsec?

Introduction to IPsec

IPsec Packet Flow

IPsec Security Associations

IPsec Protection Mechanisms

IPsec Protection Policies

Transport and Tunnel Modes in IPsec

Virtual Private Networks and IPsec

IPsec and NAT Traversal

IPsec and SCTP

IPsec and Solaris Zones

IPsec Utilities and Files

Changes to IPsec for the Solaris 10 Release

20.  Configuring IPsec (Tasks)

21.  IP Security Architecture (Reference)

22.  Internet Key Exchange (Overview)

23.  Configuring IKE (Tasks)

24.  Internet Key Exchange (Reference)

25.  Solaris IP Filter (Overview)

26.  Solaris IP Filter (Tasks)

Part IV Mobile IP

27.  Mobile IP (Overview)

28.  Administering Mobile IP (Tasks)

29.  Mobile IP Files and Commands (Reference)

Part V IPMP

30.  Introducing IPMP (Overview)

31.  Administering IPMP (Tasks)

Part VI IP Quality of Service (IPQoS)

32.  Introducing IPQoS (Overview)

33.  Planning for an IPQoS-Enabled Network (Tasks)

34.  Creating the IPQoS Configuration File (Tasks)

35.  Starting and Maintaining IPQoS (Tasks)

36.  Using Flow Accounting and Statistics Gathering (Tasks)

37.  IPQoS in Detail (Reference)

Glossary

Index

IPsec and NAT Traversal

IKE can negotiate IPsec SAs across a NAT box. This ability enables systems to securely connect from a remote network, even when the systems are behind a NAT device. For example, employees who work from home, or who log on from a conference site can protect their traffic with IPsec.

NAT stands for network address translation. A NAT box is used to translate a private internal address into a unique Internet address. NATs are very common at public access points to the Internet, such as hotels. For a fuller discussion, see Using Solaris IP Filter's NAT Feature.

The ability to use IKE when a NAT box is between communicating systems is called NAT traversal, or NAT-T. In the Solaris 10 release, NAT-T has the following limitations:

  • NAT-T works on IPv4 networks only.

  • NAT-T cannot take advantage of the IPsec ESP acceleration provided by the Sun Crypto Accelerator 4000 board. However, IKE acceleration with the Sun Crypto Accelerator 4000 board works.

  • The AH protocol depends on an unchanging IP header, therefore AH cannot work with NAT-T. The ESP protocol is used with NAT-T.

  • The NAT box does not use special processing rules. A NAT box with special IPsec processing rules might interfere with the implementation of NAT-T.

  • NAT-T works only when the IKE initiator is the system behind the NAT box. An IKE responder cannot be behind a NAT box unless the box has been programmed to forward IKE packets to the appropriate individual system behind the box.

The following RFCs describe NAT functionality and the limits of NAT-T. Copies of the RFCs can be retrieved from http://www.rfc-editor.org.

  • RFC 3022, “Traditional IP Network Address Translator (Traditional NAT),” January 2001

  • RFC 3715, “IPsec-Network Address Translation (NAT) Compatibility Requirements,” March 2004

  • RFC 3947, “Negotiation of NAT-Traversal in the IKE,” January 2005

  • RFC 3948, “UDP Encapsulation of IPsec Packets,” January 2005

To use IPsec across a NAT, see Configuring IKE for Mobile Systems (Task Map).
Previous Next