If a network employs NAT and IPsec, which combination is likely to cause connectivity problems?

Enhance your knowledge as a Computer Hacking Forensic Investigator with the CHFI v11 Test. Use flashcards and multiple-choice questions, complete with hints and detailed explanations, to prepare effectively and ace your exam!

Multiple Choice

If a network employs NAT and IPsec, which combination is likely to cause connectivity problems?

Explanation:
NAT can break IPsec because NAT rewrites the IP header and, in some cases, the port numbers as packets cross the network, while IPsec relies on those headers being unaltered to verify and secure the communication. Specifically, AH protects the IP header, so any modification by NAT causes the integrity check to fail and the packet to be dropped. ESP encrypts the payload, but the outer tunnel IP header is still rewritten by NAT, which can prevent the tunnel from being established correctly. NAT traversal (NAT-T) solves this by encapsulating IPsec in UDP, so NAT devices modify only the UDP ports without breaking IPsec's integrity protection, which is why NAT without NAT-T tends to produce connectivity problems. The other options aren't generally true in practice: IPsec can work behind packet filters if the necessary protocols and ports are allowed, and stateful firewalls can cooperate with IPsec as long as they're configured properly.