On Sunday, 10 June 2018 23:51:42 BST Grant Taylor wrote:
> On 06/10/2018 12:30 PM, Mick wrote:
> > If NAT'ed between guest and host and then NAT'ed again at the home
> > router, you are double NAT'ed.
> 
> Or possibly triple NATed if your ISP is using Carrier Grade NAT.
> 
> At least that's one definition of "double NAT".  I tend to use a
> different definition, one where you're NATing source and destination in
> a single device.  As opposed to doing a single NAT operation on multiple
> devices.
> 
> > As far as I know VPNs will not work through a double NAT situation,
> > unless you use your gateway or host as the VPN end point and then
> > setup port forwarding to the host from there.
> 
> I see no reason why SSL or SSH based VPNs wouldn't work perfectly fine
> through many layers of NAT.

You'll need a trusted gateway to do the unwrapping and then forwarding to the 
next hop (SSH forwarding).  If you attempt TCP-tunneling (TCP-over-TCP) you'll 
soon experience 'TCP meltdown' with upper and lower TCP layers' retransmission 
timeouts. 


> I also think that it should be possible to get IPSec VPNs to work
> through multiple layers of NAT.  You'd need to account for the AH issues
> or ESP without AH.

How will you be able to account for such a multi-NAT routing arrangement if 
(in tunnel rather than transport mode) the original entire IP datagram is 
encrypted and encapsulated?  You'll need to decrypt it, take the payload and 
read its IP header before you know where to forward it to.  On single NAT you 
encapsulate the IPSec into UDP (NAT-Traversal), but on a double NAT what will 
you do?  I've never heard of double/triple NAT-T without port forwarding ...


> Each layer of NAT makes VPNs more difficult, but not impossible.
> 
> Depending on the type of VPN, each layer of NAT may mean that you must
> be the only person using that type of VPN to avoid confusing the NAT /
> breaking all of that type of VPN.

Do you mean VPN within UDP within VPN?  You'll need intermediate VPN gateways 
for this.


> > Bridge the host to guest adaptors and you should be good to go (once
> > any other conventional VPN configuration problem is solved).  :-)
> 
> Hilco's issue was what is routed through the VPN, not a problem with
> establishing said VPN.

Quite, we've gone off-piste here.

-- 
Regards,
Mick
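
As an added example (not code from this thread or from any project named in it), here is a small Python classifier for the datagrams that IPsec NAT-Traversal puts on UDP port 4500: it separates IKE (behind the four-zero-byte non-ESP marker), UDP-encapsulated ESP and one-byte NAT keepalives using only their leading bytes, per RFC 3948, which is also all a NAT or firewall gets to see once ESP is wrapped in UDP instead of travelling as raw IP protocol 50 with no ports to rewrite. The sample datagrams are constructed, not captured traffic.

```python
"""Classify the UDP payload of port-4500 datagrams (IPsec NAT-T, RFC 3948).

Added example for the mailing-list discussion above; the packet samples at
the bottom are constructed for the demonstration, not real captures.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s.2.2: prefix of IKE on 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s.2.3: a single 0xFF byte
IKE_HEADER_FMT = "!QQBBBBII"           # RFC 7296 s.3.1: 28-byte IKE header


def classify_natt_payload(payload: bytes) -> dict:
    """Return a dict describing what kind of NAT-T datagram `payload` is."""
    if payload == NAT_KEEPALIVE:
        # Sent periodically so the NAT keeps the UDP mapping alive.
        return {"kind": "keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    if payload[:4] == NON_ESP_MARKER:
        # IKE: the marker is followed by the IKE header (initiator SPI,
        # responder SPI, next payload, version, exchange type, flags,
        # message id, total length).
        if len(payload) < 4 + struct.calcsize(IKE_HEADER_FMT):
            return {"kind": "malformed", "reason": "truncated IKE header"}
        ispi, rspi, _next, ver, xchg, _flags, msg_id, length = struct.unpack(
            IKE_HEADER_FMT, payload[4:32])
        return {"kind": "ike", "initiator_spi": ispi, "responder_spi": rspi,
                "major_version": ver >> 4, "exchange_type": xchg,
                "message_id": msg_id, "length": length}
    # Anything else is UDP-encapsulated ESP: a non-zero SPI, then the
    # sequence number, then ciphertext the NAT cannot (and need not) read.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq,
            "encrypted_len": len(payload) - 8}


# Constructed sample datagrams (UDP payload only).
SAMPLE_KEEPALIVE = NAT_KEEPALIVE
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 42) + b"\xaa" * 64
# IKEv2 IKE_SA_INIT request: next payload 33 (SA), version 2.0,
# exchange type 34, initiator flag set, message id 0, length 28.
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    IKE_HEADER_FMT, 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, 28)
```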
