Philip,
Given my limited knowledge I will give you what I think is a correct
answer.
IPsec depends upon the sending address for authentication. When a packet
is mangled by NAT this info is not available for ipsec to use. Thus you
cannot NAT the ipsec traffic. There is a way to port forward ipsec
traffic I believe, but I have no experience doing this. Hopefully someone
else knows more. (they can't know less :-)
Jason Massey
[EMAIL PROTECTED]
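A toy model of the point made above, added here and not part of the thread: an AH-style integrity value is computed over the immutable outer header fields (sender address included) with mutable fields zeroed, so a hop that only decrements TTL still verifies while a NAT that rewrites the source address does not. The packet layout, field set and key are assumptions for illustration, not the RFC 4302 wire format.

```python
# Added example (not from the thread): toy model of why an AH-style
# integrity check tolerates routing but not NAT. Simplified layout,
# field set and key are assumptions, not the real AH wire format.
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"  # shared key from a pretend security association


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int
    proto: int
    payload: bytes


def _immutable_bytes(pkt: Packet) -> bytes:
    # AH covers fields that do not change in transit (src, dst, protocol,
    # payload); mutable fields such as TTL are zeroed before the ICV is taken.
    return (ipaddress.IPv4Address(pkt.src).packed
            + ipaddress.IPv4Address(pkt.dst).packed
            + bytes([0, pkt.proto])  # TTL zeroed, protocol number included
            + pkt.payload)


def ah_icv(pkt: Packet, key: bytes = KEY) -> bytes:
    return hmac.new(key, _immutable_bytes(pkt), hashlib.sha256).digest()


def verify(pkt: Packet, icv: bytes, key: bytes = KEY) -> bool:
    return hmac.compare_digest(ah_icv(pkt, key), icv)


def route_hop(pkt: Packet) -> Packet:
    # A plain router only decrements TTL; the ICV still verifies.
    return replace(pkt, ttl=pkt.ttl - 1)


def nat(pkt: Packet, public_ip: str) -> Packet:
    # A NAT gateway rewrites the private source address; the ICV no longer matches.
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)


def demo() -> dict:
    original = Packet("192.168.1.10", "203.0.113.5", 64, 6, b"hello")  # constructed
    icv = ah_icv(original)  # computed by the sender before the packet leaves
    return {"routed": verify(route_hop(original), icv),
            "natted": verify(nat(original, "198.51.100.7"), icv)}


if __name__ == "__main__":
    print(demo())  # {'routed': True, 'natted': False}
```

ESP's integrity value does not cover the outer IP header, which is why UDP encapsulation of ESP (NAT traversal, RFC 3948) later made IPsec behind NAT workable.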
Sent by: [EMAIL PROTECTED]
04/18/2002 09:10 AM
To: [EMAIL PROTECTED]
cc:
Subject: [Leaf-user] ipsec and nat
I understand that ipsec cannot run behind nat.
But could someone explain why this is necessarily so?
Nat does not alter the dest address therefore the packet would
end up in the right place.
Then after deencapsulation, ipsec could see that the inner
packet was valid.
For that matter, I cannot see why tunnels within tunnels could not
work, like tarring together a bunch of tar files.
Does anyone know if this restriction is FreeSWAN or the ipsec
standard and if freeswan intends to amend this in the future?
Thanx
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user