> I understand that ipsec cannot run behind nat.
>
> But could someone explain why this is necessarily so?
> NAT does not alter the dest address therefore the packet would
> end up in the right place.
> Then after decapsulation, ipsec could see that the inner
> packet was valid.
> For that matter, I cannot see why tunnels within tunnels could not
> work, like tarring together a bunch of tar files.
>
> Does anyone know if this restriction is FreeSWAN or the ipsec
> standard and if freeswan intends to amend this in the future?
There are different "flavors" of IPSec. The more commonly used ESP (protocol 50) is capable of being NAT'd or masqueraded. See the VPN-Masquerade-HOWTO, and the ip_masq_ipsec.o module. The ESP protocol encrypts and authenticates the data portion of the protocol 50 packet (the encrypted contents of your original packet), allowing modifications to the IP headers (like NAT or masquerading) to not break the protocol.

Then there is AH (protocol 51). This protocol cryptographically authenticates the entire packet, including the IP headers, so doing any NAT, masquerading, or other tampering with *ANY BYTE* in the packet will break the protocol.

Both protocols encrypt and "wrap" the entire original packet, so there is no effect on VPN communications regardless of the protocol you're using, or whether you're NAT'ing the ESP protocol or not. The original packets will come out exactly the same on the far end regardless.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
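The distinction Charles draws (which bytes AH and ESP authenticate, and why a NAT rewrite of the outer header breaks one but not the other) can be shown with a small simulation. This is an added example, not code from the thread, FreeS/WAN, or the LEAF project: it uses a simplified header model, HMAC-SHA256 in place of the real AH/ESP integrity algorithms, and leaves the ESP payload unencrypted so the protected region is easy to see. One detail beyond the post: real AH zeroes mutable header fields such as TTL before computing its ICV, which the simulation mirrors, so the TTL decrement a router performs is harmless while the address rewrite is fatal.

```python
"""Simulate the integrity coverage of AH (protocol 51) versus ESP (protocol 50)
and what a source-NAT rewrite of the outer IP header does to each.

Constructed example: simplified IP header, HMAC-SHA256 standing in for the
real ICV algorithm, no actual encryption of the ESP payload.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed shared key for the security association (not a real SA key).
KEY = b"constructed-demo-key-not-a-real-SA"

AH = 51
ESP = 50


@dataclass
class Packet:
    src: str          # outer IP source address
    dst: str          # outer IP destination address
    proto: int        # 50 = ESP, 51 = AH
    ttl: int          # mutable in transit; AH treats it as zero
    payload: bytes    # the wrapped original (inner) packet
    icv: bytes = b""  # integrity check value appended by the sender


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def ah_covered(pkt: Packet) -> bytes:
    # AH covers the outer header (src, dst, proto) plus the payload.
    # Mutable fields such as TTL are replaced by zero before hashing.
    return b"|".join([pkt.src.encode(), pkt.dst.encode(),
                      bytes([pkt.proto]), b"\x00", pkt.payload])


def esp_covered(pkt: Packet) -> bytes:
    # ESP covers only the ESP data (the wrapped original packet);
    # the outer IP header is outside the authenticated region.
    return pkt.payload


def _covered(pkt: Packet) -> bytes:
    return ah_covered(pkt) if pkt.proto == AH else esp_covered(pkt)


def protect(pkt: Packet) -> Packet:
    """Sender side: compute and attach the ICV."""
    return replace(pkt, icv=_mac(_covered(pkt)))


def verify(pkt: Packet) -> bool:
    """Receiver side: recompute the ICV over the covered bytes and compare."""
    return hmac.compare_digest(_mac(_covered(pkt)), pkt.icv)


def nat_rewrite_source(pkt: Packet, public_ip: str) -> Packet:
    """Source NAT on the gateway: swap the private source address for the
    public one and decrement TTL. The wrapped payload is never touched."""
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)


def demo() -> dict:
    # Constructed inner packet; in practice this is the full original IP datagram.
    inner = b"constructed inner packet 10.0.0.5 -> 10.1.0.7 data"
    esp = protect(Packet("192.168.1.10", "203.0.113.20", ESP, 64, inner))
    ah = protect(Packet("192.168.1.10", "203.0.113.20", AH, 64, inner))
    esp_nat = nat_rewrite_source(esp, "198.51.100.1")
    ah_nat = nat_rewrite_source(ah, "198.51.100.1")
    return {
        "esp_direct": verify(esp),
        "ah_direct": verify(ah),
        "esp_after_nat": verify(esp_nat),
        "ah_after_nat": verify(ah_nat),
        # The inner packet arrives byte-for-byte unchanged either way.
        "inner_unchanged": esp_nat.payload == inner and ah_nat.payload == inner,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

Running it shows both protocols verifying when no NAT is in the path, ESP still verifying after the outer source address is rewritten, and AH failing because the address it authenticated no longer matches. Separately from the integrity question, a masquerading gateway still has to map ESP flows without port numbers to work with, which is what the ip_masq_ipsec.o module mentioned above takes care of; later IPsec deployments solved the same problem with UDP encapsulation (NAT traversal).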