> PS. The above is based on operational experience for IPv4 over UDP/IPv4
> to enable IPsec tunnels on top of that.
>
> => and can IPsec work with such a (broken) NAT?
IPsec doesn't run directly over it. There are two layers of
tunneling:
1. Create fixed public IP address for the machine behind the NAT box
by tunneling IPv4 over UDP/IPv4.
2. Just run regular IPsec tunnel mode on top of the above.
Apart from the tunnel overhead (IPv4 UDP IPv4 IPv4 ESP IPv4 ...)
it appears to be working fine.
But I've only used this heavily for a few weeks so I don't yet understand
how often there have to be packets from behind the NAT to make sure
that tunnel #1 gets the updated UDP port numbers.
Erik
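The open question in the message above, how often the client must send so that the public end of tunnel #1 keeps a usable UDP port, can be made concrete with a small model. The following is an added example, not code from the thread or from any tunnel implementation: a constructed port-translating NAT that drops idle UDP mappings, a public tunnel endpoint that addresses return traffic to whatever source port it last saw, and a simulation that counts how many endpoint-to-client packets the NAT discards for a given keepalive interval. The timeout value, addresses and ports are all constructed for the example.

```python
"""
Constructed model (added example, not from the thread) of tunnel #1:
a client behind a port-translating NAT sends UDP to a public tunnel endpoint,
the NAT forgets idle mappings, and the endpoint only knows the client's
current public port from the last packet it received.
"""
from dataclasses import dataclass, field


@dataclass
class Nat:
    """UDP NAT with one mapping per private (ip, port). The mapping is
    refreshed only by outbound packets and dropped after idle_timeout
    seconds without one (a common NAT behaviour, assumed here)."""
    idle_timeout: int
    public_ip: str = "203.0.113.1"        # constructed, TEST-NET-3 range
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # priv -> [pub_port, last_outbound]

    def _expire(self, now):
        stale = [k for k, v in self.mappings.items() if now - v[1] > self.idle_timeout]
        for k in stale:
            del self.mappings[k]

    def outbound(self, priv_src, now):
        """Client -> Internet: allocate or refresh the mapping, return public (ip, port)."""
        self._expire(now)
        entry = self.mappings.get(priv_src)
        if entry is None:
            entry = [self.next_port, now]   # new or expired: a *different* public port
            self.next_port += 1
            self.mappings[priv_src] = entry
        entry[1] = now
        return (self.public_ip, entry[0])

    def inbound(self, pub_port, now):
        """Internet -> client: deliver only if a live mapping owns pub_port."""
        self._expire(now)
        for priv, (port, _) in self.mappings.items():
            if port == pub_port:
                return priv
        return None


@dataclass
class TunnelEndpoint:
    """Public side of tunnel #1: remembers the source (ip, port) of the most
    recent packet from the client and sends all return traffic there."""
    peer: tuple = None
    ports_seen: list = field(default_factory=list)   # public ports learned over time

    def receive(self, src):
        if src != self.peer:
            self.ports_seen.append(src[1])
        self.peer = src


def simulate(idle_timeout, keepalive_interval, duration=60):
    """Client sends one packet every keepalive_interval seconds; the public
    endpoint sends one packet per second to the last address it learned.
    Returns (delivered, dropped, public ports the endpoint learned)."""
    nat = Nat(idle_timeout)
    endpoint = TunnelEndpoint()
    client = ("10.0.0.2", 4500)          # constructed private address
    delivered = dropped = 0
    for now in range(duration + 1):
        if now % keepalive_interval == 0:
            endpoint.receive(nat.outbound(client, now))
        if endpoint.peer and nat.inbound(endpoint.peer[1], now) == client:
            delivered += 1
        else:
            dropped += 1
    return delivered, dropped, endpoint.ports_seen


if __name__ == "__main__":
    # Keepalive shorter than the NAT idle timeout: nothing is lost, one port.
    print("20 s keepalive, 30 s timeout:", simulate(30, 20))
    # Keepalive longer than the timeout: return traffic is dropped until the
    # next client packet creates a new mapping on a new public port, which
    # the endpoint must then learn.
    print("45 s keepalive, 30 s timeout:", simulate(30, 45))
```

With a 30 s idle timeout, a 20 s keepalive keeps a single mapping alive for the whole run, while a 45 s keepalive loses every endpoint-to-client packet between expiry and the next client packet, after which the endpoint has to pick up the new port. The interval therefore has to sit below the shortest NAT timeout on the path, and the tunnel endpoint has to accept a port change from a packet it already trusts (in the layered design above, that trust comes from the IPsec tunnel inside, not from the outer UDP header).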
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------