> On Jun 16, 2015, at 4:44 PM, Paul Wouters <[email protected]> wrote:
> 
> On Tue, 16 Jun 2015, Yoav Nir wrote:
> 
>> Transport mode works fine behind NAT devices. For example, L2TP clients 
>> connect to VPN gateways using transport mode and they work behind NAT 
>> devices.
>> 
>> It is AH that cannot work behind NAT.
> 
> It's a lot more complicated. Since transport mode crypto binds to
> the outer IP address, you will end up with multiple clients using
> the same remote IP on their security policy. E.g. multiple clients can
> have 192.168.1.1. Now you have to keep track of these (Linux: SAref or
> conntrack) and you still cannot initiate a new connection to a specific
> remote endpoint from the server without additional hacking to ensure
> you are going to the right 192.168.1.1 client.
> 
> When using tunnel mode, you can give each connecting client their own IP
> address to avoid all conflicts.

If you’re using transport mode, you never get to see 192.168.1.1 - that’s 
converted by the NAT device to its own external IP address.  But it’s true that 
you have to be stateful about flows to be able to return the right packet to 
the right source. 

Which is why VPNs need tunnels (either IPsec or GRE or L2TP, but preferably 
IPsec)
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
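The two points made in this exchange, that transport-mode policy selectors collapse onto the NAT's outer address while tunnel mode gives each client a distinct inner address, and that the gateway must therefore keep per-flow state (SAref/conntrack) to return replies over the right SA, can be modelled in a few lines. The following Python is an added example for this thread, not code from the thread, from the IETF, or from any IPsec implementation; the SA records, the NAT address 203.0.113.5, the 10.10.0.0/24 pool, the ports and the SPIs are all constructed.

```python
"""Why transport mode behind NAT needs per-flow state, and tunnel mode does not.

Added example for this thread; it is not code from the thread or from any IPsec
stack. All addresses, ports and SPIs below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SA:
    name: str
    mode: str                        # "transport" or "tunnel"
    peer_ip: str                     # outer address the gateway sees after NAT
    peer_port: int                   # UDP port after NAT-traversal encapsulation
    spi: int                         # SPI the gateway assigned for inbound traffic
    inner_ip: Optional[str] = None   # tunnel mode only: address given to the client


NAT_PUBLIC = "203.0.113.5"   # constructed: public side of one NAT device

# Two transport-mode clients and two tunnel-mode clients behind the same NAT.
SAD: List[SA] = [
    SA("alice", "transport", NAT_PUBLIC, 4500, 0x1001),
    SA("bob", "transport", NAT_PUBLIC, 40001, 0x1002),
    SA("carol", "tunnel", NAT_PUBLIC, 40002, 0x1003, inner_ip="10.10.0.1"),
    SA("dave", "tunnel", NAT_PUBLIC, 40003, 0x1004, inner_ip="10.10.0.2"),
]


def policy_candidates(sad: List[SA], dst_ip: str) -> List[SA]:
    """SAs whose policy selector matches an outbound packet to dst_ip.

    Transport-mode selectors are the outer address, which every client behind
    the same NAT shares; tunnel-mode selectors are the per-client inner address,
    so initiating a connection to one specific client is only well-defined there.
    """
    return [sa for sa in sad
            if (sa.mode == "transport" and sa.peer_ip == dst_ip)
            or (sa.mode == "tunnel" and sa.inner_ip == dst_ip)]


FlowKey = Tuple[str, int, str]   # (address seen by the server, source port, protocol)


class FlowTable:
    """Per-flow state a gateway must keep to return replies over the right SA.

    Records which SA each inbound flow arrived on, keyed by the addressing the
    server's own stack sees. This mirrors what SAref or conntrack must track.
    """

    def __init__(self) -> None:
        self._flows: Dict[FlowKey, SA] = {}

    def inbound(self, sa: SA, src_port: int, proto: str) -> bool:
        """Record a decrypted inbound packet. Returns False when the flow is
        ambiguous, i.e. the same key already belongs to a different SA."""
        # In transport mode the address visible to the server is the NAT's public
        # address; in tunnel mode it is the client's assigned inner address.
        visible_src = sa.peer_ip if sa.mode == "transport" else sa.inner_ip
        key: FlowKey = (visible_src, src_port, proto)
        existing = self._flows.get(key)
        if existing is not None and existing != sa:
            return False
        self._flows[key] = sa
        return True

    def reply_sa(self, dst_ip: str, dst_port: int, proto: str) -> Optional[SA]:
        """Pick the SA for a reply to (dst_ip, dst_port, proto) from recorded state."""
        return self._flows.get((dst_ip, dst_port, proto))


def demo() -> dict:
    """Run the scenarios discussed in the thread and return the observations."""
    transport_matches = [sa.name for sa in policy_candidates(SAD, NAT_PUBLIC)]
    tunnel_matches = [sa.name for sa in policy_candidates(SAD, "10.10.0.1")]

    flows = FlowTable()
    # alice and bob, behind the same NAT, both open TCP connections from source
    # port 51000. The NAT only rewrites the outer UDP port; the inner TCP header
    # is inside ESP, so the ports the server sees collide.
    alice_ok = flows.inbound(SAD[0], 51000, "tcp")
    bob_ok = flows.inbound(SAD[1], 51000, "tcp")
    # carol and dave do the same in tunnel mode; their inner addresses differ.
    carol_ok = flows.inbound(SAD[2], 51000, "tcp")
    dave_ok = flows.inbound(SAD[3], 51000, "tcp")
    reply = flows.reply_sa("10.10.0.2", 51000, "tcp")
    return {
        "transport_policy_matches": transport_matches,
        "tunnel_policy_matches": tunnel_matches,
        "transport_flows_unambiguous": alice_ok and bob_ok,
        "tunnel_flows_unambiguous": carol_ok and dave_ok,
        "reply_to_dave_via": reply.name if reply else None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The flow table keys on what the server's own IP stack sees, which is the thread's point: in transport mode that is the NAT's outer address for every client behind it, so the gateway can only disambiguate by remembering which SA a flow arrived on (and even that breaks when two clients pick the same inner source port), whereas in tunnel mode the assigned inner address keeps every client's flows distinct without extra state.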