On Monday 29 April 2002 9:50 pm, Harald Welte wrote:
> On Mon, Apr 29, 2002 at 02:59:53PM -0400, Eric B Kiser wrote:
> > Let me pose this question anew...
> >
> > Are there any required modifications, other than just /not/ restricting
> > the required ports, to be able to pass IPsec traffic when using your
> > Linux system as a router and performing NAT.
From my experience of using IPsec with Netfilter + NAT, you can do tunnel mode IPsec, but you can't do transport mode IPsec.

Basically, in tunnel mode IPsec, the entire packet from source to destination is encrypted and encapsulated inside a new packet (which can be NATted if you want), therefore so long as the original inner packet gets to the other end, it can be decrypted and dealt with.

However, in transport mode, the checksum covers the source / destination addresses, and the packet is not encapsulated inside a new one, so any NAT process which changes the source or destination addresses will break the checksum (unless you do some *very* clever and tricky fiddling around at both ends to make the NAT invisible to IPsec).

In my experience, the trick to getting tunnel-mode IPsec to work through NAT is to tell each machine its own genuine IP address, and to tell it the routable address of the other end (even if that gets NATted somewhere along the line), so that each knows who itself is, and knows the address to reach the other end at.

Hope this helps,

Antony.
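The checksum argument in Antony's reply can be made concrete with a small model. The Python below is an added example, not code from the mailing list thread or from the Netfilter project; the addresses, ports and payload are constructed, and packets are plain dicts rather than real IP datagrams. It computes the RFC 793 TCP checksum over the pseudo-header (which includes source and destination addresses) and then shows three cases: ordinary NAT, which rewrites the address and fixes the checksum; transport-mode IPsec, where NAT can still rewrite the cleartext IP header but cannot touch the protected TCP header, so the receiver's checksum check fails; and tunnel-mode IPsec, where the whole inner packet is opaque payload, NAT changes only the outer header, and the inner packet verifies unchanged after decapsulation.

```python
"""Why NAT breaks transport-mode IPsec but not tunnel-mode IPsec (model).

Added example: addresses, ports and payload are constructed; packets are
dicts, and IPsec protection is modelled simply as "NAT cannot modify the
bytes inside the protected region".
"""
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071: 16-bit ones' complement of the ones' complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum over the RFC 793 pseudo-header (src, dst, 0, proto, len) + segment."""
    pseudo = (IPv4Address(src).packed + IPv4Address(dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return ones_complement_checksum(pseudo + segment)


def recompute_checksum(src: str, dst: str, segment: bytes) -> bytes:
    """Zero the checksum field (bytes 16-17), recompute it for the given addresses."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    csum = tcp_checksum(src, dst, zeroed)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def build_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (SYN, seq 1, window 8192) + payload, checksum filled in."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    return recompute_checksum(src, dst, header + payload)


def verify_segment(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side check: sum over pseudo-header + segment (checksum included) must be 0."""
    return tcp_checksum(src, dst, segment) == 0


def verify_packet(pkt: dict) -> bool:
    return verify_segment(pkt["src"], pkt["dst"], pkt["tcp"])


def plain_nat(pkt: dict, nat_src: str) -> dict:
    """Ordinary SNAT: rewrite the source address AND fix up the TCP checksum."""
    return {"src": nat_src, "dst": pkt["dst"],
            "tcp": recompute_checksum(nat_src, pkt["dst"], pkt["tcp"])}


def transport_mode_nat(pkt: dict, nat_src: str) -> dict:
    """NAT on a transport-mode IPsec packet: the outer IP header is cleartext, so the
    address is rewritten, but the TCP header sits inside ESP/AH and cannot be patched."""
    return {"src": nat_src, "dst": pkt["dst"], "tcp": pkt["tcp"]}   # checksum left stale


def tunnel_mode_nat(pkt: dict, gw_src: str, gw_dst: str, nat_src: str) -> dict:
    """Tunnel mode: the whole inner packet is opaque payload of an outer packet between the
    IPsec endpoints; NAT rewrites only the outer source; the far end decapsulates."""
    inner = IPv4Address(pkt["src"]).packed + IPv4Address(pkt["dst"]).packed + pkt["tcp"]
    outer = {"src": gw_src, "dst": gw_dst, "payload": inner}       # encapsulate
    outer = {"src": nat_src, "dst": outer["dst"], "payload": outer["payload"]}  # NAT
    body = outer["payload"]                                          # decapsulate
    return {"src": str(IPv4Address(body[:4])), "dst": str(IPv4Address(body[4:8])),
            "tcp": body[8:]}


# Constructed sample: a host behind NAT talking to a public peer (all addresses made up).
INNER_SRC, PEER, NAT_PUBLIC = "192.168.1.10", "203.0.113.5", "198.51.100.7"
ORIGINAL = {"src": INNER_SRC, "dst": PEER,
            "tcp": build_segment(INNER_SRC, PEER, 40000, 22, b"hello")}


def results() -> dict:
    """Does the receiver's TCP checksum check pass in each scenario?"""
    return {
        "original": verify_packet(ORIGINAL),
        "plain_nat": verify_packet(plain_nat(ORIGINAL, NAT_PUBLIC)),
        "transport_mode_nat": verify_packet(transport_mode_nat(ORIGINAL, NAT_PUBLIC)),
        # each endpoint uses its own genuine address; only the outer header gets NATted
        "tunnel_mode_nat": verify_packet(tunnel_mode_nat(ORIGINAL, INNER_SRC, PEER, NAT_PUBLIC)),
    }


if __name__ == "__main__":
    for name, ok in results().items():
        print(f"{name:20s} checksum {'OK' if ok else 'BROKEN'}")
```

The transport-mode case fails for exactly the reason given in the reply: the pseudo-header the receiver uses contains the address the NAT box substituted, while the checksum inside the protected TCP header was computed over the original one. With AH the mismatch is detected even earlier, since the outer IP header itself is authenticated. Tunnel mode sidesteps the problem because the inner addresses never change, which is why the advice to give each endpoint its own genuine address and the peer's routable address works.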
