Hi! Florian:
I am afraid that you would not be able to set up a tunnel from a client behind a NAT device. The problem is that the source address of the tunneled packet would be changed by the NAT device, but when the client builds the authentication header, it takes the source address into account already. Thus, on the other end of the tunnel, the authentication would fail.
One possibility to solve your requirement is using a NAT device which would also originate a tunnel for you. So when it builds the authentication header, it takes the mapped source address/port already. But even this approach might not work on every application that you might have. You could find out more on the IETF NAT and IPsec working groups' home pages.
So far, I am in the context of an IPsec tunnel. If you find something that would work for you, maybe another flavor of tunnel, please let me know.
Regards,
Shih-Chin
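A toy model of the failure Shih-Chin describes, added here as an illustration and not code from either correspondent: the AH integrity check value (ICV) is an HMAC over the IP header (mutable fields zeroed) plus payload, so when a NAT rewrites the source address and cannot recompute the ICV, verification on the far end fails. The key, addresses and payload are constructed sample values; the AH header fields themselves are omitted for brevity.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample key; a real SA would carry negotiated key material.
KEY = b"constructed-shared-key"
AH_PROTO = 51  # IP protocol number for the Authentication Header

def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Build a minimal IPv4 header as AH sees it for the ICV: mutable
    fields (TOS, flags/fragment offset, TTL, checksum) are set to zero."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0,
                       0, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(src: str, dst: str, payload: bytes, key: bytes = KEY) -> bytes:
    """HMAC-SHA1-96: SHA1 HMAC truncated to 96 bits (12 bytes)."""
    hdr = ipv4_header(src, dst, AH_PROTO, 20 + len(payload))
    return hmac.new(key, hdr + payload, hashlib.sha1).digest()[:12]

def build_ah_packet(src: str, dst: str, payload: bytes) -> dict:
    """Client side: compute the ICV over the addresses it knows about."""
    return {"src": src, "dst": dst, "payload": payload,
            "icv": ah_icv(src, dst, payload)}

def nat_rewrite_src(pkt: dict, public_ip: str) -> dict:
    """One-to-many NAT: the source address is replaced, but the NAT has
    no key, so the ICV travels on unchanged."""
    return {**pkt, "src": public_ip}

def verify_ah(pkt: dict, key: bytes = KEY) -> bool:
    """Server side: recompute the ICV from the header actually received."""
    expected = ah_icv(pkt["src"], pkt["dst"], pkt["payload"], key)
    return hmac.compare_digest(expected, pkt["icv"])

if __name__ == "__main__":
    pkt = build_ah_packet("10.0.0.5", "192.0.2.10", b"constructed payload")
    print("direct delivery verifies:", verify_ah(pkt))
    print("after NAT rewrite verifies:", verify_ah(nat_rewrite_src(pkt, "203.0.113.7")))
```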
----------
From: Otel Florian-Daniel[SMTP:otel@ce.chalmers.se]
Reply To: otel@ce.chalmers.se
Sent: Friday, July 16, 1999 2:29 PM
To: linux-ipsec@clinet.fi; ipsec@lists.tislabs.com; firewall-wizards@nfr.net
Subject: IP tunnel over a NAT (IP masq) possible ?
Hello everybody,
I have the following problem: I have a machine behind a NAT performing
one-to-many address translation (inside: Net 10. outside: only one IP
addr). What I would like to do is to set up an IP tunnel from one of the
inside machines (the "client") to a remote machine (i.e. beyond the NAT)
(the "server"), such that after the tunnel setup the inside machine
appears to be virtually attached to the remote net.
Requirements:
-As it is implied, I don't have administrative control over the NAT
(otherwise e.g. I could simply attach the client beyond it and use
`ordinary` IP tunneling)
-The tunnel is encrypted (overhead issues irrelevant for the time being)
-The tunnel is set on-demand, in a client-server fashion (e.g. tunneling
over a TCP connection).
-The operating system: Linux
Any ideas and suggestions are welcomed.
Many thanks,
Florian
P.S: Maybe these were not the most appropriate forums to ask in. If
that is the case, apologies in advance. Any hint in this respect will
be appreciated.