
RE: IP tunnel over a NAT (IP masq) possible ?



> From: Shih-Chin Yang <syang@redcreek.com>
> Subject: RE: IP tunnel over a NAT (IP masq) possible ?
> Date: Fri, 16 Jul 1999 14:23:04 -0700
> ...
> I am afraid that you would not be able to set up a tunnel from a client behind a
> NAT device. The problem is the source address of the tunneled packet would
> be changed by the NAT device, but when the client builds the authentication
> header, it takes the source address into account already. Thus, on the other
> end of the tunnel, the authentication would fail.

Or, at the other end of the tunnel, before processing the packet,
you use "UNNAT" to put back the original source IP address, if that
is possible...  We're actually looking at doing this (using the IP filter
capability in BSD/OS), where we have a network behind a NAT box (a Pipeline),
and the encrypted tunnel endpoint is behind the NAT box.  It won't be
pretty, but sometimes you don't have much choice.  Sigh.

			-David Borman, dab@bsdi.com
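
The failure and the "UNNAT" workaround discussed in this thread, as an added example that is not part of either message: a simplified model of the AH integrity check (HMAC-SHA1-96 over the IPv4 header with mutable fields zeroed, plus the payload; a real AH ICV also covers the AH header itself). The key, the addresses, the function names and the assumption that the receiver knows the original source address are all constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread

def ipv4_header(src, dst, payload_len, ttl=64, proto=51):
    """Build a 20-byte IPv4 header; proto 51 is AH. Checksum is left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    """Zero the fields AH treats as mutable in transit:
    TOS, flags/fragment offset, TTL and header checksum."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def icv(hdr, payload):
    """Truncated HMAC over the immutable header fields and the payload.
    Source and destination addresses are immutable, so they are covered."""
    return hmac.new(KEY, zero_mutable(hdr) + payload, hashlib.sha1).digest()[:12]

def verify(hdr, payload, tag):
    return hmac.compare_digest(icv(hdr, payload), tag)

def rewrite_src(hdr, new_src):
    """What a NAT box does to the source (or what "UNNAT" undoes)."""
    h = bytearray(hdr)
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)

def demo():
    payload = b"tunneled data"
    sent = ipv4_header("10.0.0.5", "192.0.2.10", len(payload))
    tag = icv(sent, payload)                       # built by the client
    hop = bytearray(sent); hop[8] -= 1             # a router decrements TTL
    ttl_ok = verify(bytes(hop), payload, tag)      # mutable field: still valid
    natted = rewrite_src(bytes(hop), "198.51.100.7")
    nat_ok = verify(natted, payload, tag)          # source changed: fails
    restored = rewrite_src(natted, "10.0.0.5")     # receiver restores source
    restored_ok = verify(restored, payload, tag)   # valid again
    return ttl_ok, nat_ok, restored_ok

if __name__ == "__main__":
    print(demo())
```

The restore step only works when the receiving side can map the translated address back to the one the client used, for example with a static one-to-one mapping.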