----------
From: David Borman[SMTP:dab@BSDI.COM]
Sent: Friday, July 16, 1999 5:04 PM
To: otel@ce.chalmers.se; syang@redcreek.com
Cc: ipsec@lists.tislabs.com
Subject: RE: IP tunnel over a NAT (IP masq) possible ?
> From: Shih-Chin Yang <syang@redcreek.com>
> Subject: RE: IP tunnel over a NAT (IP masq) possible ?
> Date: Fri, 16 Jul 1999 14:23:04 -0700
> ...
> I am afraid that you would not be able to set up a tunnel from a client behind a
> NAT device. The problem is the source address of the tunneled packet would
> be changed by the NAT device, but when the client builds the authentication
> header, it takes the source address into account already. Thus, on the other
> end of the tunnel, the authentication would fail.
Or, at the other end of the tunnel, before processing the packet,
you use "UNNAT" to put back the original source IP address, if that
is possible... We're actually looking at doing this (using the IP filter
capability in BSD/OS), where we have a network behind a NAT box (a Pipeline),
and the encrypted tunnel endpoint is behind the NAT box. It won't be
pretty, but sometimes you don't have much choice. Sigh.
It seems to me this approach needs to assume that the mapping between the address given by the NAT and the real client address is fixed and known beforehand at the other tunnel endpoint. But it might work if you are the only client that is going to initiate a tunnel behind that NAT device.
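To make concrete why the NAT's source-address rewrite breaks AH verification, and why the "UNNAT" idea only works with a fixed, pre-shared mapping, here is an added illustration that is not from anyone in the thread. It uses a simplified AH-style HMAC over the two addresses and the payload (a full RFC 2402 header is not modelled), with a constructed key and RFC 5737 documentation addresses.

```python
import hmac
import hashlib
import ipaddress

# Constructed demo key; a real SA would carry a negotiated key.
KEY = b"demo-ah-key-constructed-for-illustration"

def ah_icv(src: str, dst: str, payload: bytes, key: bytes = KEY) -> bytes:
    """Simplified AH integrity check value (HMAC-SHA1-96 style).
    Real AH covers the whole IP header with mutable fields zeroed; here we
    keep only the two fields that matter for the NAT discussion, the
    source and destination addresses, which AH treats as immutable."""
    msg = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:12]

def build_packet(src: str, dst: str, payload: bytes) -> dict:
    """Client side: the ICV is computed over the client's real address."""
    return {"src": src, "dst": dst, "payload": payload, "icv": ah_icv(src, dst, payload)}

def nat_rewrite(pkt: dict, public_ip: str) -> dict:
    """What the NAT box does: swap the source address, leave the ICV alone."""
    out = dict(pkt)
    out["src"] = public_ip
    return out

def unnat(pkt: dict, mapping: dict) -> dict:
    """Tunnel endpoint pre-processing: restore the original source address
    from a fixed table of NAT address -> real client address."""
    out = dict(pkt)
    out["src"] = mapping.get(pkt["src"], pkt["src"])
    return out

def verify(pkt: dict, key: bytes = KEY) -> bool:
    """Receiver side: recompute the ICV over the addresses as seen."""
    expected = ah_icv(pkt["src"], pkt["dst"], pkt["payload"], key)
    return hmac.compare_digest(expected, pkt["icv"])

def demo() -> dict:
    client, nat_public, gateway = "10.0.0.5", "203.0.113.7", "198.51.100.1"
    pkt = build_packet(client, gateway, b"tunnelled data")
    on_wire = nat_rewrite(pkt, nat_public)
    return {
        "direct": verify(pkt),                                          # no NAT: ok
        "after_nat": verify(on_wire),                                   # rewritten src: fails
        "after_unnat": verify(unnat(on_wire, {nat_public: client})),    # correct mapping: ok
        "wrong_mapping": verify(unnat(on_wire, {nat_public: "10.0.0.6"})),  # stale table: fails
    }
```

The last case is the limitation raised above: if a second client behind the same NAT, or a changed mapping, does not match the table at the tunnel endpoint, UNNAT restores the wrong address and verification still fails.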