Subject: passing IPsec through ipnat
To: None <netbsd-users@netbsd.org>
From: Steve Bellovin <smb@research.att.com>
List: netbsd-users
Date: 12/04/2001 20:54:01

I need to pass IPsec (tunnel mode) through a NetBSD-based NAT box.
No, I don't like it, and yes, I understand all the other limitations
of NAT and IPsec. But with the service I have, I can't get more than
one IP address.

So -- is there any way to configure ipnat to pass all inbound IPsec packets
to go to a particular address? "redir" seems to require a port number,
which of course ESP packets don't have. Some commercial NAT boxes do
have the notion of a "default" inside address -- anything they don't
recognize, they pass to that host. And I already know that the rest of
my (rather funky, non-NetBSD) IPsec stack will deal properly with this
sort of NAT.

The machine is currently running 1.5R, but I'm happy to upgrade it to a
more recent -current if that would help. (There's been no reason to
touch it for a long time -- it's been up for 200 days now.)

--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
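The following is an added example, not part of the original post and not ipnat's own syntax: a small Python model of the inbound NAT decision the message contrasts. It parses constructed IPv4 packets, shows why a port-keyed redirection rule can never match ESP (IP protocol 50 carries an SPI, not ports), and then shows the two alternatives the post mentions: a protocol-level rule, or a "default inside address". The default host is restricted to an explicit protocol set so that it does not silently receive every unsolicited inbound packet; all addresses, rules and packets are constructed for the example.

```python
# Added example (not from the original post): models port-based vs protocol-level
# inbound redirection on a single-address NAT box. Everything here is constructed.
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Set

# IP protocol numbers (IANA registry)
TCP, UDP, ESP, AH = 6, 17, 50, 51


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int]   # None for protocols that carry no port numbers
    spi: Optional[int]     # ESP/AH Security Parameter Index, else None


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def udp_packet(src: str, dst: str, sport: int, dport: int) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8, 0)   # ports, length, checksum
    return build_ipv4(UDP, src, dst, udp)


def esp_packet(src: str, dst: str, spi: int, seq: int = 1) -> bytes:
    # ESP header is SPI + sequence number; what follows is ciphertext (constructed)
    esp = struct.pack("!II", spi, seq) + b"\x00" * 8
    return build_ipv4(ESP, src, dst, esp)


def parse_ipv4(raw: bytes) -> Packet:
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    body = raw[ihl:]
    if proto in (TCP, UDP):
        _sport, dport = struct.unpack("!HH", body[:4])
        return Packet(proto, src, dst, dport, None)
    if proto in (ESP, AH):
        # ESP: SPI at offset 0; AH: SPI at offset 4 (after next-header/len/reserved)
        off = 0 if proto == ESP else 4
        (spi,) = struct.unpack("!I", body[off:off + 4])
        return Packet(proto, src, dst, None, spi)
    return Packet(proto, src, dst, None, None)


@dataclass
class Rdr:
    proto: int
    dport: Optional[int]   # None: match every packet of this protocol
    inside: str            # inside host to forward to


def inbound_target(pkt: Packet, rules: List[Rdr],
                   default_inside: Optional[str] = None,
                   default_protos: Set[int] = frozenset()) -> Optional[str]:
    """Return the inside host for an inbound packet, or None (no translation)."""
    for r in rules:
        if r.proto == pkt.proto and (r.dport is None or r.dport == pkt.dport):
            return r.inside
    # "default inside address": only for protocols explicitly allowed, so the
    # fallback host is not exposed to every unsolicited inbound packet
    if default_inside is not None and pkt.proto in default_protos:
        return default_inside
    return None


def run_scenarios() -> dict:
    gw = "198.51.100.7"   # the single public address (constructed)
    peer = "203.0.113.5"  # remote IPsec peer (constructed)
    port_rules = [Rdr(TCP, 22, "192.168.1.10"), Rdr(UDP, 500, "192.168.1.20")]
    esp = parse_ipv4(esp_packet(peer, gw, 0x12345678))
    ike = parse_ipv4(udp_packet(peer, gw, 500, 500))
    stray = parse_ipv4(udp_packet(peer, gw, 40000, 9999))
    return {
        "port_only_esp": inbound_target(esp, port_rules),             # None
        "ike": inbound_target(ike, port_rules),                       # 192.168.1.20
        "proto_rule_esp": inbound_target(
            esp, port_rules + [Rdr(ESP, None, "192.168.1.20")]),     # 192.168.1.20
        "default_esp": inbound_target(esp, port_rules, "192.168.1.20", {ESP, AH}),
        "default_stray": inbound_target(stray, port_rules, "192.168.1.20", {ESP, AH}),
    }


if __name__ == "__main__":
    for name, target in run_scenarios().items():
        print(f"{name:16s} -> {target}")
```

The `default_stray` case is the check worth keeping in mind for a real deployment: a catch-all inside host turns one machine into the recipient of all unsolicited inbound traffic, whereas a fallback limited to ESP and AH forwards only the IPsec packets the port-based rules cannot express.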