Subject: passing IPsec through ipnat
To: None <>
From: Steve Bellovin <>
List: netbsd-users
Date: 12/04/2001 20:54:01
I need to pass IPsec (tunnel mode) through a NetBSD-based NAT box.  
No, I don't like it, and yes, I understand all the other limitations 
of NAT and IPsec.  But with the service I have, I can't get more than 
one IP address.  

So -- is there any way to configure ipnat to pass all inbound IPsec packets
to go to a particular address?  "redir" seems to require a port number, 
which of course ESP packets don't have.  Some commercial NAT boxes do 
have the notion of a "default" inside address -- anything they don't 
recognize, they pass to that host.  And I already know that the rest of 
my (rather funky, non-NetBSD) IPsec stack will deal properly with this 
sort of NAT.

The machine is currently running 1.5R, but I'm happy to upgrade it to a 
more recent -current if that would help.  (There's been no reason to 
touch it for a long time -- it's been up for 200 days now.)

		--Steve Bellovin,
		Full text of "Firewalls" book now at