Subject: Re: ipsec after nat
To: None <itojun@iijlab.net>
From: Mipam <mipam@ibb.net>
List: tech-net
Date: 01/12/2001 16:54:48
On Fri, 12 Jan 2001 itojun@iijlab.net wrote:

> 	ipsec and nat are inherently unfriendly so i don't think there's
> 	any good/generic solution.  

Yes, NAT breaks IPsec, so therefore I wondered whether or not it was
possible to do IPsec after NATting has been done.

More like this:

intern network A <-> bordermachine A <---> bordermachine B <-> intern nw B
Between the two border machines is the internet of course.
On each border machine perhaps it would be possible to
1) nat the packet
2) apply ipsec
This when the border machine receives a packet from the internal network.
When a border machine receives traffic arriving from the outside, then the
reverse of course. But I guess that isn't possible, right?

>       some wants to NAT inside header
> 	(your case - don't know why), some wants to avoid NAT for inside
> 	header if it is subject to ESP tunnel (so that .

Perhaps when NATting is really needed because there are too few routable
IPs assigned, it's better to separate into more border machines, one which
does NAT, and one which does IPsec which stands at the very border of the
network in case of VPN.
And even that solution isn't too nice; IPv6 can't invade soon enough I
guess, then this won't be needed anymore.
(assuming that there'll never be IP depletion in IPv6)
Bye,

Mipam.
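An added illustration of the ordering question raised above (this is example code, not part of the thread): a Python model of an AH-style integrity check that, like AH, covers the source address. The key, addresses and packet contents are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

# Constructed key for the demo; a real SA would get this from IKE.
DEMO_KEY = b"constructed-demo-key"

@dataclass(frozen=True)
class Packet:
    """Minimal model of an IP packet carrying an AH-style ICV."""
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""

def compute_icv(pkt: Packet) -> bytes:
    """AH-style ICV: HMAC over the immutable header fields and the payload.
    Like AH, it covers the source and destination addresses."""
    covered = (ipaddress.ip_address(pkt.src).packed
               + ipaddress.ip_address(pkt.dst).packed
               + pkt.payload)
    return hmac.new(DEMO_KEY, covered, hashlib.sha256).digest()[:12]

def apply_ipsec(pkt: Packet) -> Packet:
    """Sending border machine: attach the ICV (the 'apply ipsec' step)."""
    return replace(pkt, icv=compute_icv(pkt))

def nat(pkt: Packet, public_src: str) -> Packet:
    """Source NAT: rewrite the private source address to the public one."""
    return replace(pkt, src=public_src)

def peer_verifies(pkt: Packet) -> bool:
    """Receiving border machine: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(pkt.icv, compute_icv(pkt))

def nat_then_ipsec(pkt: Packet, public_src: str) -> bool:
    """Order proposed in the mail: NAT first, then IPsec. The ICV is computed
    over the already-rewritten header, so the peer accepts the packet."""
    return peer_verifies(apply_ipsec(nat(pkt, public_src)))

def ipsec_then_nat(pkt: Packet, public_src: str) -> bool:
    """Reverse order: NAT rewrites a field the ICV already covers, so the
    peer rejects the packet (this is the sense in which NAT breaks IPsec)."""
    return peer_verifies(nat(apply_ipsec(pkt), public_src))

# Constructed sample packet from intern network A, headed for intern network B.
SAMPLE = Packet(src="10.0.0.5", dst="192.0.2.10", payload=b"hello B")
PUBLIC_A = "198.51.100.1"
```

For ESP in tunnel mode the failure looks different (the inner header is encrypted, so it cannot be rewritten afterwards), but the ordering argument is the same: NAT has to happen before the IPsec transform is applied.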