Hi network gurus,

according to the IPsec FAQ on www.netbsd.org, the ipf/IPsec
interaction was recently changed to allow them to work together (at
least better than before). With the new method, ipfilter always looks
at the wire format packets.

Even though this allows some filtering it is my understanding that NAT
will still not work with IPsec, since you are not allowed to change an
outgoing packet after the IPsec processing. Or am I confused?

There seems to be an "enc" interface in OpenBSD that allows you to
look at the packets before/after the IPsec encapsulation. This seems
to allow NAT. Is there a way to do something similar in NetBSD?

Thanks,

        -- Urban

P.S. The reason I ask is that I have recently discovered the wonderful
world of VMware. I now run Windows98 at the same time as NetBSD and it
works like a charm (big thanks to Frank and others who helped!). I
need NAT to allow Windows to see the outside world. And I need IPsec
because of company policy... ;-)