Subject: Re: IPsec and NAT?
To: Urban Boquist <firstname.lastname@example.org>
From: Markus A. Boeing <email@example.com>
Date: 06/08/2001 15:24:28
Unfortunately, I cannot be of great help with NetBSD specifics.
Regarding NAT/IPsec in general there are several "challenges" with that.
They relate to manipulation of header data structures (i.e. by NAT) and
calculation of "crypto checksums" (by IPsec). Cisco published a pretty good
article on NAT covering NAT/IPsec as well. Have a look at
http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html for more detail.
As a rule of thumb, NAT should occur before the box performs IPsec.
At 13:46 08.06.2001, Urban Boquist wrote:
>Hi network gurus,
>according to the IPsec FAQ on www.netbsd.org, the ipf/IPsec
>interaction was recently changed to allow them to work together (at
>least better than before). With the new method, ipfilter always looks
>at the wire format packets.
>Even though this allows some filtering it is my understanding that NAT
>will still not work with IPsec, since you are not allowed to change an
>outgoing packet after the IPsec processing. Or am I confused?
>There seems to be an "enc" interface in OpenBSD that allows you to
>look at the packets before/after the IPsec encapsulation. This seems
>to allow NAT. Is there a way to do something similar in NetBSD?
> -- Urban
>P.S. The reason I ask is that I have recently discovered the wonderful
>world of VMware. I now run Windows98 at the same time as NetBSD and it
>works like a charm (big thanks to Frank and others who helped!). I
>need NAT to allow Windows to see the outside world. And I need IPsec
>because of company policy... ;-)
Markus A. Boeing
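The two "challenges" Markus names (NAT rewriting header fields, IPsec computing a checksum over them) and his rule of thumb about ordering can be made concrete with a small simulation. The following Python is an added illustration, not code from the thread or from NetBSD/ipfilter; the addresses, the AH key and the single 20-byte TCP SYN are constructed sample values. It models an AH integrity check value the way RFC 2402/2404 compute it (mutable header fields zeroed, addresses covered, the AH header itself left out for brevity) and the RFC 793 TCP checksum with its pseudo-header, then runs each check once with NAT applied after IPsec and once with NAT applied before it. Encryption is omitted in the ESP case, since only the checksum arithmetic matters for the point.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample values for the demonstration (not from the original thread).
PRIVATE_SRC = "192.168.1.10"      # host behind the NAT
PUBLIC_SRC = "203.0.113.5"        # address the NAT substitutes on the way out
DST = "198.51.100.20"             # remote IPsec peer
AH_KEY = b"constructed-demo-key"  # hypothetical shared AH authentication key


def ipv4_header(src, dst, proto=51, payload_len=20):
    """Minimal 20-byte IPv4 header; header checksum left zero (AH zeroes it anyway)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )


def nat_rewrite_src(ip_hdr, new_src):
    """What a source NAT does to the cleartext outer header: overwrite the source address."""
    h = bytearray(ip_hdr)
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)


def ah_covered_bytes(ip_hdr):
    """RFC 2402: zero the mutable fields (TOS, flags/fragment offset, TTL, header checksum)
    before computing the ICV. The addresses are not mutable, so the ICV covers them."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(ip_hdr, payload):
    """HMAC-SHA1-96 style ICV (RFC 2404) over the immutable IP header fields plus the payload.
    Simplification: the AH header itself (normally covered too) is omitted."""
    return hmac.new(AH_KEY, ah_covered_bytes(ip_hdr) + payload, hashlib.sha1).digest()[:12]


def ah_receiver_accepts(order):
    """Does the AH receiver's ICV check pass for the given NAT/IPsec processing order?"""
    payload = b"\x00" * 20  # opaque upper-layer data; its content does not matter here
    hdr = ipv4_header(PRIVATE_SRC, DST)
    if order == "ipsec-then-nat":
        icv = ah_icv(hdr, payload)                  # sender authenticates the private address...
        on_wire = nat_rewrite_src(hdr, PUBLIC_SRC)  # ...then NAT rewrites it, so the ICV no longer matches
    elif order == "nat-then-ipsec":
        on_wire = nat_rewrite_src(hdr, PUBLIC_SRC)  # translate first...
        icv = ah_icv(on_wire, payload)              # ...then authenticate what is actually sent
    else:
        raise ValueError(order)
    return hmac.compare_digest(icv, ah_icv(on_wire, payload))


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src, dst, segment):
    """RFC 793 checksum: covers a pseudo-header (addresses, protocol, length) plus the segment."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    seg = bytearray(segment)
    seg[16:18] = b"\x00\x00"  # the checksum field is treated as zero while summing
    return (~_ones_complement_sum(pseudo + bytes(seg))) & 0xFFFF


def tcp_segment(src, dst):
    """20-byte TCP SYN whose checksum is valid for the given address pair."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 0x50, 0x02, 65535, 0, 0)
    csum = tcp_checksum(src, dst, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def esp_transport_tcp_ok(order):
    """ESP in transport mode encrypts the TCP header, so a NAT applied afterwards cannot patch the
    TCP checksum; the far end decrypts and validates it against the addresses it received."""
    if order == "ipsec-then-nat":
        seg = tcp_segment(PRIVATE_SRC, DST)  # checksum computed over the private address, then encrypted
        outer_src = PUBLIC_SRC               # NAT only reaches the cleartext outer header
    elif order == "nat-then-ipsec":
        seg = tcp_segment(PUBLIC_SRC, DST)   # checksum already reflects the translated address
        outer_src = PUBLIC_SRC
    else:
        raise ValueError(order)
    # Encryption/decryption omitted: it would hand back the same bytes, and only the arithmetic matters.
    return tcp_checksum(outer_src, DST, seg) == struct.unpack("!H", seg[16:18])[0]


if __name__ == "__main__":
    for order in ("ipsec-then-nat", "nat-then-ipsec"):
        print(order, "AH ok:", ah_receiver_accepts(order), "ESP/TCP ok:", esp_transport_tcp_ok(order))
```

Running it shows both checks failing in the "ipsec-then-nat" order and passing in "nat-then-ipsec", which is exactly why the translation has to happen before the packet reaches IPsec on the same box: once the ICV or the encrypted TCP checksum has been computed, nothing downstream may touch the addresses they were computed over.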