Subject: Re: racoon (ipsec) and NAT
To: None <itojun@iijlab.net>
From: Pierre Bourgin <pierre.bourgin@pcotech.fr>
List: tech-net
Date: 07/04/2002 16:34:21
On Thu, 4 Jul 2002 itojun@iijlab.net wrote:

 > >- is it possible to establish an esp-tunnel with a NAT in-between the 2
 > >  sides of the esp-tunnel ?
 > 
 > 	no.  it's impossible.  there are internet drafts available for it,
 > 	but there's no plan for us to support it (it's too wacky and success/
 > 	failure depends on the behavior of the NAT product you are using)

Thanks for this answer.

My explanations were not understandable enough, I think. I don't have
a "random" NAT system in-between the two tunnel sides: the NAT system has a
reserved (fixed) IP address to do the mapping between this internal IP
address and the public one, and does nothing else with this "reserved"
address.

So this situation is really like "I've got two fixed public IP addresses
and I want to create a tunnel between them", the only thing is that there is
a (fixed) NAT translation on one of the addresses. In a way, it looks like a
man-in-the-middle attack!

The only thing (in my mind) that could happen is that this situation is
disturbing the IKE protocol implemented by racoon, because the
"visible" IP address and the real internal one are not the same for one
side of the tunnel.

Do these explanations change your answer, or am I really a beginner who'd
better return to IP school :( ?

(of course the second solution is true anyway !)

Regards, 

Pierre Bourgin
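A small Python model, added here and not part of the thread or of racoon, of the two points Pierre raises: ESP tunnel packets pass a static one-to-one NAT untouched because the ESP integrity check never covers the outer IP header, while an IKEv1 main-mode responder that ties the pre-shared key and the initiator's address identity to the packet source sees the real and the "visible" address disagree. The addresses, the key and the responder's identity check are constructed assumptions for illustration, not racoon's own logic.

```python
import hashlib
import hmac
import struct

# Constructed sample values (RFC 5737 documentation ranges); none come from the thread.
INNER = "10.0.0.2"        # real, internal address of the gateway behind the NAT
VISIBLE = "198.51.100.2"  # fixed public address the static NAT maps INNER to
PEER = "203.0.113.1"      # the other tunnel endpoint, directly on a public address
SA_KEY = b"constructed-esp-integrity-key"  # stand-in for the negotiated SA key


def esp_packet(src, dst, spi, seq, payload):
    # The ESP ICV covers only the ESP header and payload (SPI, sequence number,
    # encapsulated data), never the outer IP header, so it is computed over "esp"
    # alone. Truncated to 96 bits as HMAC-SHA1-96 does.
    esp = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(SA_KEY, esp, hashlib.sha1).digest()[:12]
    return {"src": src, "dst": dst, "proto": 50, "esp": esp, "icv": icv}


def static_nat(pkt, inside, outside):
    # One-to-one (static) NAT as described in the thread: rewrites only the outer
    # source address; protocol 50 and the ESP body are left untouched.
    out = dict(pkt)
    if out["src"] == inside:
        out["src"] = outside
    return out


def esp_icv_ok(pkt):
    # Receiver-side integrity check: recompute the ICV over the ESP body only.
    expect = hmac.new(SA_KEY, pkt["esp"], hashlib.sha1).digest()[:12]
    return hmac.compare_digest(expect, pkt["icv"])


def ike_id_consistent(src_addr, id_ipv4):
    # Model (assumption) of an IKEv1 main-mode responder that selects the
    # pre-shared key by packet source and expects the initiator's ID_IPV4_ADDR
    # to name that same address. The initiator only knows its real address.
    return src_addr == id_ipv4


def run_model():
    # ESP tunnel traffic: the NAT rewrite does not disturb the ICV.
    pkt = static_nat(esp_packet(INNER, PEER, 0x1000, 1, b"inner-ip"), INNER, VISIBLE)
    # IKE phase 1: identity payload carries INNER, but the peer sees VISIBLE as source.
    ike_src = static_nat({"src": INNER, "dst": PEER, "proto": 17}, INNER, VISIBLE)["src"]
    return {
        "esp_source_seen_by_peer": pkt["src"],
        "esp_icv_ok": esp_icv_ok(pkt),
        "ike_id_consistent": ike_id_consistent(ike_src, INNER),
    }


if __name__ == "__main__":
    print(run_model())
```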