Subject: Re: racoon (ipsec) and NAT
To: None <>
From: Perry E. Metzger <>
List: tech-net
Date: 07/04/2002 18:41:07

writes:
> 	unfortunately, even with the above setup it doesn't work.  it is just
> 	impossible for IPsec to work with NAT, *by nature*.  for instance,
> 	NAT needs to rewrite packet content for FTP and other traffic,
> 	however IPsec ESP is designed to make it impossible to look at the
> 	content by encryption.

The easy way to do IPSec via a NAT is to use v6 addresses at both ends
and tunnel v6. Simple, clean, practical, and it even works with most
OSes including Windows.

Perry E. Metzger
"Ask not what your country can force other people to do for you..."