Subject: Re: tunnelling and IPNAT (Or IPsec wishing)
To: David Brownlee <abs@netbsd.org>
From: Curt Sampson <cjs@cynic.net>
List: tech-net
Date: 05/08/2003 22:08:50
On Wed, 7 May 2003, David Brownlee wrote:
> [internal]------[ IPNAT ]--<Internet>--[ IPNAT ]------[internal]
> [ hostsA ]      [gatewayA]             [gatewayB]     [ hostsB ]
>
> I want to secure traffic between the two networks....
> If incoming IPsec was processed before IPNAT, and outgoing IPNAT
> before IPsec then it should be feasible, or (as is likely) am I
> missing something?
I don't see where NAT is involved at all. Just run IPSec in tunnel
mode between A and B (or use a GRE tunnel between A and B, and encrypt
communications between A and B with non-tunnel-mode IPSec) and you're set.
Just don't expect to be able to use IPFilter on any of the traffic
between the two hosts or networks.
cjs
--
Curt Sampson <cjs@cynic.net> +81 90 7737 2974 http://www.netbsd.org
Don't you know, in this new Dark Age, we're all light. --XTC
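A setkey(8) security-policy fragment for gateway A, added here as an illustration and not part of Curt's reply or the thread: the internal networks (10.1.0.0/16, 10.2.0.0/16) and the gateways' public addresses (203.0.113.1, 198.51.100.1) are constructed placeholders. The selectors match the internal addresses while the tunnel endpoints are the gateways' public addresses, so the protected traffic is the inner internal-to-internal traffic, carried between the two gateways.

```conf
# Security policy on gateway A (constructed example; not from the original thread).
# Placeholder addresses:
#   hostsA = 10.1.0.0/16  behind gateway A, public address 203.0.113.1
#   hostsB = 10.2.0.0/16  behind gateway B, public address 198.51.100.1
# Load with:  setkey -f /etc/ipsec.conf
spdflush;

# Outbound: traffic from hostsA to hostsB must go through an ESP tunnel
# from gateway A's public address to gateway B's public address.
spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require;

# Inbound: traffic from hostsB to hostsA must have arrived through the
# matching ESP tunnel; "require" rejects unprotected packets that match.
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require;
```

Gateway B carries the mirror-image policy; the ESP keys for the tunnel come either from manual `add` entries in the same file or from racoon(8) key negotiation.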