Subject: Re: ipsec and ipnat.
To: Reinoud <Reinoud.Koornstra@ibb.net>
From: Greg A. Woods <woods@weird.com>
List: tech-net
Date: 07/30/2000 17:33:58
[ On Sunday, July 30, 2000 at 13:23:45 (-0700), Jason R Thorpe wrote: ]
> Subject: Re: ipsec and ipnat.
>
> NAT and IPsec are fundamentally incompatible.  You cannot use them
> together.

Just to clarify -- you cannot use IPsec and IP-NAT on the same packets.

However, you can easily use both mechanisms simultaneously on the same
host provided that you understand what you're doing.  :-)

We've just recently been designing and building some new VPN gateways
for a corporate network that are based on NetBSD.  We use IPsec to
create a mesh of secure routes between offices, we use IP Filter to
further secure the gateways themselves, and we use IP NAT for both
capturing web traffic and pointing it at a squid cache, as well as to
allow certain very select TCP connections through from the LAN to the
big bad Internet.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
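
Added example, not part of the original message: a small check for the "not on the same packets" rule, which flags NAT rules whose source/destination ranges overlap an IPsec tunnel selector and computes the destinations a NAT rule can still safely cover. The rule names, addresses and the (source, destination) rule model are constructed assumptions; it does not parse real ipnat or IPsec policy syntax.

```python
import ipaddress
from itertools import product

# Constructed sample policy (private and documentation address ranges).
IPSEC_SELECTORS = [  # (local net, remote net) carried inside IPsec tunnels
    ("10.1.0.0/16", "10.2.0.0/16"),
    ("10.1.0.0/16", "10.3.0.0/16"),
]
NAT_RULES = [  # (hypothetical rule name, source net, destination net)
    ("squid-redirect", "10.1.0.0/16", "0.0.0.0/0"),
    ("select-tcp-out", "10.1.5.0/24", "192.0.2.0/24"),
]

def net(s):
    return ipaddress.ip_network(s)

def conflicts(selectors, nat_rules):
    """Return (nat_name, selector) pairs where one packet could match both."""
    found = []
    for (name, nsrc, ndst), (local, remote) in product(nat_rules, selectors):
        if net(nsrc).overlaps(net(local)) and net(ndst).overlaps(net(remote)):
            found.append((name, (local, remote)))
    return found

def nat_safe_destinations(nat_dst, selectors):
    """Split nat_dst into networks that exclude every tunnel remote net."""
    remaining = [net(nat_dst)]
    for _, remote in selectors:
        r = net(remote)
        kept = []
        for n in remaining:
            if not n.overlaps(r):
                kept.append(n)                     # untouched by this tunnel
            elif r.subnet_of(n) and r != n:
                kept.extend(n.address_exclude(r))  # carve the tunnel range out
            # otherwise n lies wholly inside the tunnel range: drop it
        remaining = kept
    return sorted(remaining)

if __name__ == "__main__":
    for name, sel in conflicts(IPSEC_SELECTORS, NAT_RULES):
        print(f"{name}: would translate packets for tunnel {sel[0]} -> {sel[1]}")
    for n in nat_safe_destinations("0.0.0.0/0", IPSEC_SELECTORS):
        print("NAT may cover destination", n)
```
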