Subject: Re: ipsec after nat
To: Mipam <mipam@ibb.net>
From: None <itojun@iijlab.net>
List: tech-net
Date: 01/13/2001 00:59:34
>> 	ipsec and nat are inherently unfriendly so i don't think there's
>> 	any good/generic solution.  
>Yes, nat breaks ipsec, so therefore I wondered whether or not it was
>possible to do ipsec after natting has been done.
>More like this:
>intern network A <-> bordermachine A <---> bordermachine B <-> intern nw B
>Between the two border machines is the internet of course.
>On each border machine perhaps it would be possible to
>1) nat the packet
>2) apply ipsec
>This when the border machine receives a packet from the internal network.
>When a border machine receives traffic arriving from the outside, then
>reverse of course. But I guess that ain't possible right?

	if in the above "intern network A" and "intern network B" are separate
	private address clouds (like different companies), you have no way
	to identify your peer in the first place.
	(if you configure static NAT table, then why do you bother running
	NAT?  just assign global addresses to them!)

	if A and B are in the same private address cloud (like same company,
	remote branch) you do not want NAT to take place.

itojun
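The two cases itojun distinguishes (separate private clouds vs. one company's cloud), modelled as an added example that is not code from this thread. It simulates a border machine that does step 1 (NAT, here a static table) and then step 2 (an IPsec SPD lookup on the post-NAT selectors). The Gateway class, its method names, the "gwB" peer label and the SPD/NAT layout are assumptions of the model; the addresses come from the RFC 5737 documentation ranges.

```python
"""Model of a border machine doing NAT first, then IPsec policy lookup.

Added illustration for the thread above, not code from it. The Gateway
class, the SPD/NAT representation and the peer names are assumptions.
"""
import ipaddress


class Gateway:
    """Border machine with a static NAT table and an address-selector SPD."""

    def __init__(self, name, local_net, global_addr):
        self.name = name
        self.local_net = ipaddress.ip_network(local_net)
        self.global_addr = ipaddress.ip_address(global_addr)
        self.nat = {}   # inner private address -> global address (static 1:1)
        self.spd = []   # (src selector, dst selector, peer gateway label)

    def add_policy(self, src_net, dst_net, peer):
        self.spd.append((ipaddress.ip_network(src_net),
                         ipaddress.ip_network(dst_net), peer))

    def add_static_nat(self, inner, outer):
        self.nat[ipaddress.ip_address(inner)] = ipaddress.ip_address(outer)

    def outbound(self, src, dst):
        """Packet arriving from the internal side: 1) NAT, 2) apply ipsec."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # step 1: NAT. Hosts without a static mapping keep their address.
        src = self.nat.get(src, src)
        # A destination inside our own address cloud is delivered locally:
        # nothing identifies a remote peer, so no tunnel can be selected.
        if dst in self.local_net:
            return {"action": "local", "src": str(src), "dst": str(dst)}
        # step 2: SPD lookup on the post-NAT selectors; tunnel mode wraps the
        # (already translated) inner packet in an outer header from our global.
        for s_sel, d_sel, peer in self.spd:
            if src in s_sel and dst in d_sel:
                return {"action": "tunnel", "peer": peer,
                        "inner_src": str(src), "inner_dst": str(dst),
                        "outer_src": str(self.global_addr)}
        return {"action": "bypass", "src": str(src), "dst": str(dst)}


def same_company():
    """Same private cloud, non-overlapping branches, no NAT: tunnel works."""
    gw_a = Gateway("A", "10.1.0.0/16", "192.0.2.1")
    gw_a.add_policy("10.1.0.0/16", "10.2.0.0/16", "gwB")
    return gw_a.outbound("10.1.0.5", "10.2.0.9")


def separate_companies_overlap():
    """Two companies both using 10.0.0.0/8: the peer cannot be identified."""
    gw_a = Gateway("A", "10.0.0.0/8", "192.0.2.1")
    gw_a.add_policy("10.0.0.0/8", "10.0.0.0/8", "gwB")
    # 10.0.0.5 exists in B as well, but it looks like our own host
    return gw_a.outbound("10.0.0.5", "10.0.0.5")


def separate_companies_static_nat():
    """Static NAT before ipsec: selectors become global-to-global, so the
    hosts are in effect addressed by global addresses on both sides."""
    gw_a = Gateway("A", "10.0.0.0/8", "192.0.2.1")
    gw_a.add_static_nat("10.0.0.5", "198.51.100.5")       # A's host -> global
    gw_a.add_policy("198.51.100.0/24", "203.0.113.0/24", "gwB")
    # B's host must likewise be reached by its own global (NATed) address
    return gw_a.outbound("10.0.0.5", "203.0.113.7")


if __name__ == "__main__":
    print(same_company())
    print(separate_companies_overlap())
    print(separate_companies_static_nat())
```

The middle case is the one itojun calls out: with overlapping private clouds the destination address alone matches the local network, so the gateway has no way to pick a peer. The last case shows why a static NAT table answers nothing: once every inner host needs a fixed global address on both sides, the SPD selectors are global-to-global and the hosts may as well have been numbered globally.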