Subject: Re: IPsec and NAT?
To: Urban Boquist <boquist@crt.se>
From: Markus A. Boeing <markus@boeing-online.de>
List: tech-net
Date: 06/08/2001 15:24:28
Hi Urban,

unfortunately I cannot be of great help with NetBSD specifics.

Regarding NAT/IPsec in general there are several "challenges" with that. 
They relate to manipulation of header data structures (i.e. by NAT) and 
calculation of "crypto checksums" (by IPsec). Cisco published a pretty good 
article on NAT covering NAT/IPsec as well. Have a look at 
http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html for more detail.

As a rule of thumb NAT should occur before the box performs IPsec 
encapsulation.

Later,
/Markus.

At 13:46 08.06.2001, Urban Boquist wrote:
>Hi network gurus,
>
>according to the IPsec FAQ on www.netbsd.org, the ipf/IPsec
>interaction was recently changed to allow them to work together (at
>least better than before). With the new method, ipfilter always looks
>at the wire format packets.
>
>Even though this allows some filtering it is my understanding that NAT
>will still not work with IPsec, since you are not allowed to change an
>outgoing packet after the IPsec processing. Or am I confused?
>
>There seems to be an "enc" interface in OpenBSD that allows you to
>look at the packets before/after the IPsec encapsulation. This seems
>to allow NAT. Is there a way to do something similar in NetBSD?
>
>Thanks,
>
>         -- Urban
>
>P.S. The reason I ask is that I have recently discovered the wonderful
>world of VMware. I now run Windows98 at the same time as NetBSD and it
>works like a charm (big thanks to Frank and others who helped!). I
>need NAT to allow Windows to see the outside world. And I need IPsec
>because of company policy... ;-)


+---
Markus A. Boeing
mailto://markus@boeing-online.de
http://www.boeing-online.de
+---
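An added illustration of the point Markus makes above (example code written for this archive page, not from the thread, NetBSD or Cisco): it models AH's integrity check value over an IPv4 header with the mutable fields zeroed, then shows that a NAT rewrite of the source address after IPsec processing fails verification at the receiver, while NAT before encapsulation still verifies even after routers decrement the TTL. The key, addresses and payload are constructed sample values, and the AH header itself is omitted for brevity.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

AH_KEY = b"constructed-sample-key"  # hypothetical SA key, not a real one

def build_ipv4_header(src, dst, ttl=64, proto=51):
    """Minimal 20-byte IPv4 header (proto 51 = AH); checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def ah_icv(ip_header, payload, key=AH_KEY):
    """AH-style ICV: HMAC over the IP header with mutable fields zeroed
    (TOS, flags/fragment offset, TTL, header checksum) plus the payload."""
    h = bytearray(ip_header)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return hmac.new(key, bytes(h) + payload, hashlib.sha256).digest()[:12]

def nat_rewrite_source(ip_header, new_src):
    """What a NAT box does: overwrite the source address (bytes 12..16)."""
    return ip_header[:12] + IPv4Address(new_src).packed + ip_header[16:]

def hop(ip_header):
    """What every router does: decrement TTL (byte 8), a mutable field."""
    return ip_header[:8] + bytes([ip_header[8] - 1]) + ip_header[9:]

def verify(icv, ip_header, payload):
    """Receiver side: recompute the ICV over the packet as it arrived."""
    return hmac.compare_digest(icv, ah_icv(ip_header, payload))

def ipsec_then_nat(private_src, dst, public_src, payload):
    """Wrong order: ICV computed over the private address, NAT rewrites later."""
    hdr = build_ipv4_header(private_src, dst)
    icv = ah_icv(hdr, payload)                      # AH on the host
    hdr = nat_rewrite_source(hop(hdr), public_src)  # NAT box on the path
    return verify(icv, hdr, payload)

def nat_then_ipsec(private_src, dst, public_src, payload):
    """The thread's rule of thumb: NAT first, AH over the already-NATed header."""
    hdr = build_ipv4_header(private_src, dst)
    hdr = nat_rewrite_source(hdr, public_src)       # NAT before encapsulation
    icv = ah_icv(hdr, payload)
    return verify(icv, hop(hdr), payload)           # routers may still touch TTL
```

Calling `ipsec_then_nat("10.0.0.2", "192.0.2.10", "198.51.100.1", b"data")` returns False and `nat_then_ipsec` with the same arguments returns True.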