Subject: Re: IPsec and NAT?
To: Urban Boquist <>
From: Markus A. Boeing <>
List: tech-net
Date: 06/08/2001 15:24:28
Hi Urban,

Unfortunately I cannot be of great help with NetBSD specifics.

Regarding NAT/IPsec in general there are several "challenges" with that. 
They relate to manipulation of header data structures (i.e. by NAT) and 
calculation of "crypto checksums" (by IPsec). Cisco published a pretty good 
article on NAT covering NAT/IPsec as well. Have a look at for more detail.

As a rule of thumb, NAT should occur before the box performs IPsec 


At 13:46 08.06.2001, Urban Boquist wrote:
>Hi network gurus,
>according to the IPsec FAQ on, the ipf/IPsec
>interaction was recently changed to allow them to work together (at
>least better than before). With the new method, ipfilter always looks
>at the wire format packets.
>Even though this allows some filtering it is my understanding that NAT
>will still not work with IPsec, since you are not allowed to change an
>outgoing packet after the IPsec processing. Or am I confused?
>There seems to be an "enc" interface in OpenBSD that allows you to
>look at the packets before/after the IPsec encapsulation. This seems
>to allow NAT. Is there a way to do something similar in NetBSD?
>         -- Urban
>P.S. The reason I ask is that I have recently discovered the wonderful
>world of VMware. I now run Windows98 at the same time as NetBSD and it
>works like a charm (big thanks to Frank and others who helped!). I
>need NAT to allow Windows to see the outside world. And I need IPsec
>because of company policy... ;-)

Markus A. Boeing
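The header/checksum interaction Markus describes, shown as an added example (not code from either poster or from NetBSD): a Python model of an AH-style integrity check over a constructed IPv4 header. The key, addresses and payload are constructed sample values, and the set of "mutable" fields zeroed before hashing is a simplification of RFC 4302. It shows that a NAT rewrite applied after protection fails the peer's check, while NAT before IPsec (and an ordinary TTL decrement at a router) passes.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample values for the demo (not from the original thread).
AH_KEY = b"constructed-demo-integrity-key"
PAYLOAD = b"constructed UDP payload"
INSIDE_HOST = "192.168.1.10"   # private address behind the NAT box
NAT_ADDRESS = "198.51.100.1"   # NAT box's public address
REMOTE_PEER = "203.0.113.5"    # IPsec peer


def ip_checksum(data: bytes) -> int:
    """RFC 791 one's-complement checksum over a byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_header_checksum(hdr: bytearray) -> bytes:
    """Zero the checksum field, recompute it over the header, return bytes."""
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)


def build_ipv4(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header without options (DF set, id constructed)."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    return set_header_checksum(hdr)


def header_checksum_ok(hdr: bytes) -> bool:
    """A header with a correct checksum sums to zero."""
    return ip_checksum(hdr) == 0


def ah_icv(hdr: bytes, payload: bytes) -> bytes:
    """AH-style ICV: HMAC over header and payload with mutable fields zeroed.

    Simplified from RFC 4302: TOS, flags/fragment offset, TTL and the header
    checksum are zeroed before hashing; source and destination addresses are
    NOT, which is exactly why a NAT rewrite after protection is detected.
    (Real AH also covers its own header fields; omitted here for brevity.)
    """
    h = bytearray(hdr)
    h[1] = 0                # TOS / DSCP
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return hmac.new(AH_KEY, bytes(h) + payload, hashlib.sha256).digest()[:12]


def ah_verify(hdr: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(hdr, payload), icv)


def apply_nat(hdr: bytes, new_src: str) -> bytes:
    """Source NAT: rewrite the source address and fix the header checksum."""
    h = bytearray(hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return set_header_checksum(h)


def forward_hop(hdr: bytes) -> bytes:
    """What every router on the path does: decrement TTL, fix the checksum."""
    h = bytearray(hdr)
    h[8] -= 1
    return set_header_checksum(h)


def scenario(nat_before_ipsec: bool) -> bool:
    """Return whether the peer's integrity check passes for the given ordering."""
    hdr = build_ipv4(INSIDE_HOST, REMOTE_PEER, 17, len(PAYLOAD))
    if nat_before_ipsec:
        hdr = apply_nat(hdr, NAT_ADDRESS)   # translate, then protect
        icv = ah_icv(hdr, PAYLOAD)
    else:
        icv = ah_icv(hdr, PAYLOAD)          # protect, then translate
        hdr = apply_nat(hdr, NAT_ADDRESS)   # modifies a covered field
    hdr = forward_hop(hdr)                  # TTL change is tolerated either way
    return ah_verify(hdr, PAYLOAD, icv)


if __name__ == "__main__":
    print("NAT before IPsec, peer accepts:", scenario(nat_before_ipsec=True))
    print("NAT after IPsec, peer accepts: ", scenario(nat_before_ipsec=False))
```

The TTL decrement in `forward_hop` is included to show the contrast: AH deliberately excludes fields that legitimately change in transit, so hop-by-hop forwarding is fine, but the addresses NAT rewrites are covered, so the receiver cannot distinguish a NAT rewrite from tampering. ESP in tunnel mode is unaffected by outer-header NAT for the same reason in reverse (the inner packet is what is protected), which is another way of stating the "NAT before IPsec" rule of thumb.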