IPSec VPN & NATD (problem with alias_address vs redirect_address)

Stephen J. Bevan stephen at dino.dnsalias.com
Fri Nov 21 22:36:45 PST 2003


Crist J. Clark writes:
 > Two different ESP end points behind many-to-one NAT connected to a
 > single ESP end point on the other side of the NAT? I'd be very curious
 > to get the documentation on how they are cheating to get that to work.

A cheat is to use the sequence number in the ESP header to match up the
SPI on the inbound packet with the SPI on the outbound packet.  This
only works if the NAT box doesn't have multiple ESP connections all
starting at the same time (otherwise there would obviously be no way
to tell which outbound SPI a packet with ESP sequence number 1 should
match).  A workaround for that is to have the NAT box delay the IKE
negotiation for one connection if another one has not completed and
resulted in traffic being sent.  It all has a bit of a bad smell to it
but then NAT isn't exactly sweet smelling either.
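A toy model of the sequence-number cheat and its failure mode, added here as an example; it is not code from the post or from any real NAT implementation, and it assumes only the fixed ESP header layout (SPI followed by sequence number) and constructed inside-host addresses.

```python
import struct

ESP_HDR = struct.Struct("!II")  # fixed ESP header: 32-bit SPI, then 32-bit sequence number


def esp_packet(spi: int, seq: int, payload: bytes = b"") -> bytes:
    """Build a constructed ESP header for the examples (no real encryption)."""
    return ESP_HDR.pack(spi, seq) + payload


class EspNat:
    """Toy many-to-one NAT that pairs an inbound SPI with an outbound SA by sequence number.

    hold_concurrent=True models the workaround from the post: a second inside host's
    new SA is held back until the first one has learned its inbound SPI.
    """

    def __init__(self, hold_concurrent: bool = False) -> None:
        self.hold_concurrent = hold_concurrent
        self.out_spi = {}   # outbound SPI -> inside host (seen on the way out)
        self.in_spi = {}    # inbound SPI  -> inside host (learned on the way in)
        self.pending = {}   # outbound SPI -> inside host whose inbound SPI is still unknown

    def outbound(self, host: str, pkt: bytes) -> bool:
        """Return True if the packet may be forwarded, False if it must be held/dropped."""
        spi, seq = ESP_HDR.unpack_from(pkt)
        if spi in self.out_spi:
            return True                      # established SA, nothing to learn
        if seq != 1:
            return False                     # never saw this SA start; drop
        if self.hold_concurrent and self.pending:
            return False                     # workaround: only one new SA in flight
        self.out_spi[spi] = host
        self.pending[spi] = host
        return True

    def inbound(self, pkt: bytes):
        """Return the inside host to forward to, or None to drop."""
        spi, seq = ESP_HDR.unpack_from(pkt)
        if spi in self.in_spi:
            return self.in_spi[spi]
        if seq != 1:
            return None                      # unknown SPI that is not a first packet
        candidates = set(self.pending.values())
        if len(candidates) != 1:
            return None                      # nothing waiting, or ambiguous (several waiting)
        host = candidates.pop()
        self.in_spi[spi] = host
        self.pending = {s: h for s, h in self.pending.items() if h != host}
        return host
```

With two inside hosts starting SAs at the same time, the first inbound packet with sequence number 1 is ambiguous and is dropped; with `hold_concurrent=True` the second host's start is held until the first pairing completes.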

