Brian Skrab brian at quynh-and-brian.org
Wed Apr 16 13:23:42 PDT 2003

It is my understanding that "standard" IPSec (tunnel mode or otherwise) will 
not survive a NAT traversal due to the packet header being re-written during 
the translation.  If your router supports IPSec, you may be able to create an 
IPSec tunnel between the external address of your router and Server A, 
assuming that the IPSec implementations on Router and Server A play nicely 
with one another.

If you're concerned about traffic between Computer A and your Router, you can 
configure an IPSec tunnel between them as well.

          [IPSec Tunnel]        [       IPSec Tunnel       ]
Computer A ============ (Router) ======= (INTERNET) ======= Server A

This setup assumes that your router is trustworthy, as traffic to/from 
Computer A will not be protected during NAT'ing.  This setup can be 
especially useful if Computer A lives on a wireless LAN.

If your IPSec tunnel _must_ traverse a NAT, you may want to look into an IEEE 
draft that proposes the encapsulation of IPSec ESP traffic within a standard 
UDP packet, which is transmitted to, and routed through an intelligent IKE 
daemon.  There is a patch to the Linux FreeS/WAN VPN 
(http://www.freeswan.org/) implementation that is reported to support the 
scenario that you describe.  I have not done any research into such a patch 
for FreeBSD as the scenario above has always suited my needs.  In addition to 
the FreeS/WAN documentation, this article gives a good overview of a proposed 
IPSec->NAT traversal solution, though it does not mention any specific 


Hope this helps.


On Wednesday 16 April 2003 10:00 am, Gavin Grabias wrote:
> Hi,
> I have a question regarding an IPSEC configuration.  I am not really sure
> how this would work, it almost seems in between tunnel, and transport
> mode.
> Network:
> Computer A -------------- (Router) -----------( INTERNET ) ------ Server A
> (  (   (                      (
> What I want to do is use IPSEC between Computer A and Server A.  I am just
> confused about how it would work given that I don't have 2 distinct LANs
> that I am trying to interconnect.  I doubt transport mode would work given
> the NAT taking place.  Can anyone give me any pointers?  Every example I
> see doesn't seem to attempt this.
> Thanks
> Gavin
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
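The reply above makes two points that are easy to model: a NAT rewrites the outer header, which breaks an integrity check that covers that header but not one that covers only the ESP payload, and wrapping ESP in UDP gives the translator a port it can map. The script below is an added illustration, not code from this thread, FreeS/WAN or FreeBSD; it uses a simplified packet model, a truncated HMAC in place of a real IPsec ICV, and constructed addresses. The UDP-encapsulation layout it assumes (port 4500, four-zero-byte non-ESP marker for IKE) is the one later standardized in RFC 3948, and the `classify` function shows how a monitor would tell AH, raw ESP, IKE and UDP-encapsulated ESP apart on the wire.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real SA derives its integrity keys from IKE.
KEY = b"constructed-demo-integrity-key"

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500   # UDP ports used by IKE and by UDP-encapsulated ESP
ICV_LEN = 12


def icv(data: bytes) -> bytes:
    """Truncated HMAC standing in for the IPsec integrity check value."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah(src, dst, payload):
    """AH authenticates the immutable IP header fields (the addresses) plus the payload."""
    tag = icv(src.encode() + dst.encode() + payload)
    return {"src": src, "dst": dst, "proto": IPPROTO_AH, "data": tag + payload}


def build_esp(src, dst, spi, payload, udp_encap=False):
    """ESP authenticates only its own header (SPI, sequence number) and payload."""
    esp = struct.pack("!II", spi, 1) + payload
    esp += icv(esp)
    if not udp_encap:
        return {"src": src, "dst": dst, "proto": IPPROTO_ESP, "data": esp}
    # UDP encapsulation: prepend a UDP header (sport, dport, length, checksum 0).
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0)
    return {"src": src, "dst": dst, "proto": IPPROTO_UDP, "data": udp + esp}


def nat_rewrite(pkt, public_ip, public_port):
    """What the translator does: rewrite the outer source address, and the UDP
    source port when there is one. It cannot touch anything inside ESP."""
    out = dict(pkt, src=public_ip)
    if pkt["proto"] == IPPROTO_UDP:
        out["data"] = struct.pack("!H", public_port) + pkt["data"][2:]
    return out


def classify(proto, data):
    """Label IPsec-related traffic the way a network monitor sees it on the wire."""
    if proto == IPPROTO_ESP:
        return "esp"
    if proto == IPPROTO_AH:
        return "ah"
    if proto == IPPROTO_UDP and len(data) >= 8:
        dport = struct.unpack("!H", data[2:4])[0]
        if dport == IKE_PORT:
            return "ike"
        if dport == NAT_T_PORT:
            # RFC 3948: IKE on port 4500 starts with a four-zero-byte non-ESP marker;
            # an ESP SPI is never zero, so the first four bytes disambiguate.
            return "ike-natt" if data[8:12] == b"\0\0\0\0" else "esp-udp"
    return "other"


def receive(pkt):
    """Peer side: strip UDP encapsulation if present and check the integrity tag."""
    label = classify(pkt["proto"], pkt["data"])
    if label == "ah":
        tag, body = pkt["data"][:ICV_LEN], pkt["data"][ICV_LEN:]
        expected = icv(pkt["src"].encode() + pkt["dst"].encode() + body)
        return label, hmac.compare_digest(tag, expected)
    if label == "esp":
        esp = pkt["data"]
    elif label == "esp-udp":
        esp = pkt["data"][8:]
    else:
        return label, False
    return label, hmac.compare_digest(esp[-ICV_LEN:], icv(esp[:-ICV_LEN]))


def run_demo():
    """Send AH, raw ESP and UDP-encapsulated ESP through the NAT; report what survives."""
    inside, public, server = "192.168.1.10", "203.0.113.5", "198.51.100.7"  # constructed
    payload = b"inner packet (constructed)"
    cases = {
        "ah": build_ah(inside, server, payload),
        "esp": build_esp(inside, server, 0x1234, payload),
        "esp-udp": build_esp(inside, server, 0x1234, payload, udp_encap=True),
    }
    results = {}
    for name, pkt in cases.items():
        label, ok = receive(nat_rewrite(pkt, public, 40001))
        # A port-based NAT can only keep a per-host mapping for flows that carry a port.
        results[name] = {"seen_as": label, "icv_ok": ok,
                         "nat_has_port_to_map": pkt["proto"] == IPPROTO_UDP}
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:8s} seen_as={r['seen_as']:8s} icv_ok={r['icv_ok']} "
              f"nat_has_port_to_map={r['nat_has_port_to_map']}")
```

Running it shows the AH packet failing its check after the source address is rewritten, the raw ESP packet passing its check but giving the NAT nothing to map, and the UDP-encapsulated ESP packet both passing and carrying a port the translator can track. The model leaves out the transport-mode inner TCP/UDP checksum problem and IKE's own handling of address changes; it only illustrates the header-rewriting point made in the reply.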
