VPN where local private addresses collide

Adam Vande More amvandemore at gmail.com
Tue Aug 20 06:33:09 UTC 2013

On Sun, Aug 18, 2013 at 7:17 AM, Terje Elde <terje at elde.net> wrote:

> On 18. aug. 2013, at 02.43, Adam Vande More wrote:
> > > What about SSL/TLS for example?  How would the router swap the header
> > > in an encrypted session?
> >
> > Same as it would any sessions since only the payload is encrypted.  What
> > Frank calls basic nat, most people call static nat (at least people who have
> > read enough Cisco docs) and it works just fine. Also you are confusing
> > headers.
>
> The point I was aiming for was that even if you were to swap the IPs in
> the IP-header on the gateway, some protocols still reference the IPs inside
> the TCP-payload,

Yes like IPSec as I mentioned.

> and while you can rewrite that on a NAT-box using an application level
> gateway, you can not do that if the session is using SSL or TLS.

Complete BS.

> I was referring to headers *inside* the SSL/TLS-layers.  I thought that
> was obvious, but I see I might not have been clear enough.

Not clear in the least.  Expanding on what is so difficult about it might do a
lot of us some good.

> Yes, you can often still resolve it on the server, but just how messy does
> one want to get stacking workaround on top of workaround,

Despite your protestations to the contrary, NAT and SIP work quite well
together in basic configurations including TLS and the OP's scenario.  I
can't explain your difficulties but perhaps when you aren't at a mobile
device you could answer a question in depth.

> The server would register that the phone is available at
> (locally, in lan_b), while the server would actually need to send to
> , in order to reach in lan_a.

> Exactly how this would behave depends on a lot of factors, but you'd
> quickly end up with a situation in which the phone *appears* to work, can
> register against the server and call out (both client-initiated), but where
> incoming calls just don't work (sent to in lan_b, rather than
> in lan_a).

Could you post your config to demonstrate what you are doing?

Adam Vande More
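As an added illustration of the point both posters are circling (not code from the thread or from either poster): a SIP phone writes its own address into the Via and Contact headers of the payload, a NAT box rewrites only the IP header, and a server can detect the disagreement by comparing the payload addresses with the socket's observed source. The REGISTER message, the addresses 192.168.1.20 and 203.0.113.7, and the function names are all constructed for this example; the "answer with the observed source when the Via carries rport" behaviour is RFC 3581, the rest is a generic server-side check of the kind the thread refers to as resolving it on the server.

```python
import re
from ipaddress import ip_address

# Constructed sample (not from the thread): a SIP REGISTER as a phone in
# lan_b would send it. The phone writes its own private address into the
# Via and Contact headers; a NAT box rewrites only the IP header, and when
# the session is carried over TLS it cannot touch these payload fields.
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.168.1.20:5061;branch=z9hG4bKconstructed;rport\r\n"
    "From: <sip:1001@pbx.example.test>;tag=constructed\r\n"
    "To: <sip:1001@pbx.example.test>\r\n"
    "Call-ID: constructed-call-id@192.168.1.20\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.168.1.20:5061;transport=tls>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# host[:port] out of a SIP URI such as <sip:user@host:port;params>
_URI_HOST = re.compile(r"sip:(?:[^@>\s]+@)?([^:;>\s]+)(?::(\d+))?")
# host[:port] out of a Via value such as SIP/2.0/TLS host:port;params
_VIA_HOST = re.compile(r"SIP/2\.0/\w+\s+([^:;\s]+)(?::(\d+))?")


def parse_headers(message):
    """Return the SIP headers of `message` as a lower-cased name -> value dict.

    Only the first occurrence of each header is kept, which is enough for a
    REGISTER carrying a single Via and a single Contact.
    """
    headers = {}
    for line in message.split("\r\n")[1:]:   # element 0 is the request line
        if line == "":
            break                            # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def _host_port(regex, value, default_port):
    match = regex.search(value)
    if match is None:
        return None
    host, port = match.group(1), match.group(2)
    return host, int(port) if port else default_port


def check_register(message, src_ip, src_port):
    """Compare the addresses a phone claims inside its SIP payload with the
    address the server actually received the request from.

    `src_ip`/`src_port` are what the server's socket reports, i.e. the
    post-NAT source. `binding` is where the server should send anything
    destined for the phone: the observed source when the payload disagrees
    with it (the server-side workaround), the Contact address otherwise.
    """
    headers = parse_headers(message)
    contact = _host_port(_URI_HOST, headers.get("contact", ""), 5060)
    via = _host_port(_VIA_HOST, headers.get("via", ""), 5060)
    if contact is None or via is None:
        raise ValueError("REGISTER is missing a Contact or Via header")

    mismatch = contact[0] != src_ip or via[0] != src_ip
    return {
        "contact": contact,
        "via": via,
        "observed": (src_ip, src_port),
        "contact_is_private": ip_address(contact[0]).is_private,
        "mismatch": mismatch,
        # With rport in the Via (RFC 3581) responses go back to the observed
        # source; using the same address for the registration binding is what
        # keeps incoming calls from being sent to the stale payload address.
        "binding": (src_ip, src_port) if mismatch else contact,
    }


if __name__ == "__main__":
    # Phone behind NAT: the packet arrives from a public address but the
    # payload still says 192.168.1.20. Calls sent to the Contact would go to
    # whatever holds 192.168.1.20 on the server's side of the tunnel, not to
    # the phone that registered.
    print("behind NAT:", check_register(SAMPLE_REGISTER, "203.0.113.7", 40001))
    # Same phone reached directly: payload and source agree, Contact is usable.
    print("no NAT    :", check_register(SAMPLE_REGISTER, "192.168.1.20", 5061))
```

The mismatch flag is what a server logs when a registration arrives from an address other than the one in its Contact; when it is set and the Contact is also a private address, a call routed to the Contact will land in the wrong LAN exactly as described above, so the binding has to follow the observed source instead.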
