[Openswan dev] Re: [Users] routing problem with NAT?
Michael Richardson
mcr at sandelman.ottawa.on.ca
Sat Apr 3 10:34:08 CEST 2004
>>>>> "Nate" == Nate Carlson <natecars at natecarlson.com> writes:
>> Correct, I use this patch. kernel 2.4.25
>>
>> Mar 15 23:21:34 moulinsart pluto[22523]: including NAT-Traversal
>> patch (Version 0.6b)
>>
>> Ok, so what is the objective of NAT-T patch ?
Nate> AFAIK, it's to allow roadwarriors behind a NAT gateway to
Nate> connect to an IPSec server, and the networks behind it. You use
Nate> the Xsubnet= to specify what internal IP address the NAT'd box
Nate> is using, and I'm fairly certain there's not a way to also
Nate> have a subnet behind it, without doing something exotic like
Nate> gre tunnels over the ipsec link.
There is no reason why you can't build a tunnel like:
subnet1====GWA----NAT ******* GWB---subnet2
And build a tunnel using NAT-T between GWA/GWB that connects subnet1
and subnet2. This isn't the most frequent use, which is where subnet1
is degenerate to a /32 assigned to a road warrior.
--
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [