[Openswan Users] NAT traffic

Paul Wouters paul at xelerance.com
Sun Mar 20 00:40:39 EDT 2011

On Sat, 19 Mar 2011, contact_mark at btopenworld.com wrote:

> I have been reading the config docs but they say something along the lines of “Do not NAT traffic
> going over the tunnel”.  Why is this?
> Is it simply that it isn’t an implemented feature or some other reason?

Tunnels have security policies with source and dest address. If you change any
addresses those policies will be wrong.

Second, packets are encrypted. If you change them, the signatures are wrong and
the packets are dropped.

This is not a software implementaiton limitation. IPsec is a security policy,
and NAT breaks that. IPsec protects against network mangling, and NAT is
network mangling.


More information about the Users mailing list