|Main Archive Page > Month Archives > ipsec archives|
On Tue, Sep 22, 2009 at 12:52:51PM -0400, Scott C Moonen wrote:
> Hi Matt. Our implementation works a little differently from Tero's, so
> I'm replying just to provide a different perspective.
<mucho snippage deleted!>
> Our design decision does prevent our implementation from initiating to a
> remote IPsec gateway if that gateway is behind a NAT, since we have
> excluded the possibility of configuring addresses in the network behind
> that NAT. We believe that initiating to a gateway behind a NAT is an
> uncommon configuration, especially for our platform.
Your design (which is similar to the one in Solaris/OpenSolaris) WOULD allow initiation to a behind-a-NAT peer if (and only if) the NAT was smart enough to redirect 500 and 4500 to a single entity inside its private network. (I'll be experimenting with this directly when I move into my new house this weekend, actually. :)