 From:  Dave O <dso at mssystems dot com>
 To:  Christian ERDT <ec at erdt dot biz>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSec-Client behind NAT??
 Date:  Tue, 25 Jan 2005 07:38:28 -0600
Christian ERDT wrote:

> Hi!
> I have a problem with mobile user VPN with IPsec.
> All is working fine when my client has a WAN IP,
> but if the client is behind NAT I get a connection but it is not possible
> to make traffic in my home net behind the m0n0wall.....
> Please help me.
> Best regards,
> Christian Erdt
> email: ec at erdt dot biz
If I understand your situation correctly, I ran into this same problem 
recently.  IPSEC connections will NOT work when the client is on a NATed 
connection.  The reason for this is that an IPSEC packet contains both 
the source and destination addresses.  To quote from an OpenVPN 
presentation (on their site):

   Because IPSec considered the source and destination addresses to be
   part of the secured payload, it broke interoperability with NAT.

So, when you try to connect, outgoing packets will contain what I'm 
assuming is a private IP address (e.g., 172.16.3x.x or 10.0.0.x) but the 
connection is actually coming from your public IP (WAN IP) and breaks 
the connection.

Thus, your alternatives are: 1) establish a connection from a public IP 
address; 2) use PPTP; 3) use OpenVPN.

Hope this helps.