 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  "'Dave O'" <dso at mssystems dot com>, "'Christian ERDT'" <ec at erdt dot biz>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPSec-Client behind NAT??
 Date:  Tue, 25 Jan 2005 09:36:09 -0500
Dave O wrote:
> If I understand your situation correctly, I ran into this same
> recently.  IPSEC connections will NOT work when the client is on a
> NATed connection.  The reason for this is that an IPSEC packet
> contains both the source and destination addresses.  To quote from
> OpenVPN presentation (on their site):
>    Because IPSec considered the source and destination addresses to
>    be part of the secured payload, it broke interoperability with NAT.
> So, when you try to connect, outgoing packets will contain what I'm
> assuming is a private ip address (e.g., 172.16.3x.x or 10.0.0.x) but
> the connection is actually coming from your public ip (WAN ip) and
> breaks the connection.
> Thus, your alternatives are: 1) establish a connection from a public
> ip address; 2) use PPTP; 3) use OpenVPN.

AFAIK, whether an IPSEC connection will work or not depends on the
IPSEC Client. If the client supports NAT-T you should be able to
connect. I can connect to IPSEC tunnels on SonicWall and NetGear
firewalls at client sites using the NetGear VPN client (SafeNet
branded product) from behind my v1.11 m0n0wall. I also have two
laptops with the SonicWall VPN client that work fine (but to the
SonicWalls only).

To make this work I had to create an inbound NAT for UDP port 500 to
my PC. I think the SonicWall VPN worked but not the NetGear before I
added this rule.

James W. McKeand
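The reply above turns on whether the client supports NAT-T. What NAT-T (IKEv1 NAT Traversal, RFC 3947) actually does during IKE phase 1 is exchange NAT-D payloads: each peer sends HASH(CKY-I | CKY-R | IP | Port) for the address it is sending to and for its own address as it knows it, and the receiver recomputes the hashes over the addresses it observes on the wire. A mismatch means a NAT rewrote the packet, and the peers switch to UDP encapsulation (port 4500) instead of relying on the addresses inside the protected payload. The following Python is an added example, not code from the thread or from m0n0wall; the cookies, addresses (RFC 5737 documentation ranges) and the NAT mapping are constructed sample values, and SHA-1 stands in for whatever hash the IKE SA negotiated.

```python
"""NAT detection via IKEv1 NAT-D payloads (RFC 3947 section 3.2).

Added example; not part of the original thread. All cookies, addresses and
the NAT mapping are constructed sample values. SHA-1 is assumed as the
negotiated IKE hash; any negotiated hash works identically.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "sha1") -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port): IP as packed bytes, port big-endian."""
    packed_ip = ipaddress.ip_address(ip).packed
    data = cky_i + cky_r + packed_ip + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port):
    """Sender side. RFC 3947: the first NAT-D payload covers the remote
    end's address/port (where the packet is sent), the following payload(s)
    cover the sender's own address/port as the sender itself knows it."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, my_ip, my_port)]


def detect_nat(cky_i, cky_r, received, observed_src_ip, observed_src_port,
               local_ip, local_port):
    """Receiver side: recompute hashes over what is actually on the wire.
    Returns (nat_behind_peer, nat_in_front_of_me)."""
    expected_dst = nat_d_hash(cky_i, cky_r, local_ip, local_port)
    expected_src = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    nat_in_front_of_me = received[0] != expected_dst
    nat_behind_peer = expected_src not in received[1:]
    return nat_behind_peer, nat_in_front_of_me


# Constructed sample values (not from any real SA).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
SERVER = ("198.51.100.1", 500)          # VPN gateway, public address


def client_behind_nat_scenario(nat_port=500):
    """Client on a private LAN; its firewall rewrites the source address.
    nat_port=500 models a static inbound/outbound NAT of UDP 500 like the
    one described in the thread; another value models a PAT that also
    changes the port."""
    client_private = ("10.0.0.5", 500)
    nat_public = ("203.0.113.7", nat_port)
    # Client hashes the addresses it knows: the server, and its private IP.
    payloads = build_nat_d_payloads(CKY_I, CKY_R, *client_private, *SERVER)
    # The server sees the NAT's public address as the UDP source.
    return detect_nat(CKY_I, CKY_R, payloads, *nat_public, *SERVER)


def client_public_scenario():
    """Client with a public address and no NAT in the path."""
    client = ("203.0.113.7", 500)
    payloads = build_nat_d_payloads(CKY_I, CKY_R, *client, *SERVER)
    return detect_nat(CKY_I, CKY_R, payloads, *client, *SERVER)


if __name__ == "__main__":
    for name, result in [("client behind NAT (UDP 500 mapped 1:1)",
                          client_behind_nat_scenario()),
                         ("client behind PAT (port rewritten)",
                          client_behind_nat_scenario(nat_port=41234)),
                         ("client on public IP", client_public_scenario())]:
        behind_peer, in_front = result
        print(f"{name}: NAT behind peer={behind_peer}, "
              f"NAT in front of gateway={in_front}")
```

The gateway never needs to know the client's private address; it only needs the hashes to disagree, which is why a NAT-T capable client (and gateway) can tunnel from behind NAT while a client that omits NAT-D, or a gateway that ignores it, falls into exactly the failure the quoted message describes. Note that the comparison also trips when only the port is rewritten, which is why a firewall that maps UDP 500 one-to-one can still need NAT-T rather than plain ESP for the traffic that follows.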