I'll give it another try.
>Setup a) is what I did not manage to get running. Why is nat-t needed here?
>Is setup a) possible with m0n0 1.21?
NAT Traversal is necessary for IPsec to work with NAT - and the current
FreeBSD 4.x does not support NAT-T, as mentioned.
>Which client? The roadwarrior, or some client behind a m0n0wall trying
>to connect to some remote vpn-gateway?
The client that wants to access the VPN endpoint of the m0n0wall, no matter
whether this client is behind a m0n0wall or another router.
Both VPN peers negotiate NAT Traversal with each other. If one doesn't
support NAT-T the connection will fail. Both sides must support NAT-T.
>Homenet - m0n0 - internet - nat-router - roadwarrior
Not possible, because both routers MUST support NAT-T - m0n0 does not.
In other words: the problem is not whether the VPN endpoint is on m0n0 or
a host behind it. If there is at least one NAT device both endpoints must
If the road warrior wants to initiate the VPN connection, the NAT router will
modify the IPsec packet and the integrity check will fail, as there is built
checksum (also with IP address information - which was manipulated by NAT).
With NAT-T the IPsec packet is encapsulated in a UDP packet and the
of the address information by NAT does not touch the IPsec packet.
Hope this could help ya a little bit
From: Nicolai Scheer [mailto:scope at planetavent dot de]
Sent: Thursday, March 09, 2006 9:56 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] IPSEC and NAT-T
I think I did not understand the IPsec NAT-T issue correctly...
Let us assume the following configurations:
a) Homenet - m0n0 - internet - nat-router - roadwarrior
b) Homenet with 3rd party vpngw - m0n0 - internet - nat-router - roadwarrior
To my mind, nat-t is needed in setup b) where the roadwarrior tries to
connect to a vpn-gateway behind m0n0wall.
Setup a) is what I did not manage to get running. Why is nat-t needed here?
Is setup a) possible with m0n0 1.21?
The documentation says
"m0n0wall does not support NAT-Traversal (NAT-T) for IPsec, which means
if any of your client machines are behind NAT, IPsec VPN will not work."
Which client? The roadwarrior, or some client behind a m0n0wall trying
to connect to some remote vpn-gateway?
Hopefully someone can enlighten me :)
Thanks in advance,
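
An added illustration of the mechanism described in the reply above (not part of the original thread, and not m0n0wall or FreeBSD code): a simplified Python model of an integrity value that covers the IP addresses, as in AH, next to ESP carried in UDP port 4500, as in NAT-T, each passed through a source-address rewrite. Assumptions: HMAC-SHA1-96 as the integrity algorithm, packets modelled as dicts, encryption omitted; the key, addresses, SPI and all function names are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread
ICV_LEN = 12                   # HMAC-SHA1-96 truncation (assumed algorithm)


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def addr_bytes(pkt: dict) -> bytes:
    return socket.inet_aton(pkt["src"]) + socket.inet_aton(pkt["dst"])


def ah_style_packet(src: str, dst: str, payload: bytes) -> dict:
    """Integrity value covers the IP addresses as well as the payload."""
    pkt = {"src": src, "dst": dst, "payload": payload}
    pkt["icv"] = icv(addr_bytes(pkt) + payload)
    return pkt


def ah_style_verify(pkt: dict) -> bool:
    return hmac.compare_digest(pkt["icv"], icv(addr_bytes(pkt) + pkt["payload"]))


def natt_packet(src: str, dst: str, spi: int, seq: int, payload: bytes) -> dict:
    """ESP-in-UDP (port 4500): integrity value covers only the ESP part."""
    esp = struct.pack("!II", spi, seq) + payload
    return {"src": src, "dst": dst, "sport": 4500, "dport": 4500,
            "esp": esp + icv(esp)}


def natt_verify(pkt: dict) -> bool:
    body, tag = pkt["esp"][:-ICV_LEN], pkt["esp"][-ICV_LEN:]
    return hmac.compare_digest(tag, icv(body))


def nat_rewrite(pkt: dict, public_ip: str, public_port: int = 61001) -> dict:
    """What the NAT router does: replace source address (and UDP port, if any)."""
    out = dict(pkt, src=public_ip)
    if "sport" in out:
        out["sport"] = public_port
    return out


if __name__ == "__main__":
    ah = ah_style_packet("192.168.1.50", "203.0.113.10", b"constructed payload")
    udp = natt_packet("192.168.1.50", "203.0.113.10", 0x1001, 1, b"constructed payload")
    for name, pkt, check in (("AH-style", ah, ah_style_verify), ("NAT-T", udp, natt_verify)):
        print(name, "before NAT:", check(pkt), "after NAT:", check(nat_rewrite(pkt, "198.51.100.7")))
```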