[ previous ] [ next ] [ threads ]
 From:  "Jason Collins" <jason at mammothcomputers dot com>
 To:  "'Chris Buechler'" <cbuechler at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPSEC and NAT-T
 Date:  Fri, 10 Mar 2006 07:32:23 -0600
I guess I don't understand why it doesn't work because we have a similar
setup where we can connect from behind our monowall to clients' monowalls
using the safenet ipsec vpn client software installed on a workstation.
we've since switched to automatic tunnels using our monowayll, but we never
had any problems with safenet connecting.  maybe I don't understand the


-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com] 
Sent: Thursday, March 09, 2006 4:48 PM
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] IPSEC and NAT-T

On 3/9/06, Nicolai Scheer <scope at planetavent dot de> wrote:
> I am at home behind my m0n0wall. I connect to my firm's draytek router 
> (some 2900...) daily via ipsec vpn... and it works well...
> According to what you said, this should not work, since m0n0wall can't 
> do nat-t...

NAT-T applies to the device that terminates the IPsec connections.  In this
case, the Draytek must support NAT-T, or what you describe wouldn't work.
If you replace the Draytek with a m0n0wall, that same setup wouldn't work.

When the client is behind NAT, the terminating device has to support NAT-T
(and have it enabled).