 From:  "Chris Buechler" <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] NAT IPsec possible?
 Date:  Wed, 12 Apr 2006 21:32:30 -0400
On 4/12/06, Corren Vorwerk <list dash user at backenhoernchen dot de> wrote:
>
> > It says in the m0n0 documentation "m0n0wall does not support
> > NAT-Traversal (NAT-T) for IPsec, which means if any of your client
> > machines are behind NAT, IPsec VPN will not work."
> >
> > Is that only the case for workstation to m0n0, or also for m0n0 to
> > m0n0 or in my case, m0n0 to netscreen?
> >
> Workstations behind m0n0 cannot establish IPSec VPN connections to
> computers outside the "wall". This is a limitation of the BSD kernel - as
> far as I know.
>

Actually it's vice versa, it's if clients are behind NAT connecting to
a m0n0wall IPsec mobile VPN server.  Doesn't matter if it's m0n0wall
NAT or any other type of NAT.  I think there are exceptions to this
with certain NAT implementations with IPsec proxies (at least there
seem to be some exceptions, though no details on those exceptions, so
I'm just guessing).

As far as site to site IPsec, I believe that works when either side is
NAT'ed.  I seem to recall some people using it that way.

As for clients behind m0n0wall, see this thread:
http://m0n0.ch/wall/list/showmsg.php?id=253/51

-Chris