On Wed, 2003-10-01 at 20:41, Mitsuru KANDA / 神田 充 wrote:
> At Wed, 1 Oct 2003 23:10:52 +0200,
> Jose Luis Domingo Lopez <linux-net@24x7linux.com> wrote:
> ...
> > To the best of my knowledge you can NAT IPsec traffic if the outer
> > transformation is ESP and not AH. NAT traversal seems to be only
> > necessary if you do AH or ESP+AH, because AH headers also cover IP
> > packet headers, and any change in them renders the checksums bad.
> Not true.
>
> IPsec NAT Traversal is only for ESP.
> (and for IKE packets)
>
> see draft-ietf-ipsec-udp-encaps-06.txt

What is true, however, is that you can NAT IPSec traffic without
resorting to NAT-Traversal (ESP over UDP). Doing this requires the use of
"virtual IPs" (supported with Super FreeSWAN and SSH.COM's Windows IPSec
client).

Dax Kelson
Guru Labs
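
Added example, not part of the thread: a simplified Python model of the integrity coverage discussed above, showing that an AH-style ICV tolerates a TTL decrement but fails once the source address is rewritten, while an ESP-style ICV ignores the outer IP header. The key, addresses, SPI and payload are constructed sample values; real AH also covers its own header, and port translation and IKE are not modelled.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"              # constructed sample key
PAYLOAD = b"constructed upper-layer data"  # constructed sample payload

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header, no options, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(header, body):
    """AH-style ICV: IP header with mutable fields zeroed, then the body."""
    h = bytearray(header)
    h[1] = 0                 # TOS (DSCP + ECN)
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return hmac.new(KEY, bytes(h) + body, hashlib.sha256).digest()[:16]

def esp_icv(body):
    """ESP-style ICV: ESP header (SPI, sequence number) and payload only."""
    return hmac.new(KEY, body, hashlib.sha256).digest()[:16]

def verify(mode, header, body, icv):
    """Receiver side: recompute the ICV over the packet as it arrived."""
    expected = ah_icv(header, body) if mode == "ah" else esp_icv(body)
    return hmac.compare_digest(expected, icv)

def rewrite(header, src=None, ttl=None):
    """What a router or NAT device does to the outer header in transit."""
    h = bytearray(header)
    if src is not None:
        h[12:16] = socket.inet_aton(src)
    if ttl is not None:
        h[8] = ttl
    return bytes(h)

def survives(mode, **change):
    """True if the receiver's ICV check passes after the in-transit change."""
    proto = 51 if mode == "ah" else 50               # IP protocol numbers: AH, ESP
    body = struct.pack("!II", 0x1000, 1) + PAYLOAD   # constructed SPI and sequence number
    sent = ipv4_header("192.168.1.10", "203.0.113.5", proto, len(body))
    icv = ah_icv(sent, body) if mode == "ah" else esp_icv(body)
    return verify(mode, rewrite(sent, **change), body, icv)

if __name__ == "__main__":
    for mode in ("ah", "esp"):
        print(mode, "ttl:", survives(mode, ttl=63), "nat:", survives(mode, src="198.51.100.7"))
```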