On Sun 16/05/2004 at 20:54, Antony Stone wrote:
> I'm not aware of this "common problem", however I only use IPsec (through NAT)
> in tunnel mode between networks, not in transport mode with a client-gateway
> arrangement.

<FYI>
NAT obviously breaks IPsec using the AH header, and it also breaks transport mode ESP. When you use transport mode ESP, you don't encrypt the packet header, since the IPsec destination (declared as the IPsec gateway) is the same as the encapsulated packet's destination, so only the IP payload is ESP encapsulated. For TCP/UDP, the checksum is computed against a pseudo header that includes the IP source and destination; NAT breaks the checksum, since the pseudo header, after ESP decapsulation, has been modified. TCP is the more affected, as it is not very wise to deactivate checksum verification the way it is possible for UDP.
</FYI>

However, there's often a way to work around this kind of issue using tunnel mode by addressing packets to an aliased IP.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
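The checksum failure described in the message above, worked through as an added example (this is not code from the original post or from any IPsec implementation). It computes the TCP checksum over the RFC 793 pseudo header, then models the two cases: transport-mode ESP, where the NAT device rewrites the outer source address but cannot touch the encrypted TCP checksum, so verification at the receiver fails; and tunnel mode, where the inner IP header travels inside ESP and the receiver verifies against the original, unrewritten address. The addresses (10.0.0.5 behind a NAT with public address 198.51.100.1, talking to 203.0.113.10), ports and payload are constructed for the demonstration.

```python
import ipaddress
import struct

PROTO_TCP = 6

# Constructed addresses for the demonstration (RFC 1918 / RFC 5737 ranges).
CLIENT_PRIVATE = "10.0.0.5"      # inner source, what the client puts in its pseudo header
NAT_PUBLIC = "198.51.100.1"      # what the NAT writes into the outer IP source field
SERVER = "203.0.113.10"          # IPsec peer and TCP destination (same host in transport mode)
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"  # constructed sample data


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """RFC 793 pseudo header: src addr, dst addr, zero, protocol, TCP length."""
    return (ipaddress.ip_address(src_ip).packed
            + ipaddress.ip_address(dst_ip).packed
            + struct.pack("!BBH", 0, PROTO_TCP, tcp_len))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum of pseudo header + segment (checksum field in segment must be zero)."""
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF


def build_tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK, seq 1) plus payload, checksum filled in."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]  # bytes 16-17 hold the checksum
    return header + payload


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: sum over pseudo header + segment (with checksum) must be 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def esp_transport_through_nat():
    """Return (valid_at_sender, valid_at_receiver) for transport-mode ESP crossing a NAT."""
    segment = build_tcp_segment(CLIENT_PRIVATE, SERVER, 40000, 443, PAYLOAD)
    valid_at_sender = tcp_checksum_ok(CLIENT_PRIVATE, SERVER, segment)
    # ESP encrypts the whole TCP segment. The NAT sees the outer IP header and an
    # opaque ESP payload, so it rewrites the IP source and leaves the checksum alone.
    outer_src_seen_by_receiver = NAT_PUBLIC
    decrypted_segment = segment  # decryption gives back the original bytes unchanged
    valid_at_receiver = tcp_checksum_ok(outer_src_seen_by_receiver, SERVER, decrypted_segment)
    return valid_at_sender, valid_at_receiver


def esp_tunnel_through_nat() -> bool:
    """Tunnel mode: the inner IP header is inside ESP, so NAT never rewrites it."""
    segment = build_tcp_segment(CLIENT_PRIVATE, SERVER, 40000, 443, PAYLOAD)
    inner_src_after_decapsulation = CLIENT_PRIVATE  # only the outer header was NATed
    return tcp_checksum_ok(inner_src_after_decapsulation, SERVER, segment)


if __name__ == "__main__":
    print("transport mode (sender ok, receiver ok):", esp_transport_through_nat())
    print("tunnel mode (receiver ok):", esp_tunnel_through_nat())
```

The receiver in the transport-mode case has no way to repair this: the TCP header it decrypts is authentic and intact, but the address in the pseudo header it must use is the one the NAT wrote into the outer IP header, which the sender never saw.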