On Fri, 2004-07-09 at 18:13, Cedric Blancher wrote:
> On Fri 09/07/2004 at 17:38, Rainer Arnst wrote:
> > I tried to work with that, but failed to produce the desired results,
> > which were to enable IPSec transport mode packets to pass through the
> > firewall not being NATed.
> [...]
> > Has anyone got any ideas?
>
> Yes, I got one I previously explained. IPSEC transport mode can't cope
> with NAT if you do TCP. ESP transport mode only encapsulates the IP packet
> payload (layer 4), as opposed to ESP tunnel mode, which encapsulates the
> full IP packet.

I know, that is why I wanted to avoid NAT for ESP/AH, passing packets
through without rewriting their destination, following this suggestion
from Antony@xxxxxxxxxxxxxxxxxxxx:

> 1. Put a genuine public IP address on the destination Security Gateway
> machine, routed through the firewall without nat.

> When you do NAT, you alter IP source and/or destination. But TCP
> checksum includes IP addresses, which means you have to recompute it on
> the fly when NATing. And as it is ciphered, you can't.

Unfortunately I have to find a way to make the transport mode work; we
were using NAT-T, which worked fine, but now I am looking for another
solution which does not require the VPN Gateway to support NAT-T.

Greetings,
Rainer
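The checksum problem Cedric describes, as an added example that is not part of this thread (it is neither Rainer's nor Cedric's code): the TCP checksum is computed over a pseudo-header that contains the IP source and destination addresses, so a NAT box that rewrites an address must also rewrite the TCP checksum. For cleartext TCP it can; for ESP transport mode the TCP header sits inside the encrypted payload, so the NAT box can only rewrite the outer IP header and the receiver's checksum verification fails. The addresses are constructed (RFC 5737 documentation ranges plus an RFC 1918 address), and the repeating-key XOR stands in for ESP's real cipher purely so that the NAT box cannot read the TCP header.

```python
"""Why NAT breaks IPsec ESP transport mode over TCP (added example, not from the thread)."""
import struct
import ipaddress

REMOTE_PEER = "192.0.2.20"        # constructed: remote VPN peer on the Internet
PUBLIC_ADDR = "203.0.113.10"      # constructed: public address the peer sends to
PRIVATE_GW = "10.0.0.5"           # constructed: real address of the gateway behind DNAT
DEMO_KEY = b"not-a-real-esp-key"  # constructed: key for the placeholder cipher below


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum as used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """RFC 793 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, tcp_len))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum for a segment whose checksum field (bytes 16-17) is zero."""
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF


def verify_tcp_segment(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A valid segment sums to 0xFFFF together with its pseudo-header."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def set_checksum(segment: bytes, csum: int) -> bytes:
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def build_tcp_segment(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Minimal SYN segment (no options) with a correct checksum for src_ip -> dst_ip."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    segment = header + payload
    return set_checksum(segment, tcp_checksum(src_ip, dst_ip, segment))


def dnat_tcp(src_ip: str, segment: bytes, new_dst_ip: str, fix_checksum: bool) -> bytes:
    """What a NAT box does to a cleartext TCP segment when it rewrites the destination.
    The checksum is recomputed from scratch here; real NATs use the incremental
    update of RFC 1624, which yields the same value."""
    if fix_checksum:
        segment = set_checksum(segment, tcp_checksum(src_ip, new_dst_ip, set_checksum(segment, 0)))
    return segment


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for ESP's cipher. Repeating-key XOR is NOT secure; it only makes
    the TCP header unreadable to the NAT box for the purpose of this demo."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def scenario_cleartext_tcp():
    """Cleartext TCP through DNAT: fails unless the NAT box fixes the checksum."""
    seg = build_tcp_segment(REMOTE_PEER, PUBLIC_ADDR, 40000, 22, b"constructed payload")
    broken = dnat_tcp(REMOTE_PEER, seg, PRIVATE_GW, fix_checksum=False)
    fixed = dnat_tcp(REMOTE_PEER, seg, PRIVATE_GW, fix_checksum=True)
    return (verify_tcp_segment(REMOTE_PEER, PRIVATE_GW, broken),
            verify_tcp_segment(REMOTE_PEER, PRIVATE_GW, fixed))


def scenario_esp_transport():
    """ESP transport mode through DNAT: the NAT box sees only ciphertext, so it
    rewrites the outer IP destination and leaves the inner TCP checksum alone."""
    seg = build_tcp_segment(REMOTE_PEER, PUBLIC_ADDR, 40000, 22, b"constructed payload")
    esp_payload = toy_cipher(DEMO_KEY, seg)   # what leaves the peer; opaque to the NAT box
    arrived_dst = PRIVATE_GW                  # outer header after DNAT; payload untouched
    inner = toy_cipher(DEMO_KEY, esp_payload) # gateway decrypts and hands TCP the segment
    return (verify_tcp_segment(REMOTE_PEER, PUBLIC_ADDR, inner),  # address the peer used
            verify_tcp_segment(REMOTE_PEER, arrived_dst, inner))  # gateway's own address


if __name__ == "__main__":
    print("cleartext TCP (no fixup, with fixup):", scenario_cleartext_tcp())
    print("ESP transport (as sent, as received):", scenario_esp_transport())
```

The second scenario is the case in the thread: the receiving gateway checks the decrypted segment against its own address, which is not the address the peer computed the checksum for, so every TCP segment is dropped while UDP (checksum optional in IPv4) or ICMP may still appear to work. NAT-T, which Rainer says worked, avoids this by UDP-encapsulating ESP and letting the receiver repair the inner checksum after decryption; without NAT-T the only clean options are the ones already raised in the thread, a route without NAT or tunnel mode.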