Ryan Russell
Sun, 14 Jun 1998 11:23:01 -0700

Does the instance where IPSec worked when NATted
point out a broken or incomplete implementation, then?

Part of the authentication for an authenticated IPSec
connection is the IP addresses on the endpoints.
>From what little I know, you'd most likely always want
authentication on in a VPN situation.

There is the proxy part of the spec, but that didn't sound
too well defined, and not very workable.  Only works for
a single proxy, too.

I'm not clear on your Sidewinder example... Packets
coming in from the VPN client get decrypted on
the gateway in either case.. When the endpoint
is the gateway itself...where does it get the final destination
address.. unless it's in tunnel mode.  When the destination
is "inside" past the gateway.. does the gateway change the
source address of the packet to be itself, or does the inside
machine think it's being connected to from all the way out in
the Internet?

To speak to the original question... Checkpoint's SecuRemote
breaks if there is any kind of NAT or proxying going on
before it hits the home gateway.  It's happy if the home
gateway is the one doing NAT, after decryption.  I'll
second the statement that VTCP/Secure (a.k.a. PowerVPN)
is perfectly happy being NATted and proxied along the way,
making it quite flexible.


Tina Bird <> on 06/12/98 10:33:29 PM

Please respond to Tina Bird <>

To:   "Burden, James" <>
cc:   "'Appel, John'" <>,
      "''" <> (bcc: Ryan
Subject:  Re: NAT

This isn't true!  I'm aware of a large number of VPN installations,
both IPSec and proprietary, which work quite happily with NAT.  Even
PPTP is interoperable now with address translation, at least once
you've got your routes set up correctly.

F'r instance:  Sidewinder firewalls perform NAT "by default" - that
is, you can't have a live Sidewinder that >doesn't< have address
translation thanks to the two-or-more NICs, and the lack of IP
forwarding.  Sidewinder supports IPSec in both transport and tunnel
modes, allowing the VPN to terminate on either the external side of
the firewall (in which case the unencrypted, destination side of the
IPSec association is the "final" destination, as far as the VPN is
concerned) or on the internal side of the firewall (in which case
the firewall hands off the traffic to the destination machine on the
interior network).  In either case, the firewall is the
decryption server, and it's only ever the external
firewall IP address which is visible to the public network.

I've worked with 3 or 4 other VPN products (Alta Vista, PPTP,
VTCP/Secure and Signal 9) with similar success in a NAT environment.

Tina Bird

Received: from ([]) by
(Lotus SMTP MTA v4.6.1  (569.2 2-6-1998)) with SMTP id 88256623.00282435;
Sun, 14 Jun 1998 00:18:27 -0700
Received: from (smtp1 [])
          by (8.8.4/8.8.4) with SMTP
       id AAA29618; Sun, 14 Jun 1998 00:16:14 -0700 (PDT)
Received: from by
     id AA11836; Sun, 14 Jun 98 00:16:13 PDT
Received: from ( [])
          by (8.8.4/8.8.4) with ESMTP
       id AAA23966; Sun, 14 Jun 1998 00:16:05 -0700 (PDT)
Received: (from lists@localhost)
     by (8.8.8/8.8.8) id VAA03068
     for firewall-wizards-outgoing; Sat, 13 Jun 1998 21:40:06 -0500 (CDT)
Received: (from fwiz@localhost)
     by (8.8.8/8.8.8) id VAA03046
     for; Sat, 13 Jun 1998 21:39:57 -0500 (CDT)
Received: from ( [])
     by (8.8.8/8.8.8) with ESMTP id AAA24217
     for <>; Sat, 13 Jun 1998 00:31:31 -0500 (CDT)
Received: from (root@localhost)
     by with ESMTP id AAA28801;
     Sat, 13 Jun 1998 00:34:30 -0500 (CDT)
Received: from ( [])
     by with SMTP id AAA28797;
     Sat, 13 Jun 1998 00:34:30 -0500 (CDT)
Received: from by (SMI-8.6/SMI-SVR4)
     id AAA25850; Sat, 13 Jun 1998 00:34:29 -0500
Message-Id: <>
Date: Sat, 13 Jun 1998 00:33:29 -0500
From: Tina Bird <>
X-Mailer: Mozilla 4.04 [en] (Win95; I)
Mime-Version: 1.0
To: "Burden, James" <>
Cc: "'Appel, John'" <>,
        "''" <>
Subject: Re: NAT
References: <>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Precedence: bulk
Reply-To: Tina Bird <>