Ryan Russell
Wed, 17 Jun 1998 09:53:22 -0700

Your first paragraph clears it up, thanks.  If the IPSec happens
after NAT, it makes perfect sense.  When one wants to use
NAT with IPSec, then the device doing NAT would have to participate
in the IPSec connection.

That would imply that one couldn't get an IPSec connection
through a box that did NAT/proxy when that box didn't
participate in the connection.  I think that's going to be
a major problem for IPSec based VPN solutions.


On Sidewinder, at least, the NAT activity is irrelevant to IPSEC behavior.
When leaving the internal (address translated) network, the addresses are
swapped before packets are handed to IPSEC for crypto processing. Encrypted
packets from the outside world are decrypted and then each packet's IP
address gets changed before being dropped on the internal LAN. The same
security association is used for all NATed traffic between a pair of IPSEC
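As an added example that is not part of this thread and is not Sidewinder's code, the following Python model shows why the ordering discussed above matters. It uses an AH-style integrity check (HMAC over the IP header and payload, with mutable fields such as TTL zeroed as RFC 2402 prescribes) so that the source and destination addresses are inside the bytes the ICV covers. When the firewall translates addresses first and then hands the packet to IPsec, the peer verifies the ICV; when a box that does not participate in the security association rewrites the address after the ICV was computed, the peer's check fails. The key, addresses, TTL and payload are constructed for the example; the header layout is deliberately minimal and is not a full IPv4 header.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

# Constructed example key shared by the two IPsec peers (hypothetical SA key).
SA_KEY = b"constructed-example-sa-key"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int
    payload: bytes
    icv: bytes = b""


def header_bytes(pkt, ttl):
    """Minimal header: version/IHL byte, TTL, source, destination.
    Real IPv4 headers carry more fields; only what the example needs is modeled."""
    return struct.pack("!BB4s4s", 0x45, ttl,
                       IPv4Address(pkt.src).packed, IPv4Address(pkt.dst).packed)


def icv_input(pkt):
    """AH rule: mutable fields (here TTL) are zeroed before computing the ICV;
    immutable fields (source and destination address) are covered as-is."""
    return header_bytes(pkt, ttl=0) + pkt.payload


def ah_protect(pkt, key=SA_KEY):
    """Sending peer: compute the ICV over the header as it exists right now."""
    return replace(pkt, icv=hmac.new(key, icv_input(pkt), hashlib.sha256).digest())


def ah_verify(pkt, key=SA_KEY):
    """Receiving peer: recompute the ICV and compare in constant time."""
    expected = hmac.new(key, icv_input(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(pkt.icv, expected)


def nat_outbound(pkt, public_ip):
    """Source NAT: swap the internal address for the firewall's public one."""
    return replace(pkt, src=public_ip)


def nat_inbound(pkt, internal_ip):
    """Reverse translation on the way back onto the internal LAN."""
    return replace(pkt, dst=internal_ip)


def router_hop(pkt):
    """An intermediate router decrements TTL; AH tolerates this by design."""
    return replace(pkt, ttl=pkt.ttl - 1)


def nat_then_ipsec(pkt, public_ip):
    """Sidewinder ordering as described in the thread: addresses are swapped
    before the packet is handed to IPsec, so the ICV covers the public source."""
    return ah_protect(nat_outbound(pkt, public_ip))


def ipsec_then_nat(pkt, public_ip):
    """Ryan's concern: IPsec runs first, then a NAT box that is not part of the
    security association rewrites the source address behind IPsec's back."""
    return nat_outbound(ah_protect(pkt), public_ip)


def demo():
    """Run both orderings through one router hop and report what the peer sees."""
    # Constructed sample traffic from an RFC 1918 host to a remote IPsec peer.
    inner = Packet(src="10.0.0.7", dst="192.0.2.10", ttl=64, payload=b"GET / HTTP/1.0\r\n")
    public_ip = "198.51.100.1"

    on_wire_a = router_hop(nat_then_ipsec(inner, public_ip))
    on_wire_b = router_hop(ipsec_then_nat(inner, public_ip))

    results = {
        "nat_then_ipsec": ah_verify(on_wire_a),   # peer accepts
        "ipsec_then_nat": ah_verify(on_wire_b),   # peer rejects: src changed after ICV
    }
    # Inbound direction for the working case: verify first, then translate back.
    reply = ah_protect(Packet(src="192.0.2.10", dst=public_ip, ttl=64, payload=b"200 OK"))
    results["inbound_verified_before_nat"] = ah_verify(reply)
    results["inbound_delivered_to"] = nat_inbound(reply, "10.0.0.7").dst
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model only covers the integrity-check side of the problem. The same ordering question applies to ESP in transport mode, where the TCP or UDP checksum under the encryption includes the addresses; that case is not modeled here.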