However, what is authenticated in the IPSEC datagrams is the addresses of the IKE gateways (the routers). The fact that an entire netblock exists within the tunnel is not especially relevant to the part that suffers from NAT breakage.

Owen

--On Wednesday, October 29, 2003 3:14 AM -0800 Avleen Vig <lists-nanog@silverwraith.com> wrote:
On Wed, Oct 29, 2003 at 11:03:11AM +0000, Simon Lockhart wrote:
No. Anything that relies on knowing which host it is talking to by looking at the source address of packets breaks. Plenty of UDP based apps work over NAT.
Indeed, and IPSec tunnels are frequently done between routers on networks, rather than individual hosts on networks (at least in most multi-site enterprises I've seen).
-- If it wasn't signed, it probably didn't come from me.
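The following is an added illustration of the two points in the exchange above (Owen's, that the integrity check covers the gateway addresses while the inner netblocks ride through untouched, and Simon's, that anything keyed on the source address breaks behind a NAT). It is not code from the thread or from any IPsec implementation: it is a deliberately simplified model in which the "outer header" is just the src/dst address pair, the AH-style ICV is an HMAC over those addresses plus the tunnelled payload, the ESP-style ICV is an HMAC over the payload only, and the key, addresses and peer table are all constructed for the demo.

```python
"""Constructed model (not real IPsec packet formats) of how a NAT in the path
interacts with AH-style and ESP-style integrity checks and with code that
identifies its peer by source address."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple

# Constructed demo key shared by the two gateways; in IPsec it would be derived
# from the IKE exchange, not a literal.
DEMO_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Datagram:
    """Outer IP header (src, dst) plus the tunnelled inner datagram as payload."""
    src: str
    dst: str
    payload: bytes


def outer_header(pkt: Datagram) -> bytes:
    """The immutable outer fields an AH-style ICV covers: src and dst address."""
    return ipaddress.IPv4Address(pkt.src).packed + ipaddress.IPv4Address(pkt.dst).packed


def ah_icv(pkt: Datagram, key: bytes) -> bytes:
    """AH-style integrity check: the outer addresses are inside the MAC, so a NAT
    that rewrites the outer source address invalidates it."""
    return hmac.new(key, outer_header(pkt) + pkt.payload, hashlib.sha256).digest()


def esp_icv(pkt: Datagram, key: bytes) -> bytes:
    """ESP-style integrity check: only the encapsulated payload is covered; the
    outer IP header is not, so NAT on the outer header leaves it valid."""
    return hmac.new(key, pkt.payload, hashlib.sha256).digest()


def nat_rewrite_src(pkt: Datagram, public_ip: str) -> Datagram:
    """What a source NAT does to the outer header: rewrite src and nothing else.
    The tunnelled inner addresses are opaque payload to it."""
    return replace(pkt, src=public_ip)


def verify(pkt: Datagram, icv: bytes,
           icv_fn: Callable[[Datagram, bytes], bytes], key: bytes) -> bool:
    """Receiving gateway recomputes the ICV over what actually arrived."""
    return hmac.compare_digest(icv_fn(pkt, key), icv)


def build_tunnel_datagram() -> Datagram:
    """Gateway A (10.0.0.1) tunnels an inner 10.0.1.0/24 -> 10.0.2.0/24 packet
    to gateway B (203.0.113.2). All addresses are constructed for the demo."""
    inner = (ipaddress.IPv4Address("10.0.1.25").packed
             + ipaddress.IPv4Address("10.0.2.40").packed
             + b"inner payload")
    return Datagram(src="10.0.0.1", dst="203.0.113.2", payload=inner)


def survives_nat(icv_fn: Callable[[Datagram, bytes], bytes], nat_in_path: bool) -> bool:
    """Does the receiver's integrity check still pass after a NAT has rewritten
    the outer source address in transit?"""
    sent = build_tunnel_datagram()
    icv = icv_fn(sent, DEMO_KEY)
    received = nat_rewrite_src(sent, "198.51.100.7") if nat_in_path else sent
    return verify(received, icv, icv_fn, DEMO_KEY)


def identify_peer_by_source(pkt: Datagram, peers: Dict[str, str]) -> Optional[str]:
    """Simon's point: deciding who you are talking to from the source address
    stops working once a NAT has rewritten that address."""
    return peers.get(pkt.src)


def inner_addresses(pkt: Datagram) -> Tuple[str, str]:
    """The tunnelled inner src/dst, which the outer-header NAT never touched."""
    return (str(ipaddress.IPv4Address(pkt.payload[:4])),
            str(ipaddress.IPv4Address(pkt.payload[4:8])))


if __name__ == "__main__":
    peers = {"10.0.0.1": "gateway-A"}  # constructed peer table keyed by source address
    natted = nat_rewrite_src(build_tunnel_datagram(), "198.51.100.7")
    print("AH-style ICV without NAT:", survives_nat(ah_icv, False))
    print("AH-style ICV through NAT: ", survives_nat(ah_icv, True))
    print("ESP-style ICV through NAT:", survives_nat(esp_icv, True))
    print("peer by source after NAT: ", identify_peer_by_source(natted, peers))
    print("inner addresses after NAT:", inner_addresses(natted))
```

The model only shows the integrity-check side of the problem. A real ESP tunnel behind a NAT still needs UDP encapsulation (NAT traversal) because ESP carries no port numbers for the NAT to build its mapping on, and IKE itself has to detect the NAT and agree to that encapsulation; none of that is modelled here.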