On Tue, Sep 22, 2009 at 12:52:51PM -0400, Scott C Moonen wrote:
> Hi Matt. Our implementation works a little differently from Tero's, so
> I'm replying just to provide a different perspective.

<mucho snippage deleted!>

> Our design decision does prevent our implementation from initiating to a
> remote IPsec gateway if that gateway is behind a NAT, since we have
> excluded the possibility of configuring addresses in the network behind
> that NAT. We believe that initiating to a gateway behind a NAT is an
> uncommon configuration, especially for our platform.

Your design (which is similar to the one in Solaris/OpenSolaris) WOULD allow
initiation to a behind-a-NAT peer if (and only if) the NAT was smart enough to
redirect 500 and 4500 to a single entity inside its private network.

(I'll be experimenting with this directly when I move into my new house this
weekend, actually. :)

Dan

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec