On Sat, 22 Sep 2018 10:38:52 +0200 Pascal Hambourg <pas...@plouf.fr.eu.org> wrote:
> On 22/09/2018 at 09:39, Joe wrote:
> >
> > Two layers of NAT work just fine, for anything but IPSec.
>
> 1) Even one single layer of NAT can cause trouble with other
> applications than IPSec: FTP, SIP...
>

Yes, but one can reasonably expect NAT hardware to also deal with
tracking of multiple port/protocol communications. Pretty much the same
basic code does both jobs, as well as stateful firewalling. There's a
reason that NAT is implemented by iptables rules. Only IPSec ties in the
endpoint IP addresses as well.

> 2) IPSec works through NAT, provided that you enable UDP
> encapsulation aka NAT-T.
>

Yes, there's more to go wrong, though. IPSec is commonly used to provide
pretty much fixed communication between organisations, so terminating it
on the Internet interface rather than on an internal machine makes
sense, as well as keeping it simple with just the public IP addresses.
Other VPNs such as PPTP are more commonly used from internal
workstations. PPTP will pass through two* layers of NAT at each end
without special provision being made, apart from forwarding of course.

*Presumably unlimited layers, but I've actually done two at each end. I
don't like commenting on any communications method until I've made it
work myself.

I've had a certain amount of trouble with IPSec, though to be fair that
was in the days when most router manufacturers were still getting the
hang of connection tracking. There was plenty of early NAT router
firmware which didn't even handle PPTP well.

-- 
Joe
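The point the two posters are circling, that a NAT's connection tracking needs ports to key on and plain ESP has none, can be made concrete with a toy model. The following is an added example, not code from the thread, from either poster, or from any NAT product: two stacked source NATs with a conntrack-style table, a TCP flow mapped outward through both layers and unmapped on the reply, plain ESP from two inner hosts to the same peer colliding at the first NAT, and NAT-T's UDP/4500 encapsulation (RFC 3948) restoring a distinct mapping per host at each layer. The addresses (RFC 5737 documentation ranges), the `Packet`/`Nat` classes and the choice to model an ESP mapping collision as a hard error are assumptions of the model; a real box would more likely misdeliver or drop the second flow's replies.

```python
"""Toy model of stacked source NATs with a conntrack-style table.
Added example: not code from the thread or from any NAT implementation.
Addresses, class names and the hard failure on ESP collision are
assumptions of the model."""
from dataclasses import dataclass, replace
from typing import Optional

TCP, UDP, ESP = 6, 17, 50
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: IKE on UDP/4500 is prefixed by 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s2.3: one-byte keepalive refreshes the NAT mapping


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int]   # None for ESP: the protocol has no transport ports
    dport: Optional[int]
    payload: bytes = b""


class Nat:
    """Source NAT keyed on the outbound 5-tuple, like netfilter conntrack."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.inbound_map = {}   # (proto, ext_port, peer, peer_port) -> (inner_ip, inner_port)
        self.outbound_map = {}  # (proto, inner_ip, inner_port, peer, peer_port) -> ext_port

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound_map:
            if pkt.sport is None:
                # No port to rewrite: the only usable reverse key is (proto, peer),
                # so a second inner host talking ESP to the same peer is ambiguous
                # on the way back. Modelled as a hard failure (assumption).
                ext_port = None
            else:
                ext_port, self.next_port = self.next_port, self.next_port + 1
            ext_key = (pkt.proto, ext_port, pkt.dst, pkt.dport)
            if ext_key in self.inbound_map:
                raise ValueError(f"mapping collision for {ext_key}")
            self.outbound_map[key] = ext_port
            self.inbound_map[ext_key] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.outbound_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key not in self.inbound_map:
            return None  # no state for this reply: dropped, as a stateful firewall does
        inner_ip, inner_port = self.inbound_map[key]
        return replace(pkt, dst=inner_ip, dport=inner_port)


def send_out(pkt: Packet, nats: list) -> Packet:
    """Walk a packet outward through each NAT layer in turn."""
    for nat in nats:
        pkt = nat.outbound(pkt)
    return pkt


def send_back(pkt: Packet, nats: list) -> Optional[Packet]:
    """Walk a reply inward, outermost NAT first; drop if any layer lacks state."""
    for nat in reversed(nats):
        pkt = nat.inbound(pkt)
        if pkt is None:
            return None
    return pkt


def reply_to(pkt: Packet, payload: bytes = b"") -> Packet:
    """The peer's reply to a packet, addressed as the packet arrived at the peer."""
    return Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport, payload)


def nat_t_encapsulate(esp: Packet) -> Packet:
    """RFC 3948 s2.1: carry ESP inside UDP/4500 so the NAT has ports to track.
    An ESP SPI is never 0, so the receiver tells ESP from IKE (which on
    port 4500 starts with the four-byte zero Non-ESP Marker) by the first 4 bytes."""
    assert esp.proto == ESP
    return replace(esp, proto=UDP, sport=4500, dport=4500)


def nat_t_demux(payload: bytes) -> str:
    """Classify a UDP/4500 payload the way an IKE/IPsec stack does."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike"
    return "esp"


def demo() -> dict:
    home = Nat("10.0.0.2")      # home router, whose WAN side is itself behind...
    cgn = Nat("203.0.113.5")    # ...the ISP's carrier-grade NAT
    chain = [home, cgn]
    peer = "198.51.100.9"
    r = {}
    # TCP through both layers: mapped twice outward, unmapped twice on the reply.
    syn = send_out(Packet(TCP, "192.168.1.10", peer, 40000, 443), chain)
    ack = send_back(reply_to(syn), chain)
    r["tcp"] = (syn.src, syn.sport, ack.dst, ack.dport)
    # Plain ESP (constructed payload starting with the SPI): one host works...
    esp_a = Packet(ESP, "192.168.1.10", peer, None, None, b"\x00\x00\x12\x34")
    r["esp_first"] = send_back(reply_to(send_out(esp_a, chain)), chain).dst
    # ...a second host to the same peer has nothing to distinguish its replies.
    esp_b = Packet(ESP, "192.168.1.11", peer, None, None, b"\x00\x00\x56\x78")
    try:
        send_out(esp_b, chain)
        r["esp_second"] = "mapped"
    except ValueError:
        r["esp_second"] = "collision"
    # NAT-T: both hosts wrap ESP in UDP/4500 and get distinct mappings per layer.
    outs = [send_out(nat_t_encapsulate(p), chain) for p in (esp_a, esp_b)]
    backs = [send_back(reply_to(o, o.payload), chain) for o in outs]
    r["nat_t"] = [(o.sport, b.dst, nat_t_demux(b.payload)) for o, b in zip(outs, backs)]
    r["demux"] = [nat_t_demux(NON_ESP_MARKER + b"\x2a"), nat_t_demux(NAT_KEEPALIVE)]
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running it shows the TCP flow leaving as 203.0.113.5:1024 and the reply landing back on 192.168.1.10:40000, the second plain-ESP host colliding at the home router, and both NAT-T flows getting their own external ports (1025 and 1026 at each layer) so the replies demultiplex to the right host. The model does not cover AH, which additionally covers the IP header with its integrity check and so fails under any address rewrite regardless of encapsulation.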