If a client is behind a NAT firewall, the NAT device modifies its IP packets. As a result, the checksums of the IPsec packets are no longer correct. IPsec was not originally designed to work with NAT, so NAT-Traversal (NAT-T) extensions were developed to make IPsec work behind NAT devices. Both the clients and the VPN server have to support NAT-T. Linux 2.6 supports NAT-T out of the box, whereas racoon, at the time of writing, supports NAT-T only in tunnel mode. Openswan supports NAT-T in both tunnel and transport mode, which is why Openswan is the solution we are looking for.
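The checksum problem described above, as an added example that is not part of the original page: in ESP transport mode the UDP checksum travels encrypted and is computed over a pseudo-header containing the client's original source address, so a NAT device that rewrites the outer IP header cannot fix it up. All addresses, ports and the payload are constructed sample values.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, length: int) -> bytes:
    """IPv4 pseudo-header for UDP (protocol 17)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, length)

def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP segment the way the sending host does, before ESP encrypts it."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    # A computed checksum of 0 is transmitted as 0xFFFF (0 means "no checksum").
    csum = inet_checksum(pseudo_header(src, dst, length) + header + payload) or 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def udp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side check after ESP decryption, using the addresses it sees."""
    return inet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

# Constructed sample values (RFC 1918 / documentation ranges), not from the page.
CLIENT_PRIVATE = "192.168.1.10"   # address the client used when computing the checksum
NAT_PUBLIC = "203.0.113.5"        # source address the server sees after NAT
SERVER = "198.51.100.20"

# The segment is encrypted inside ESP, so the NAT device never touches these bytes.
SEGMENT = build_udp(CLIENT_PRIVATE, SERVER, 40000, 5000, b"constructed payload")

if __name__ == "__main__":
    print("verified with original source:", udp_checksum_ok(CLIENT_PRIVATE, SERVER, SEGMENT))
    print("verified with NATed source:   ", udp_checksum_ok(NAT_PUBLIC, SERVER, SEGMENT))
```

The first check passes and the second fails, which is the mismatch a transport-mode NAT-T implementation has to correct on the receiving side.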