tech-net archive


Re: reverse processing order: NAT, IPsec ?



On Fri, Jun 12, 2009 at 11:28:37AM +0200, Hubert Feyrer wrote:
> I'm in a situation where I want to set up a router to translate (NAT) a
> local network into a private network (assume both are /24), then send the
> traffic over an IPsec tunnel to a vpn-gw router (Netscreen VPN, not under
> my control):
>
>       local/24 =NAT=> private/24 ===tunnel===> vpn-gw
>
> I wonder how to get NAT & IPsec right here. With a "normal" DSL setup, I
> configure ipf.conf so that the NAT is done on the outgoing interface,
> i.e. pppoe0, but I'm not sure what interface to use here: pppoe0 is
> intended to send out IPsec traffic via the external network, as a
> consequence the external interface looks even more wrong; specifying the
> internal interface looks wrong as I'd expect translation to happen for
> inbound traffic then only.
>
> What is the general order of processing in this case? The NetBSD IPsec FAQ
> says that IPsec is applied first[1], but what I want is to do NAT first,
> then put the result through the IPsec mechanism.
>
> Does anyone have an idea how to achieve this?
>
> Note that the NAT is before the IPsec connection, so I'm pretty sure 
> NAT-T is not relevant here.

Could you use IPsec in transport mode and use a gif tunnel over that?
IIRC I read somewhere that this is functionally the same as IPsec tunnel
mode, and it would allow you to use NAT on the gif interface.

Hans
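The layout Hans suggests, written out as an added configuration example (this is not from the original thread and has not been tried against a Netscreen; all addresses are constructed, and `gif0`, `pppoe0` and the rc/ipnat/setkey file locations are assumptions). The idea is that NAT is attached to `gif0`, so translation happens before the gif(4) IP-in-IP encapsulation, and the resulting `ipencap` packets between the two public endpoints are then protected by IPsec in transport mode. That gives the "NAT first, then IPsec" ordering the original poster asked for, because from IPsec's point of view the only traffic it sees is the already-translated, already-encapsulated outer packet.

```conf
# --- constructed addresses used throughout this example ---
#   local/24    192.168.1.0/24   (hosts behind the NetBSD router)
#   private/24  10.0.1.0/24      (what the far side must see; router uses 10.0.1.1)
#   remote/24   10.0.2.0/24      (network behind the Netscreen, peer address 10.0.2.1)
#   our public  203.0.113.10     (address on pppoe0)
#   their public 198.51.100.20   (Netscreen VPN gateway)

# --- /etc/ifconfig.gif0 (assumed path; read by /etc/rc.d/network) ---
create
tunnel 203.0.113.10 198.51.100.20
inet 10.0.1.1 10.0.2.1 netmask 0xffffffff
!route add -net 10.0.2.0/24 10.0.2.1

# --- /etc/ipsec.conf (assumed path; loaded by setkey -f) ---
# Only the gif carrier traffic (IP-in-IP, protocol "ipencap") between the two
# public endpoints is required to be ESP-protected, in transport mode.
# SAs themselves are assumed to be negotiated by racoon with the Netscreen.
spdadd 203.0.113.10 198.51.100.20 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.20 203.0.113.10 ipencap -P in  ipsec esp/transport//require;

# --- /etc/ipnat.conf (assumed path) ---
# NAT is bound to gif0, not to pppoe0, so the inner packets are translated
# before encapsulation and before IPsec. Shown as many-to-one onto the
# router's private-side address; the poster's /24-to-/24 case would use
# ipnat's network-to-network map form instead (see ipnat.conf(5)).
map gif0 192.168.1.0/24 -> 10.0.1.1/32 portmap tcp/udp auto
map gif0 192.168.1.0/24 -> 10.0.1.1/32
```

To confirm the ordering on a running box: `tcpdump -ni gif0` should show only 10.0.1.1 talking to 10.0.2.0/24 (translated addresses, no 192.168.1.x leaking), while `tcpdump -ni pppoe0` should show only ESP between 203.0.113.10 and 198.51.100.20 and no cleartext `ipencap`. If the latter shows unprotected protocol-4 packets, the SPD entries did not match and the tunnel is running in the clear, which is the failure mode worth checking first.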



