19 Apr
2013
19 Apr
'13
12:59 a.m.
Hi,
IPIP can not traverse NAT because first of all it uses proto 4 (encap) and
not TCP or UDP, so contrack, which manages NAT traversal does not support
it.
In a NAT situation, incoming connections not triggered from the inside don't
get translated, since the NAT doesn't know the originator.
Being a stateless point to multipoint communication, you do not have a
"inside" originated connection for all connections. It is expected that NAT
knows where to forward a data packet by using information from the original
outgoing connection (established and related packets are sent to the
internal originating ip ), which is not the case for IPIP since incoming
data from another host (we have a mesh architecture) has no corresponding
outgoing connection.
On the other hand, in OpenVPN, if the server is located outside, all
connections are stateful and trackable by contrack, being a single IP
endpoint on port 1194 originated inside, so NAT traversal is as simple as
any connection originated locally.
Marius, YO2LOJ