1. Simple communication topology:
A Windows host is used as the gateway, with IPSec and NAT enabled on it at the same time so that it supports both private and public communication.
Note: there is no NAT between the IPSec gateway and the IPSec endpoint on Client1; if there were, it would be the second case, which is not what this article describes. This article is only a work note and does not represent any official statement.
2. Description of the phenomenon:
A. Enable NAT, disable IPSec:
Ping from 11.11.11.45 to 10.10.10.20: OK.
B. Enable the IPSec tunnel, disable NAT:
Ping from 11.11.11.45 to 10.10.10.20: OK.
C. Enable NAT and the IPSec tunnel together:
Ping from 11.11.11.45 to 10.10.10.20: fails.
When I received this bug report, I assumed the problem was in the customer's network, since both NAT and IPSec are very mature modules. However, the bug reproduced reliably, so I started a lot of source-code tracing and debugging.
3. Results:
After a lot of code analysis, this turned out to be a compatibility bug between the two modules.
Only ICMP packets are affected; TCP and UDP packets are not affected and can communicate normally. So, for Windows users: in the network environment above, if a client cannot ping across the gateway, that is not a network problem, and apart from ICMP the communication of other protocols is not affected.
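The conclusion above gives a practical triage rule: if ICMP is dropped but TCP and UDP still cross the gateway, the cause is this NAT+IPSec interaction rather than routing. The following PowerShell script is an added example (not part of the original note) that runs from a client on the public side such as 11.11.11.45 and probes a host behind the gateway such as 10.10.10.20 with all three protocols. The TCP port (445) and UDP port (53, assuming a DNS responder on the target) are assumptions; choose services the target actually runs.

```powershell
# Added triage script (not from the original note): probe one target with ICMP, TCP and
# UDP so the ICMP-only symptom can be told apart from a real reachability problem.
# Assumptions: run on a client on the public side of the gateway; the target answers on
# TCP $TcpPort and runs a DNS responder on UDP $UdpPort.
param(
    [string]$Target  = '10.10.10.20',
    [int]   $TcpPort = 445,
    [int]   $UdpPort = 53
)

function Test-IcmpPath {
    param([string]$Address)
    # Test-Connection sends ICMP echo requests; -Quiet returns only $true/$false.
    return [bool](Test-Connection -ComputerName $Address -Count 2 -Quiet -ErrorAction SilentlyContinue)
}

function Test-TcpPath {
    param([string]$Address, [int]$Port)
    # A completed TCP handshake proves the gateway forwards TCP, whatever happens to ICMP.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(3000)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-UdpPath {
    param([string]$Address, [int]$Port)
    # UDP has no handshake: send a minimal DNS query (assumed DNS responder on $Port) and
    # treat any datagram that comes back within 3 s as proof the UDP path works.
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = 3000
    try {
        # DNS query for the root name, type A, class IN:
        # header (ID 0x1234, RD=1, QDCOUNT=1) + root label + QTYPE + QCLASS = 17 bytes
        [byte[]]$query = 0x12,0x34,0x01,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x01
        [void]$udp.Send($query, $query.Length, $Address, $Port)
        $ep = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        [void]$udp.Receive([ref]$ep)
        return $true
    } catch { return $false } finally { $udp.Close() }
}

$result = [pscustomobject]@{
    Target = $Target
    ICMP   = Test-IcmpPath -Address $Target
    TCP    = Test-TcpPath  -Address $Target -Port $TcpPort
    UDP    = Test-UdpPath  -Address $Target -Port $UdpPort
}
$result | Format-Table -AutoSize

# Interpretation matching cases A-C of the phenomenon: ICMP down but TCP/UDP up is the
# NAT+IPSec symptom; everything down points at routing, the tunnel or NAT itself.
if (-not $result.ICMP -and ($result.TCP -or $result.UDP)) {
    Write-Warning "ICMP is dropped but TCP/UDP pass: matches the NAT+IPSec compatibility symptom, not a network outage."
} elseif (-not ($result.ICMP -or $result.TCP -or $result.UDP)) {
    Write-Warning "Nothing reaches $Target: check routing, the tunnel and NAT before blaming ICMP handling."
}
```

Run it once with only NAT enabled, once with only the tunnel, and once with both; only the third run should show ICMP false while TCP and UDP stay true.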
4. Brief reason:
The detailed reason involves the source code and is not elaborated here.
About Windows gateway IPSec and NAT compatibility issues