[Ipsec-tools-users] transport mode nat traversal

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hello,

I wish to use IPSEC in transport mode to encrypt traffic of one service
(this one can't do that himself) between two servers.
One is public (client) and the other is in private network behind a
gateway which is configured to do nat and firewall packets.
The idea is as soon as client application need talking with the server
side, kernel will ask racoon, by using setkey policy, to make
association with the computer behind the nat.

The gateway/nat/firewall redirect port 500 and 4500 (udp) to the server
private IP and the same for esp protocol.

I specify protocol and port to encrypt with setkey utility (spd rules)
and racoon daemon for generating keys and authentication role.

To be sure, I have tested it with virtual machine in the same network
(no gateway, nor nat) and it works well.
Here are spd rules from /etc/ipsec.conf for the client application :
spdadd 192.168.121.1[3308] 192.168.120.1[any] tcp
-P in ipsec
esp/transport/192.168.121.1-192.168.120.1/require;
spdadd 192.168.120.1[any] 192.168.121.1[3308] tcp
-P out ipsec
esp/transport/192.168.120.1-192.168.121.1/require;

And the correct one for the server side :
spdadd 192.168.120.1[any] 192.168.121.1[3308] tcp
-P in ipsec
esp/transport/192.168.120.1-192.168.121.1/require;
spdadd 192.168.121.1[3308] 192.168.120.1[any] tcp
-P out ipsec
esp/transport/192.168.121.1-192.168.120.1/require;

My question is : Does transport mode could work with nat traversal ?
If yes, how to configure racoon remote and ipsec spd rules ?

Best regards,