You simply have to open port 500 on the Linux box. Joel is
correct as well with the NAT issues. By the way, the Nortel client
supports Linux s/wan for branch-to-branch tunneling, so you could
tunnel from your Linux platform to the Contivity switch. You don't
need the client in that case.
Regards
Robert E Dolliver
Senior Technical Instructor
Nortel Networks
-----Original Message-----
From: Joel M Snyder [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 04, 2000 10:46 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: VPN software behind ipchains
>Does anyone know how to make the Nortel Extranet VPN software work
>from behind an ipchains Linux firewall? Is this doable or am I
>stuck? The software is based on IPSEC encryption.
I don't know what ipchains is, but it's probably doing NAT or PAT. It is inherent in the design of IPSEC that most post-IPSEC NAT (i.e., NAT-ing after the IPSEC operation) will break IPSEC. The one case which can work, possibly, is ESP in tunnel mode. However, almost all cases of post-IPSEC NAT break IKE, which means that you can't establish keys, so it doesn't matter if ESP will work. (You could, of course, do manual SPI/keys, but if so why bother with IPSEC---you might as well use something a lot less secure like PPTP, which doesn't care about NAT.) Changing IP address definitely breaks pre-shared secrets and will probably break certs, depending on how you are binding the certificate to the client and how secure (read: anal-retentive) your vendor is.

Short answer: you're stuck (assuming that what ipchains does is NAT). If ipchains does PAT, you're definitely stuck; nothing will work, period.
jms
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
[EMAIL PROTECTED] http://www.opus1.com/jms Opus One
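As an added illustration of the points made in this thread (not code from either poster or from Nortel), the Python model below shows the three effects at packet level: an AH integrity check covers the IP addresses, so rewriting the source address after IPsec breaks it; an ESP tunnel-mode integrity check covers only the ESP header and payload, so a plain address rewrite leaves it intact; PAT has no transport port to rewrite in an ESP (IP protocol 50) packet, while the IKE exchange on UDP 500 does have one; and a responder that selects its pre-shared key by the peer's source address no longer finds it once that address has changed. All addresses, keys and packet layouts are constructed and simplified (a real AH ICV covers every immutable header field, and real ESP/IKE carry more fields than shown here).

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo values; none of these are real keys or addresses from the thread.
DEMO_KEY = b"constructed-demo-key"
CLIENT_INSIDE = "10.0.0.5"       # client's real address behind the ipchains box
FIREWALL_OUTSIDE = "192.0.2.1"   # address the NAT rewrites the source to
GATEWAY = "203.0.113.9"          # the VPN gateway the client talks to

ESP, AH, TCP, UDP = 50, 51, 6, 17


def addr(a):
    return socket.inet_aton(a)


def outer_header(src, dst, proto):
    """Minimal 20-byte IPv4 header; checksum and mutable fields are left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0, addr(src), addr(dst))


def header_addrs(hdr):
    return socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]), hdr[9]


def nat_rewrite_src(pkt, new_src):
    """What a plain NAT does after IPsec has run: rewrite only the outer source address."""
    return pkt[:12] + addr(new_src) + pkt[16:]


# AH: the ICV covers the immutable IP header fields, addresses included (simplified here
# to addresses + payload).
def ah_packet(src, dst, payload):
    hdr = outer_header(src, dst, AH)
    icv = hmac.new(DEMO_KEY, hdr[12:20] + payload, hashlib.sha1).digest()[:12]
    return hdr + icv + payload


def ah_verify(pkt):
    hdr, icv, payload = pkt[:20], pkt[20:32], pkt[32:]
    expected = hmac.new(DEMO_KEY, hdr[12:20] + payload, hashlib.sha1).digest()[:12]
    return hmac.compare_digest(icv, expected)


# ESP tunnel mode: the ICV covers the ESP header and payload, not the outer IP header.
def esp_packet(src, dst, spi, seq, inner):
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(DEMO_KEY, esp_hdr + inner, hashlib.sha1).digest()[:12]
    return outer_header(src, dst, ESP) + esp_hdr + inner + icv


def esp_verify(pkt):
    body, icv = pkt[20:-12], pkt[-12:]
    expected = hmac.new(DEMO_KEY, body, hashlib.sha1).digest()[:12]
    return hmac.compare_digest(icv, expected)


# PAT multiplexes on a transport port; ESP and AH carry none.
def pat_port(pkt):
    """Return the L4 source port a PAT box would rewrite, or None if the protocol has no ports."""
    _, _, proto = header_addrs(pkt)
    if proto in (TCP, UDP):
        return struct.unpack("!H", pkt[20:22])[0]
    return None


# IKE with pre-shared keys: the responder picks the PSK by the peer's source address.
PSK_TABLE = {CLIENT_INSIDE: b"constructed-psk"}


def lookup_psk(pkt):
    src, _, _ = header_addrs(pkt)
    return PSK_TABLE.get(src)


def demo():
    """Run each check before and after a source-address rewrite; returns a dict of outcomes."""
    inner = b"inner packet"
    ah = ah_packet(CLIENT_INSIDE, GATEWAY, inner)
    esp = esp_packet(CLIENT_INSIDE, GATEWAY, spi=0x1001, seq=1, inner=inner)
    ike = outer_header(CLIENT_INSIDE, GATEWAY, UDP) + struct.pack("!HH", 500, 500)
    return {
        "ah_before_nat": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite_src(ah, FIREWALL_OUTSIDE)),
        "esp_before_nat": esp_verify(esp),
        "esp_after_nat": esp_verify(nat_rewrite_src(esp, FIREWALL_OUTSIDE)),
        "esp_pat_port": pat_port(esp),
        "ike_pat_port": pat_port(ike),
        "psk_before_nat": lookup_psk(ike) is not None,
        "psk_after_nat": lookup_psk(nat_rewrite_src(ike, FIREWALL_OUTSIDE)) is not None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model matches the thread's conclusions: an address rewrite breaks AH and an address-keyed PSK lookup but leaves ESP tunnel mode verifiable, and PAT has nothing to work with on ESP (hence "open port 500" is only half of it; the firewall also has to pass IP protocol 50 without translating it).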
