Robert,
FreeS/WAN works with the Nortel Contivity? That is great news. I have been
trying to get the switch to work with OpenBSD 2.6 with no luck. Do you have
any pointers to docs on how to make one or both work? Is there any more
technical Nortel documentation available? The docs that come with the switch
are pretty basic.
I have heard that Nortel will be releasing a client for Linux and Solaris. Can
you confirm or deny this? ;-)
I am the product manager for the Contivity at a "large company that makes
airplanes".
acs
On 04-Mar-00 Bob Dolliver wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> You simply have to open port 500 on the Linux box. Joel is
> correct as well with the NAT issues. By the way the Nortel client
> supports Linux s/wan for branch to branch tunneling, so you could
> tunnel from your Linux platform to the Contivity switch. You don't
> need the client in that case.
>
> Regards
> Robert E Dolliver
> Senior Technical Instructor
> Nortel Networks
>
>
> -----Original Message-----
> From: Joel M Snyder [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, March 04, 2000 10:46 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: VPN software behind ipchains
>
>
>>Does anyone know how to make the Nortel Extranet VPN software work
>>from behind an ipchains Linux firewall? Is this doable or am I
>>stuck? The software is based on IPSEC encryption.
>
> I don't know what ipchains is, but it's probably doing NAT or PAT.
>
> It is inherent in the design of IPSEC that most post-IPSEC NAT (i.e.,
> NAT-ing after the IPSEC operation) will break IPSEC. The one case which
> can work, possibly, is ESP in tunnel mode. However, almost all cases of
> post-IPSEC NAT break IKE, which means that you can't establish keys, so
> it doesn't matter if ESP will work. (you could, of course, do manual
> SPI/keys, but if so why bother with IPSEC---you might as well use
> something a lot less secure like PPTP, which doesn't care about NAT).
> Changing IP address definitely breaks pre-shared secrets and will
> probably break certs, depending on how you are binding the certificate
> to the client and how secure (read: anal-retentive) your vendor is.
>
> Short answer: you're stuck (assuming that what ipchains does is NAT). If
> ipchains does PAT, you're definitely stuck; nothing will work, period.
>
> jms
>
>
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
> [EMAIL PROTECTED] http://www.opus1.com/jms Opus One
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBOMFO79nLJI1E8BiVEQL/UwCgqCYVyq/hK9Qe0LGzzEeTefDUxF8AoL6z
> svKpBL5OQ3PON0hXyPzpv2eC
> =Ou+W
> -----END PGP SIGNATURE-----
_______________________
Aaron C. Springer
[EMAIL PROTECTED]
pgp key published
_______________________
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
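The mechanism Joel describes in the quoted reply above (an integrity check or IKE identity that covers the outer IP address is invalidated when a NAT rewrites that address, while ESP's check does not cover the outer header, and PAT has no transport port to multiplex on) is easy to see in a toy model. The following Python is an added example and is not code from any participant in the thread; the key, addresses, SPIs and payloads are constructed sample values, and the AH/ESP integrity constructions are simplified (they follow the shape of RFC 4302/4303, where AH covers the IP header and ESP does not, but are not wire-compatible).

```python
"""Toy model of why NAT applied after IPsec breaks it (added example, not from the thread).

All keys, addresses, SPIs and payloads below are constructed sample values.
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed; real SAs use IKE-negotiated keys
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
INSIDE, NAT_PUBLIC, GATEWAY = "192.168.1.10", "203.0.113.5", "198.51.100.1"


def ip_checksum(data: bytes) -> int:
    """Standard ones-complement IPv4 header checksum over an even-length header."""
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) + data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                                0x4000, ttl, proto, 0,
                                ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """1:1 NAT as a router does it: new source address, TTL-1, checksum recomputed."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def ah_icv(pkt: bytes) -> bytes:
    """AH-style ICV: mutable fields (TOS, TTL, checksum) zeroed, addresses still covered."""
    covered = bytearray(pkt)
    covered[1] = 0
    covered[8] = 0
    covered[10:12] = b"\x00\x00"
    return hmac.new(KEY, bytes(covered), hashlib.sha256).digest()[:12]


def esp_icv(pkt: bytes) -> bytes:
    """ESP-style ICV: covers only the ESP header and payload, never the outer IP header."""
    return hmac.new(KEY, pkt[20:], hashlib.sha256).digest()[:12]


def build(proto: int, payload: bytes) -> bytes:
    """Packet as the inside host sends it, before any NAT."""
    return ipv4_header(INSIDE, GATEWAY, proto, len(payload)) + payload


def ah_survives_nat() -> bool:
    """Sender computes the AH ICV, NAT rewrites the source, the gateway recomputes."""
    pkt = build(PROTO_AH, struct.pack("!BBHI", PROTO_TCP, 4, 0, 0x1001) + b"AH-protected data")
    sent_icv = ah_icv(pkt)
    return hmac.compare_digest(sent_icv, ah_icv(nat_rewrite_source(pkt, NAT_PUBLIC)))


def esp_survives_nat() -> bool:
    """Same flow with ESP: the outer header is not covered, so 1:1 NAT is tolerated."""
    pkt = build(PROTO_ESP, struct.pack("!II", 0x2002, 1) + b"constructed ciphertext")
    sent_icv = esp_icv(pkt)
    return hmac.compare_digest(sent_icv, esp_icv(nat_rewrite_source(pkt, NAT_PUBLIC)))


def pat_can_translate(proto: int) -> bool:
    """PAT multiplexes many hosts on one address via transport ports; ESP/AH carry none."""
    return proto in (PROTO_TCP, PROTO_UDP)


def psk_lookup(peers: dict, seen_src: str):
    """IKE main mode with pre-shared keys selects the key by peer address; NAT changes it."""
    return peers.get(seen_src)


if __name__ == "__main__":
    print("AH survives 1:1 NAT:  ", ah_survives_nat())
    print("ESP survives 1:1 NAT: ", esp_survives_nat())
    print("PAT can map ESP:      ", pat_can_translate(PROTO_ESP))
    print("PSK found after NAT:  ", psk_lookup({INSIDE: b"constructed-psk"}, NAT_PUBLIC))
```

Running it shows the three outcomes the thread states: the AH check fails once the source address changes, the ESP check still verifies (the "ESP in tunnel mode can possibly work" case), PAT has nothing to rewrite for protocol 50 or 51, and a pre-shared key bound to the inside address is not found when the gateway sees the NAT's public address instead.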