s/wan I think is the package for the older 2.0.x kernels. I'll try
searching my old bookmarks tonight or tomorrow when I get the other
machines up and find a link for something similar for the newer kernels.
Thanks,
Ron DuFresne
On Sat, 4 Mar 2000, Bob Dolliver wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> You simply have to open port 500 for on the Linux box. Joel is
> correct as well with the NAT issues. By the way the Nortel client
> supports Linux s/wan for branch to branch tunneling, so you could
> tunnel from your Linux platform to the Contivity switch. You don't
> need the client in that case.
>
> Regards
> Robert E Dolliver
> Senior Technical Instructor
> Nortel Networks
>
>
> - -----Original Message-----
> From: Joel M Snyder [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, March 04, 2000 10:46 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: VPN software behind ipchains
>
>
> >Does anyone know how to make the Nortel Extranet VPN software work
> >from behind an ipchains Linux firewall? Is this doable or am I
> >stuck? The software is based on IPSEC encryption.
>
> I don't know what ipchains is, but it's probably doing NAT or PAT.
>
> It is inherent in the design of IPSEC that most post-IPSEC NAT (i.e.,
> NAT-ing after the IPSEC operation) will break IPSEC. The one case which
> can work, possibly, is ESP in tunnel mode. However, almost all
> cases of post-IPSEC NAT break IKE, which means that you can't establish
> keys, so it doesn't matter if ESP will work. (you could, of course,
> do manual SPI/keys, but if so why bother with IPSEC---you might as
> well use something a lot less secure like PPTP, which doesn't care about
> NAT). Changing IP address definitely breaks pre-shared secrets and
> will probably break certs, depending on how you are binding the
> certificate to the client and how secure (read: anal-retentive) your
> vendor is.
>
> Short answer: you're stuck (assuming that what ipchains does is NAT). If
> ipchains does PAT, you're definitely stuck; nothing will work, period.
>
> jms
>
>
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
> [EMAIL PROTECTED] http://www.opus1.com/jms Opus One
>
> - -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBOMFO79nLJI1E8BiVEQL/UwCgqCYVyq/hK9Qe0LGzzEeTefDUxF8AoL6z
> svKpBL5OQ3PON0hXyPzpv2eC
> =Ou+W
> -----END PGP SIGNATURE-----
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
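
The NAT behaviour discussed in the quoted reply, as an added example that is not part of the original thread or any poster's code: a toy model (not a real IPsec stack) in which the ESP tunnel-mode integrity check survives a source-address rewrite while a pre-shared key looked up by peer address, as in IKEv1 main mode, no longer matches. The addresses, keys, SPI and function names are constructed for illustration.

```python
import hashlib, hmac, ipaddress, struct

AUTH_KEY = b"constructed-esp-auth-key"  # constructed sample key
# Assumption: the gateway selects the pre-shared key by the peer's IP address.
PSK_BY_PEER_IP = {"192.0.2.10": b"constructed-psk"}

def ip_checksum(hdr: bytes) -> int:
    """Ones' complement sum over a 20-byte IPv4 header."""
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """Minimal outer IPv4 header carrying protocol 50 (ESP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 50, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def esp_tunnel_packet(src: str, dst: str, spi: int, seq: int, inner: bytes) -> bytes:
    """`inner` stands in for the encrypted inner IP packet."""
    esp = struct.pack("!II", spi, seq) + inner
    icv = hmac.new(AUTH_KEY, esp, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96
    return ipv4_header(src, dst, len(esp) + 12) + esp + icv

def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a NAT box does: new outer source address, new header checksum."""
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return ipv4_header(new_src, dst, len(packet) - 20) + packet[20:]

def esp_icv_valid(packet: bytes) -> bool:
    """The ESP ICV covers SPI, sequence number and payload, not the outer header."""
    esp, icv = packet[20:-12], packet[-12:]
    expected = hmac.new(AUTH_KEY, esp, hashlib.sha1).digest()[:12]
    return hmac.compare_digest(expected, icv)

def psk_for_peer(packet: bytes):
    """Key lookup by the source address the gateway actually sees."""
    return PSK_BY_PEER_IP.get(str(ipaddress.IPv4Address(packet[12:16])))

if __name__ == "__main__":
    pkt = esp_tunnel_packet("192.0.2.10", "198.51.100.1", 0x1000, 1, b"constructed inner packet")
    natted = nat_rewrite_source(pkt, "203.0.113.7")
    print("ESP ICV valid after NAT:", esp_icv_valid(natted))
    print("PSK found after NAT:", psk_for_peer(natted) is not None)
```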