Hi Eric,

Here are two main points about IP/Sec, which is the problem you are having.

* IP/Sec can be configured in two methods, Endpoint and Tunnel.
* The IP address of the encrypting computer is used in the encryption algorithm. (So it cannot be modified.)

I believe that most people who are using ipsec.lrp are using it as a tunnel between two LRP boxes. This allows all traffic flowing between two segments, separated by the Internet, to be encrypted. In this case, both computers have non-translated (non-masq'ed), public addresses, but the computers on the segment can have translated addresses, since they are doing the encryption.

The other method of using IP/Sec is endpoints. If your LAN is not using a tunnel to create a secure connection, then an individual host can; but that host must have a public, non-translated address, as that would invalidate the encryption. In your case, that is why your system works when plugged in directly, but not when translated.

Your department was correct about the ports, but that would only apply if you were using a non-translating firewall. Most home users are not using these, but some corporate LANs are.

I hope that helps, and if anybody has *first hand* knowledge that disagrees with this, please let me know. I teach security courses, and this has been true to the extent of my testing, but I haven't tried this with LRP or DCD.

Cheers
edt

----- Original Message -----
From: "Eric Friedman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 11, 2002 11:23 PM
Subject: [Leaf-user] Connecting to my company's Win2k server via VPN with L2TP/IPsec

> First, let me apologize if I get any (or all!) of the technical jargon here confused, backwards, or just plain wrong.
>
> Second, let me describe my situation. I am using a Pentium 133 MHz with 16MB RAM to run Dachstein 1.0.2 to share my internet connection among the numerous computers in my house. The router runs a DHCP server for the computers on my internal network and runs a DHCP client to connect with my ISP, but this is just for convenience as my ISP provides me with a static IP. The computers (Win98, Win2k, and WinXP) on my internal network all work flawlessly through the router for "normal" internet access.
>
> My company provides access to its network over the Internet in the form of a VPN (operated by a Windows 2000 Server, I believe). I connect to this VPN using Windows 2000 Professional. All worked fine connecting to the VPN through my home router until my company began using L2TP/IPsec for the VPN connections. Now, I get no response from the company VPN server when trying to connect. (Note, however, that I *can* connect just fine when my computer is connected directly to my ISP, i.e. without the interference of my LRP box. So my sense is that there are no configuration problems on the client computer, but rather something wrong with my LRP configuration.)
>
> Third, I know very little about Linux -- largely because I lack experience -- but I was wondering if someone might point me in the right direction on this problem. As an additional bit of information, a guy in the IS department informed me that UDP ports 500 and 1701 would be involved in the solution, but I am not certain how to act on this information in configuring my router.
>
> I have begun to look at the ipsec.lrp package available for Dachstein, but I have not been able to use it to solve my problems. I do not know, however, if this is a fault in my configuration of the package or if the package does not support Level 2 Tunneling (L2TP).
>
> If anyone has some experience in a similar situation or would be willing to help a poor old guy trying to get his LRP box to work again, I would much appreciate it.
>
> Thanks,
> Eric Friedman
>
> P.S. Please note as well that while I am currently running Dachstein off of a single floppy, I also have access to a CD or additional floppy drive that I could install in the router box. So do not worry about offering solutions that may require more space than is available on a single floppy: I just want something that will work.
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
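The three situations edt describes (a host behind a masquerading router, the same host plugged in directly, and a gateway-to-gateway tunnel), modelled as an added example that is not part of the original thread. The key and the addresses are constructed, and the integrity check is reduced to the address fields plus payload so the effect of address rewriting is visible.

```python
# Added example (not from the original thread): toy model of an integrity
# check that covers the source address, and what masquerading does to it.
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"  # constructed shared secret, not a real SA key


def icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Integrity check value over source/destination address plus payload,
    truncated to 96 bits (the usual HMAC truncation for AH)."""
    hdr = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return hmac.new(key, hdr + payload, hashlib.sha256).digest()[:12]


def protect(key: bytes, src: str, dst: str, payload: bytes) -> dict:
    """The encrypting host (or gateway) stamps the packet with its own address."""
    return {"src": src, "dst": dst, "payload": payload, "icv": icv(key, src, dst, payload)}


def masquerade(pkt: dict, public_ip: str) -> dict:
    """A masquerading router rewrites the private source address; it cannot
    recompute the ICV because it does not hold the key."""
    return {**pkt, "src": public_ip}


def verify(key: bytes, pkt: dict) -> bool:
    """Receiver recomputes the ICV over the packet as it arrived."""
    return hmac.compare_digest(icv(key, pkt["src"], pkt["dst"], pkt["payload"]), pkt["icv"])


def endpoint_behind_nat(key: bytes) -> bool:
    """Eric's case: a private-address host encrypts, the LRP box masquerades."""
    pkt = protect(key, "192.168.1.10", "203.0.113.5", b"L2TP control")
    return verify(key, masquerade(pkt, "198.51.100.7"))


def endpoint_direct(key: bytes) -> bool:
    """Same host plugged directly into the ISP with its public address."""
    pkt = protect(key, "198.51.100.7", "203.0.113.5", b"L2TP control")
    return verify(key, pkt)


def gateway_tunnel(key: bytes) -> bool:
    """Tunnel between two LRP boxes: the router with the public address does the
    encryption, so the private inner addresses are just opaque payload."""
    inner = b"192.168.1.10 -> 10.0.0.20: inner packet"  # constructed inner packet
    pkt = protect(key, "198.51.100.7", "203.0.113.5", inner)
    return verify(key, pkt)
```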
