Aha, I stand corrected.
SSH Sentinel and other IPSec clients for Windows claim to have
NAT traversal working, as does the company that supplies
IPSec to Cisco.

At this time however, I believe NAT traversal is experimental or
in development at FreeSWAN.

I'll try to keep current.  Thanks.





"Eric B Kiser" <[EMAIL PROTECTED]> on 06/21/2002 03:12:27 PM

To:   Phillip Watts/austin/Nlynx@Nlynx
cc:

Subject:  RE: [leaf-user] Double Private Network / FreeS/WAN problem



Whoa there,

I am running a NAT'd client that connects via IPsec through my Bering
Firewall every day.

NT4.0 box w/IPsec clnt >> Bering doin NAT >> Internet >>IPsec Server

If you are running a short-term connection (establish tunnel, check mail, tear
down tunnel) you do not even need to modify Shorewall. For maintaining IPsec
tunnels of longer duration Tom Eastep recommended adding these rules.

ACCEPT net loc:<local endpoint ip> udp 500 - all
ACCEPT net loc:<local endpoint ip> 50  -   - all

The problem that I am aware of is establishing more than one tunnel through
the NAT'd connection.

Regards,
Eric



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, June 21, 2002 1:41 PM
To: Jonathan French
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Double Private Network / FreeS/WAN problem




Without looking at this in any depth, it appears you are trying to
do IPsec from behind a NAT router and I don't believe that will work.
Why will Charter not hand out a public address?
Maybe you should inquire.  Then you'd have to, if I'm right, not do NAT
on the D-Link.

IPSec is, of course, they say, and are working on it,
NATable, but it is really designed
as a point-to-point tunnel, with subnets behind the endpoints.





Jonathan French <[EMAIL PROTECTED]> on 06/21/2002 12:13:50 PM

To:   [EMAIL PROTECTED]
cc:    (bcc: Phillip Watts/austin/Nlynx)

Subject:  [leaf-user] Double Private Network / FreeS/WAN problem




Howdy,

I've been setting up a VPN.  One of my clients has a Charter Pipeline
internet connection at home, and wants to communicate with the LEAF box
at his work via FreeS/WAN.  I got him a D-Link firewall box to stick
between his cable modem and his computer as an added layer of security.
Then I had him do a traceroute to www.yahoo.com so I could get his
"nexthop" information to configure /etc/ipsec.conf.  From this file, I
noted:

1  192.168.0.1 {d-link box}
2  10.d.e.f    {Charter Pipeline gateway saving IPs!}
3  24.205.g.h  {a real IP that can be pinged from the outside world}
4  {and so forth to www.yahoo.com}

So his network looks like:

192.168.0.115 {internal machine address}
                 |
                 |
192.168.0.1 {d-link internal address}
10.a.b.c    {d-link external address}
                 |
                 |
10.d.e.f    {Charter cable internal gateway}
24.205.g.h  {Charter cable external gateway - pingable from outside}


Charter Pipeline is apparently saving money by using IP masquerading
themselves.  This leaves me with a problem defining "right /
rightnexthop / rightsubnet" in /etc/ipsec.conf.  Any ideas?

Thanks,
Jon
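
The hop classification Jon did by hand (a 192.168 first hop, a 10/8 ISP gateway, then the first public address) can be automated to tell single NAT from double NAT. This is an added example, not code from the list or from FreeS/WAN; it assumes traceroute-style text where each answering hop line carries an IPv4 address, and the sample hops and addresses below are constructed.

```python
import ipaddress
import re

# Blocks whose presence on the path marks a NAT boundary: RFC 1918 private
# space plus the RFC 6598 shared block ISPs use for carrier-grade NAT.
NAT_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed sample shaped like the thread's hop list: D-Link at 192.168.0.1,
# a 10/8 ISP gateway, then public hops (RFC 5737 documentation addresses).
SAMPLE_TRACEROUTE = """\
 1  192.168.0.1    0.412 ms  0.388 ms  0.371 ms
 2  10.0.0.1       8.120 ms  7.981 ms  8.003 ms
 3  203.0.113.5   12.551 ms 12.490 ms 12.618 ms
 4  * * *
 5  198.51.100.9  30.102 ms 29.887 ms 30.004 ms
"""

# Hop number, then the first dotted quad anywhere on the line (works for both
# "1  addr  times" and Windows "1  times  addr" layouts).
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?(\d{1,3}(?:\.\d{1,3}){3})")

def parse_hops(text):
    """Return [(hop_number, IPv4Address)] for hops that answered; '* * *' lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        try:
            hops.append((int(m.group(1)), ipaddress.ip_address(m.group(2))))
        except ValueError:  # malformed quad such as 999.1.1.1
            continue
    return hops

def is_nat_address(addr):
    return any(addr in net for net in NAT_NETWORKS)

def diagnose(text):
    """Count the leading run of NAT-range hops (one per NAT layer) and report the
    first public hop, i.e. the source address a remote IPsec peer will see.
    A silent hop ('* * *') is skipped, so a NAT layer that never answers is undercounted."""
    layers, first_public = 0, None
    for _, addr in parse_hops(text):
        if is_nat_address(addr):
            layers += 1
        else:
            first_public = str(addr)
            break
    return {"nat_layers": layers, "double_nat": layers >= 2, "first_public_hop": first_public}

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACEROUTE))  # {'nat_layers': 2, 'double_nat': True, 'first_public_hop': '203.0.113.5'}
```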


-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html