Hm, just for reference, my original problem was a machine behind a
masquerading firewall which was behind another masquerading firewall
(Charter cable).  Would NAT traversal work with that?
        Thanks, 
        Jon

[EMAIL PROTECTED] wrote:
> 
> Aha,  I stand corrected.
> SSH Sentinel and other IPSec clients for  Windows claim to have
> NAT traversal working, also the company that supplies
> IPSec to Cisco.
> 
> At this time however, I believe NAT traversal is experimental or
> in development at FreeSWAN.
> 
> I'll try to keep current.   Thanx.
> 
> "Eric B Kiser" <[EMAIL PROTECTED]> on 06/21/2002 03:12:27 PM
> 
> To:   Phillip Watts/austin/Nlynx@Nlynx
> cc:
> 
> Subject:  RE: [leaf-user] Double Private Network / FreeS/WAN problem
> 
> Whoa there,
> 
> I am running a NAT'd client that connects via IPsec through my Bering
> Firewall everyday.
> 
> NT4.0 box w/IPsec clnt >> Bering doin NAT >> Internet >>IPsec Server
> 
> If you are running short term connection (establish tunnel, check mail, tear
> down tunnel) you do not even need to modify shorewall. For maintaining IPsec
> tunnels of longer duration Tom Eastep recommended adding these rules.
> 
> ACCEPT net loc:<local endpoint ip> udp 500 - all
> ACCEPT net loc:<local endpoint ip> 50  -   - all
> 
> The problem that I am aware of is establishing more than one tunnel through
> the NAT'd connection.
> 
> Regards,
> Eric
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, June 21, 2002 1:41 PM
> To: Jonathan French
> Cc: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] Double Private Network / FreeS/WAN problem
> 
> Without looking at this in any depth, it appears you are trying to
> ipsec from behind a NAT router and I don't believe that will work.
> Why will Charter not hand out a public address ?
> Maybe you should inquire.  Then you'd have to, if I'm right, not do NAT
> on the Dlink.
> 
> IPSec is, of course, they say, and are working on it,
> NATable, but it is really designed
> as a point to point tunnel, with subnets behind the endpoints.
> 
> Jonathan French <[EMAIL PROTECTED]> on 06/21/2002 12:13:50 PM
> 
> To:   [EMAIL PROTECTED]
> cc:    (bcc: Phillip Watts/austin/Nlynx)
> 
> Subject:  [leaf-user] Double Private Network / FreeS/WAN problem
> 
> Howdy,
> 
> I've been setting up a VPN.  One of my clients has a Charter Pipeline
> internet connection at home, and wants to communicate with the LEAF box
> at his work via FreeS/WAN.  I got him a D-Link firewall box to stick
> between his cable modem and his computer as an added layer of security.
> Then I had him do a traceroute to www.yahoo.com so I could get his
> "nexthop" information to configure /etc/ipsec.conf.  From this file, I
> noted:
> 
> 1  192.168.0.1 {d-link box}
> 2  10.d.e.f    {Charter Pipeline gateway saving IP's!}
> 3  24.205.g.h  {a real IP that can be pinged from the outside world}
> 4  {and so forth to www.yahoo.com}
> 
> So his network looks like:
> 
> 192.168.0.115 {internal machine address}
>                  |
>                  |
> 192.168.0.1 {d-link internal address}
> 10.a.b.c    {d-link external address}
>                  |
>                  |
> 10.d.e.f    {Charter cable internal gateway}
> 24.205.g.h  {Charter cable external gateway - pingable from outside}
> 
> Charter Pipeline is apparently saving money by using IP masquerading
> themselves.  This leaves me with a problem defining "right /
> rightnexthop / rightsubnet" in /etc/ipsec.conf.  Any ideas?
> 
> Thanks,
> Jon
> 
> -------------------------------------------------------
> Sponsored by:
> ThinkGeek at http://www.ThinkGeek.com/
> ------------------------------------------------------------------------
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


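A small diagnostic for the double-masquerading situation Jon describes, added here as an example and not code from the thread or the LEAF project: it parses traceroute output (a constructed sample modelled on the hops in his post, with made-up octets in place of d.e.f / g.h) and counts the RFC 1918 hops in front of the first public address, which is how many NAT layers the IPsec client is sitting behind.

```python
import ipaddress
import re

# Constructed traceroute output modelled on the hops in the thread; the
# 10.x / 24.205.x octets and the final address are made-up values.
SAMPLE_TRACEROUTE = """\
traceroute to www.yahoo.com (66.94.234.13), 30 hops max, 38 byte packets
 1  192.168.0.1 (192.168.0.1)  1.2 ms  0.9 ms  0.8 ms
 2  10.20.30.1 (10.20.30.1)  9.1 ms  8.7 ms  9.4 ms
 3  24.205.40.1 (24.205.40.1)  12.3 ms  11.8 ms  12.0 ms
 4  * * *
 5  66.94.234.13 (66.94.234.13)  40.1 ms  39.8 ms  40.3 ms
"""

# Hop number, optional hostname, then the address with or without parentheses,
# so both "host (1.2.3.4)" lines and traceroute -n "1.2.3.4" lines match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+)?\(?(\d{1,3}(?:\.\d{1,3}){3})\)?")

def parse_hops(text):
    """Return [(hop_number, IPv4Address or None)]; None marks '* * *' hops."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), ipaddress.ip_address(m.group(2))))
        elif line.strip()[:1].isdigit():      # timed-out hop, no address
            hops.append((int(line.split()[0]), None))
    return hops

def nat_layers(hops):
    """Count RFC 1918 hops before the first public hop. Each such gateway has
    to translate the addresses behind it, so 2 or more means a double NAT."""
    private = 0
    for _, ip in hops:
        if ip is None:
            continue                          # unknown hop, cannot classify
        if ip.is_private:
            private += 1
        else:
            return private, ip                # first hop on a routable address
    return private, None

def diagnose(text):
    """Summarise how the host reaches the Internet from its traceroute."""
    layers, first_public = nat_layers(parse_hops(text))
    verdict = {0: "public address on the host", 1: "single NAT"}.get(
        layers, "double NAT: the host's router sits behind an ISP masquerading gateway")
    return {"private_hops": layers,
            "first_public_hop": str(first_public) if first_public else None,
            "verdict": verdict}
```

Run it against real traceroute output by passing the captured text to diagnose(); the 10.x hop right after the local router is the tell-tale of the ISP-side masquerading the thread is about.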