Hm, just for reference, my original problem was a machine behind a masquerading firewall which was behind another masquerading firewall (Charter cable). Would NAT traversal work with that?

Thanks,
Jon
[EMAIL PROTECTED] wrote:
>
> Aha, I stand corrected.
> SSH Sentinel and other IPSec clients for Windows claim to have
> NAT traversal working, also the company that supplies
> IPSec to Cisco.
>
> At this time however, I believe NAT traversal is experimental or
> in development at FreeSWAN.
>
> I'll try to keep current. Thanx.
>
> "Eric B Kiser" <[EMAIL PROTECTED]> on 06/21/2002 03:12:27 PM
>
> To: Phillip Watts/austin/Nlynx@Nlynx
> cc:
>
> Subject: RE: [leaf-user] Double Private Network / FreeS/WAN problem
>
> Whoa there,
>
> I am running a NAT'd client that connects via IPsec through my Bering
> Firewall every day.
>
> NT4.0 box w/IPsec clnt >> Bering doin NAT >> Internet >> IPsec Server
>
> If you are running short term connection (establish tunnel, check mail, tear
> down tunnel) you do not even need to modify shorewall. For maintaining IPsec
> tunnels of longer duration Tom Eastep recommended adding these rules.
>
> ACCEPT net loc:<local endpoint ip> udp 500 - all
> ACCEPT net loc:<local endpoint ip> 50 - - all
>
> The problem that I am aware of is establishing more than one tunnel through
> the NAT'd connection.
>
> Regards,
> Eric
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, June 21, 2002 1:41 PM
> To: Jonathan French
> Cc: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] Double Private Network / FreeS/WAN problem
>
> Without looking at this in any depth, it appears you are trying to
> ipsec from behind a NAT router and I don't believe that will work.
> Why will Charter not hand out a public address?
> Maybe you should inquire. Then you'd have to, if I'm right, not do nat
> on the Dlink.
>
> IPSec is, of course, they say, and are working on it,
> NATable, but it is really designed
> as a point to point tunnel, with subnets behind the endpoints.
>
> Jonathan French <[EMAIL PROTECTED]> on 06/21/2002 12:13:50 PM
>
> To: [EMAIL PROTECTED]
> cc: (bcc: Phillip Watts/austin/Nlynx)
>
> Subject: [leaf-user] Double Private Network / FreeS/WAN problem
>
> Howdy,
>
> I've been setting up a VPN. One of my clients has a Charter Pipeline
> internet connection at home, and wants to communicate with the LEAF box
> at his work via FreeS/WAN. I got him a D-Link firewall box to stick
> between his cable modem and his computer as an added layer of security.
> Then I had him do a traceroute to www.yahoo.com so I could get his
> "nexthop" information to configure /etc/ipsec.conf. From this file, I
> noted:
>
>  1  192.168.0.1  {d-link box}
>  2  10.d.e.f     {Charter Pipeline gateway saving IP's!}
>  3  24.205.g.h   {a real IP that can be pinged from the outside world}
>  4  {and so forth to www.yahoo.com}
>
> So his network looks like:
>
>   192.168.0.115  {internal machine address}
>        |
>        |
>   192.168.0.1    {d-link internal address}
>   10.a.b.c       {d-link external address}
>        |
>        |
>   10.d.e.f       {Charter cable internal gateway}
>   24.205.g.h     {Charter cable external gateway - pingable from outside}
>
> Charter Pipeline is apparently saving money by using IP masquerading
> themselves. This leaves me with a problem defining "right /
> rightnexthop / rightsubnet" in /etc/ipsec.conf. Any ideas?
>
> Thanks,
> Jon
>
> -------------------------------------------------------
> Sponsored by:
> ThinkGeek at http://www.ThinkGeek.com/
> ------------------------------------------------------------------------
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
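The traceroute Jon quotes is the diagnostic the whole thread turns on: a private-range hop (his 10.d.e.f Charter gateway) sitting between the client's own router and the first public address means a second masquerading layer. The script below is an added example, not code from this thread, from LEAF or from FreeS/WAN. It parses traceroute output, counts the private hops seen before the first public address and reports how many NAT layers that implies. The sample traceroute is constructed to mirror Jon's (the masked octets are made up), the function names are my own, and the inclusion of 100.64.0.0/10 goes beyond the thread: that is the RFC 6598 shared address space ISPs use for carrier-grade NAT today, the modern counterpart of Charter's 10.x gateway.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the traceroute quoted in the thread.
# The masked octets (d.e.f, g.h) are filled with made-up values so it parses.
SAMPLE_TRACEROUTE = """\
traceroute to www.yahoo.com (66.94.234.13), 30 hops max, 38 byte packets
 1  192.168.0.1 (192.168.0.1)  1.2 ms  0.9 ms  0.8 ms
 2  10.1.2.3 (10.1.2.3)  9.1 ms  8.7 ms  9.4 ms
 3  24.205.4.5 (24.205.4.5)  11.3 ms  10.9 ms  11.0 ms
 4  * * *
 5  66.94.234.13 (66.94.234.13)  45.2 ms  44.8 ms  45.1 ms
"""

# RFC 1918 ranges plus RFC 6598 shared address space (carrier-grade NAT).
# Listed explicitly rather than relying on ipaddress.is_private, whose
# treatment of 100.64.0.0/10 differs between Python versions.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
]

# hop number, then either "host (1.2.3.4)" or a bare address or "*"
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\(([\d.]+)\))?")

Hop = Tuple[int, Optional[ipaddress.IPv4Address]]


def is_private(ip: ipaddress.IPv4Address) -> bool:
    """True if the address falls in a private or shared (CGNAT) range."""
    return any(ip in net for net in PRIVATE_NETS)


def parse_traceroute(text: str) -> List[Hop]:
    """Return (hop_number, address-or-None) for each hop line.

    Header lines are skipped. A hop that timed out ("* * *") or that shows a
    hostname without an address in parentheses yields None.
    """
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        candidate = m.group(3) or m.group(2)
        try:
            ip: Optional[ipaddress.IPv4Address] = ipaddress.IPv4Address(candidate)
        except ipaddress.AddressValueError:
            ip = None
        hops.append((int(m.group(1)), ip))
    return hops


def count_nat_layers(hops: List[Hop]) -> int:
    """Count private hops seen before the first public hop.

    Each private hop is a router whose near-side interface is in private
    space, i.e. a candidate masquerading layer between the host and the
    Internet. Unanswered hops are skipped rather than counted. A routed
    (non-NATting) private hop would inflate the count, so treat the result
    as an upper bound to confirm against the far end's logs.
    """
    layers = 0
    for _, ip in hops:
        if ip is None:
            continue
        if is_private(ip):
            layers += 1
        else:
            break
    return layers


def diagnose(text: str) -> dict:
    """Parse a traceroute and summarise the NAT situation it reveals."""
    hops = parse_traceroute(text)
    layers = count_nat_layers(hops)
    first_public = next(
        (str(ip) for _, ip in hops if ip is not None and not is_private(ip)), None
    )
    if layers == 0:
        verdict = "host has a public address; plain IPsec endpoint config applies"
    elif layers == 1:
        verdict = "one NAT layer (own router); NAT traversal needed at both ends"
    else:
        verdict = (
            f"{layers} NAT layers (own router plus ISP masquerading); "
            "NAT traversal needed and the host's own address cannot be the peer address"
        )
    return {"nat_layers": layers, "first_public_hop": first_public, "verdict": verdict}


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_TRACEROUTE).items():
        print(f"{key}: {value}")
```

Two caveats when reading the output. The first public hop is a router interface that answered traceroute, not necessarily the source address the remote IPsec gateway will see for the initiator; the authoritative value is the peer address recorded in the server's IKE log once a connection attempt arrives. And the count is only as good as the hops that answer: a NAT that drops or does not decrement TTL for ICMP-expired replies shows up as `* * *` and is skipped, so a double NAT can still be under-reported.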