Don't know, never done it.  Don't know how NAT traversal works.
The concept that IPSec would not work thru NAT has never made
sense to me.
But I would think if it will work thru one upstream NAT router
it would work thru two.

Sorry, NAT traversal has not been an issue for me up to this
point, so I just haven't spent any time on it.
Jonathan French <[EMAIL PROTECTED]> on 06/21/2002 06:08:37 PM

To:   Phillip Watts/austin/Nlynx@Nlynx
cc:   Eric B Kiser <[EMAIL PROTECTED]>, [EMAIL PROTECTED]

Subject:  Re: [leaf-user] Double Private Network / FreeS/WAN problem
Hm, just for reference, my original problem was a machine behind a
masquerading firewall which was behind another masquerading firewall
(Charter cable).  Would NAT traversal work with that?
     Thanks,
     Jon

[EMAIL PROTECTED] wrote:
>
> Aha,  I stand corrected.
> SSH Sentinel and other IPSec clients for  Windows claim to have
> NAT traversal working, also the company that supplies
> IPSec to Cisco.
>
> At this time however, I believe NAT traversal is experimental or
> in development at FreeSWAN.
>
> I'll try to keep current.   Thanx.
>
> "Eric B Kiser" <[EMAIL PROTECTED]> on 06/21/2002 03:12:27 PM
>
> To:   Phillip Watts/austin/Nlynx@Nlynx
> cc:
>
> Subject:  RE: [leaf-user] Double Private Network / FreeS/WAN problem
>
> Whoa there,
>
> I am running a NAT'd client that connects via IPsec through my Bering
> Firewall everyday.
>
> NT4.0 box w/IPsec clnt >> Bering doin NAT >> Internet >>IPsec Server
>
> If you are running a short-term connection (establish tunnel, check mail, tear
> down tunnel) you do not even need to modify shorewall. For maintaining IPsec
> tunnels of longer duration Tom Eastep recommended adding these rules.
>
> ACCEPT net loc:<local endpoint ip> udp 500 - all
> ACCEPT net loc:<local endpoint ip> 50  -   - all
>
> The problem that I am aware of is establishing more than one tunnel through
> the NAT'd connection.
>
> Regards,
> Eric
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, June 21, 2002 1:41 PM
> To: Jonathan French
> Cc: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] Double Private Network / FreeS/WAN problem
>
> Without looking at this in any depth, it appears you are trying to
> ipsec from behind a NAT router and I don't believe that will work.
> Why will Charter not hand out a public address ?
> Maybe you should inquire.  Then you'd have to, if I'm right, not do NAT
> on the Dlink.
>
> IPSec is, of course, they say, and are working on it,
> NATable, but it is really designed
> as a point-to-point tunnel, with subnets behind the endpoints.
>
> Jonathan French <[EMAIL PROTECTED]> on 06/21/2002 12:13:50 PM
>
> To:   [EMAIL PROTECTED]
> cc:    (bcc: Phillip Watts/austin/Nlynx)
>
> Subject:  [leaf-user] Double Private Network / FreeS/WAN problem
>
> Howdy,
>
> I've been setting up a VPN.  One of my clients has a Charter Pipeline
> internet connection at home, and wants to communicate with the LEAF box
> at his work via FreeS/WAN.  I got him a D-Link firewall box to stick
> between his cable modem and his computer as an added layer of security.
> Then I had him do a traceroute to www.yahoo.com so I could get his
> "nexthop" information to configure /etc/ipsec.conf.  From this file, I
> noted:
>
> 1  192.168.0.1 {d-link box}
> 2  10.d.e.f    {Charter Pipeline gateway saving IP's!}
> 3  24.205.g.h  {a real IP that can be pinged from the outside world}
> 4  {and so forth to www.yahoo.com}
>
> So his network looks like:
>
> 192.168.0.115 {internal machine address}
>                  |
>                  |
> 192.168.0.1 {d-link internal address}
> 10.a.b.c    {d-link external address}
>                  |
>                  |
> 10.d.e.f    {Charter cable internal gateway}
> 24.205.g.h  {Charter cable external gateway - pingable from outside}
>
> Charter Pipeline is apparently saving money by using IP masquerading
> themselves.  This leaves me with a problem defining "right /
> rightnexthop / rightsubnet" in /etc/ipsec.conf.  Any ideas?
>
> Thanks,
> Jon
>
> -------------------------------------------------------
> Sponsored by:
> ThinkGeek at http://www.ThinkGeek.com/
> ------------------------------------------------------------------------
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
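As an added example, not code from this thread or from FreeS/WAN or LEAF: a small Python script that parses traceroute output in the shape Jon posted and counts the RFC 1918 hops before the first public address, which is how you tell a double-masqueraded path (two NAT layers, as behind the D-Link plus Charter's gateway) from a single one, and which address the IPsec peer will actually see. The sample traceroute is constructed; the thread only shows 10.d.e.f and 24.205.g.h, so those octets and the final hop are placeholders, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample in the shape of Jon's traceroute; the thread only
# shows 10.d.e.f and 24.205.g.h, so these octets and hop 5 are placeholders.
SAMPLE_TRACEROUTE = """\
 1  192.168.0.1  1.2 ms  1.1 ms  1.3 ms
 2  10.20.30.40  9.8 ms  9.7 ms  10.1 ms
 3  24.205.0.1  15.0 ms  14.8 ms  15.2 ms
 4  * * *
 5  203.0.113.10  40.3 ms  41.0 ms  40.9 ms
"""

# RFC 1918 ranges: a hop in one of these is a masquerading gateway, not an
# address the IPsec peer on the Internet can ever see or route to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\b")

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def parse_hops(text):
    """[(hop_number, IPv4Address)] for hops that answered; '* * *' skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), ipaddress.ip_address(m.group(2))))
    return hops

def diagnose(text):
    """Count the private hops before the first public one.  Each is a NAT
    layer the IKE/ESP traffic must cross; the first public address is the
    source the remote gateway sees.  Hop 1 is the client's default gateway,
    the 'nexthop' Jon was collecting for ipsec.conf."""
    hops = parse_hops(text)
    private, public = [], None
    for _, addr in hops:
        if is_rfc1918(addr):
            private.append(addr)
        else:
            public = addr
            break
    return {"nexthop": hops[0][1] if hops else None,
            "nat_layers": len(private),
            "private_gateways": private,
            "public_address": public}
```

Run `diagnose(SAMPLE_TRACEROUTE)` on the sample and it reports two NAT layers with 24.205.0.1 as the only address the LEAF box could ever see as the client's source.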