Ping,

To help get your configuration working correctly sooner, could you please follow the "SR" link at the bottom of this post and send an ASCII diagram and complete description of exactly what you are trying to set up? I'm wondering if some terminology confusion is going on here, and this information would expedite a better answer to your problem for those of us working the mailing list. ~Thanks (more comments inline).

On Thursday 27 June 2002 11:02, Ping Kwong wrote:

> Ok, are you saying that because of the kernel that I'm using now that
> the network modules aren't loading properly? I'm guessing that isn't
> so.

I really don't know. Other than stripping some stock modules from Dachstein Floppy v1.0.2, none of the modules packages and utilities have been modified. IPSec-passthrough is where the firewall does nothing but allow an IPSec connection through the firewall.... the firewall does no processing of the packet other than route. Thus a non-IPSec-patched kernel is necessary.... like the standard Dachstein floppy image.

> From what I'm reading, should you be providing an image that
> does IPSEC through a registered IP (current one) and private IP (what
> most home LRP users are doing now). While I'm at it, I thought I
> spotted some things that needed correcting in your document.

Yes, it processes (encrypts) the information from a regular TCP/IP LAN network and sends it to a remote Host or IPSec gateway, and the opposite for information being sent via IPSec from a remote Host or gateway. All setup and authentication is being done on the Gateway (firewall), not through an IPSec client behind the firewall (which would be pass-through).

> -------------------------------
> ESP (protocol 50) is called as "transport" mode and is used for
> Host-to-Host connections. AH (protocol 51) is called as "tunnel" mode
> and is used for any connection that connects to a Subnet. Tunnel mode
> is the only method that will work through NAT.
>                                          ^^^^^^
>
> Shouldn't that be Transport rather than tunnel?

If you use Transport on an IPSec Gateway, none of the computers behind the Gateway can use the VPN connection... only the Gateway itself. The Gateway would be acting as a stand-alone Host, instead of a Gateway, with this connection type. This is what you would configure on a Road-Warrior computer (remote laptop or home box to connect to a work network). The tunnel method allows NAT'ed clients behind the Gateway to participate in the tunnel, but the Gateway cannot send information through the tunnel (which is what a gateway does). Maybe I should change the "through NAT." to "with a NAT'ed subnet."

> 4) FIREWALL PASS-THROUGH
>
> This type of connection is very often the most confusing. This is
> used where a remote computer behind a firewall connects to a remote
> network or computer. The firewall is configured to allow the
> connection, but does not participate or authenticate.
>
> To set up this type of connection:
> 1) open the protocols 50 and 51 on your firewall
> 2) open port 500 on your firewall
> 3) load the ip_masq_ipsec.o module and add it to /etc/modules
>                                                   ^^^^
>
> I think this should be /lib/modules.

On LEAF 2.2.x releases, the ip_masq_ipsec.o module is already included in the stock images (sans the releases with IPSec-patched kernels that the module wouldn't work with anyway). All you need to do to get IPSec-passthrough working with these stock images is declare the module in /etc/modules to load it at boot.

-- 
~Lynn Avants aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
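The three pass-through steps from the quoted document (open protocols 50 and 51, open port 500, declare ip_masq_ipsec in /etc/modules), as an added shell example that is not from the original post or the LEAF project. It assumes a kernel 2.2 LEAF box whose firewall is ipchains-based, that /etc/modules lists one module name per line (with or without ".o"), and that the external interface name is passed in; the rules are printed as a dry run rather than executed.

```shell
#!/bin/sh
# Added example, not from the original post or the LEAF project.
# Assumptions: kernel 2.2 LEAF firewall using ipchains; /etc/modules
# lists one module name per line, with or without a ".o" suffix.

# ensure_module FILE MODULE
#   Declare MODULE in FILE (the /etc/modules equivalent) exactly once,
#   so repeated runs never duplicate the line.
#   Prints "present" if it was already there, "added" otherwise.
ensure_module() {
    file=$1; mod=$2
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*${mod}\(\.o\)\{0,1\}[[:space:]]*$" "$file"; then
        echo present
    else
        printf '%s\n' "$mod" >> "$file"
        echo added
    fi
}

# passthrough_rules IFACE
#   Print the three ipchains rules that let IPsec traffic reach the
#   firewall's external interface IFACE: ESP (protocol 50), AH
#   (protocol 51) and IKE (UDP port 500). Only these are opened;
#   nothing else changes, so the firewall still does no IPsec work.
passthrough_rules() {
    iface=$1
    printf 'ipchains -A input -i %s -p 50 -j ACCEPT\n' "$iface"
    printf 'ipchains -A input -i %s -p 51 -j ACCEPT\n' "$iface"
    printf 'ipchains -A input -i %s -p udp --dport 500 -j ACCEPT\n' "$iface"
}

# Constructed demo against a scratch copy of /etc/modules (run with "demo").
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf 'ip_masq_ftp\n' > "$tmp"      # constructed starting contents
    ensure_module "$tmp" ip_masq_ipsec   # added
    ensure_module "$tmp" ip_masq_ipsec   # present
    cat "$tmp"
    passthrough_rules eth0
    rm -f "$tmp"
fi
```

Review the printed rules before applying them on the firewall; the demo only touches a temporary file.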
