On Saturday 09 November 2002 10:07, Michael D. Schleif wrote:

> I was wondering if there was a way to define
> leftsubnet=_a_string_of_many_disparate_networks_ -- apparently not?

I don't believe the ipsec script will interpret a string other than the
"expected" single entry, so I don't believe so from memory.


> Unfortunately, Andre wants us to do "ipsec before nat" or "nat
> between gateways".
>
> By-the-by, the reason that the /21 subnet is commented out is this
> link's suggestion: "omit the leftsubnet= parameter".

The ipsec before NAT has generally been the "highly suggested" method
for the reason of not exposing the VPN gateway to the internet. The only
change necessary to do this is the forwarding of the protocols/ports for
ipsec to the gateway from the firewall. I wouldn't think that you would
want to drop the leftsubnet= option from the file, only move it from the
%default section to individual connection definitions (tunnels) for
each subnet as Charles suggested.

I'm hoping you've got it up by now... sorry for the late reply!
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
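
The per-subnet layout suggested in the reply above, sketched as an added example that is not part of the original message or of the LEAF project's files. It assumes FreeS/WAN-style ipsec.conf syntax with pre-shared-key authentication; the gateway addresses, connection names and subnets are constructed placeholders.

```conf
# ipsec.conf fragment (constructed example, placeholder values throughout)

conn %default
    # Settings shared by every tunnel stay in %default.
    authby=secret
    # Local gateway (placeholder address).
    left=192.0.2.1
    # Remote gateway and the network behind it (placeholders).
    right=198.51.100.1
    rightsubnet=10.20.0.0/16
    # No leftsubnet= here: the parameter takes a single network,
    # so it moves into one connection definition per local subnet.

conn local-a-to-remote
    # First local network gets its own tunnel.
    leftsubnet=10.10.0.0/21
    auto=start

conn local-b-to-remote
    # Second, unrelated local network gets a separate tunnel.
    leftsubnet=172.16.5.0/24
    auto=start
```

Each additional local network is another short conn section that inherits everything else from %default.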

