----- Original Message -----
From: "Charles Steinkuehler" <[EMAIL PROTECTED]>

> Anyway, in addition to loading the ip_masq_ipsec.o module, you'll need
> to properly configure your VPN description on both ends. This can get
> to be a bit confusing, since you need to load the IP address of your
> firewall, rather than your laptop, in a couple of places. That's
> probably why the IKE exchange, which uses already masqueraded UDP 500
> traffic, is failing.
>
> Look over the VPN Masquerade HOWTO, make sure you're using the right
> kernel, and holler if you run into problems getting everything working.
> http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html
>

Hmmm, that was the document I was reading, and it left me thoroughly confused! I'm not even entirely sure whether my set-up is a private- or ip-registered network (the laptop gets its IP addr from the firewall, the firewall by dhcp from my ISP, and the VPN server is a fixed address). I'll try reading through it again and try to piece it together. It may be that a major fault was me specifying the laptop's IP address instead of the firewall's - is that the 'upstream' (internet) address, or the local one (192.....)?

> One more WARNING: You will not be able to masquerade AH (Authenticated
> Header...protocol 51) VPN Traffic, if that's what your IPSec client is
> set up to use. This protocol authenticates *EVERYTHING* in the IP
> packet, including the IP header (with its source and destination IPs),
> so masquerading (which replaces the source and/or destination IP field
> in the header) invalidates the packets. The more commonly used ESP
> (protocol 50) only authenticates the data portion of the IP packet, and
> can be successfully masqueraded.

Don't know if it uses AH or ESP, but the client has a logging option, so if I can at least get it through the initial IKE exchange, then that'll be something - I may even know what I'm doing by then.

Is there a simple set of steps which will just open up the firewall completely, just so I can check it with the loosest possible configuration before tightening up to specific addresses?

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
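
The AH versus ESP point quoted in the message above, as an added example that is not part of the original thread: a simplified model of the two integrity checks, showing that a source-address rewrite by the masquerading firewall breaks the AH check while the ESP check still passes. The packet layout (ICV appended at the end, no encryption), the key, and all addresses are constructed assumptions for illustration.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"   # constructed sample key
AH, ESP, ICV_LEN = 51, 50, 12   # IP protocol numbers; truncated HMAC length

def ip_header(src, dst, proto, body_len, ttl=64):
    # Minimal 20-byte IPv4 header; checksum left at 0 (it is mutable anyway).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(hdr, body):
    # AH covers the IP header with mutable fields zeroed, plus the body.
    # Source and destination addresses are NOT mutable, so they are hashed.
    h = bytearray(hdr)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags and fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return hmac.new(KEY, bytes(h) + body, hashlib.sha1).digest()[:ICV_LEN]

def esp_icv(body):
    # ESP covers only its own header (SPI, sequence) and data, not the IP header.
    return hmac.new(KEY, body, hashlib.sha1).digest()[:ICV_LEN]

def send(proto, src, dst, data):
    body = struct.pack("!II", 0x1001, 1) + data   # SPI, sequence number, data
    hdr = ip_header(src, dst, proto, len(body) + ICV_LEN)
    icv = ah_icv(hdr, body) if proto == AH else esp_icv(body)
    return hdr + body + icv

def verify(pkt):
    hdr, body, icv = pkt[:20], pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    expected = ah_icv(hdr, body) if hdr[9] == AH else esp_icv(body)
    return hmac.compare_digest(icv, expected)

def masquerade(pkt, new_src):
    # What the masquerading firewall does: rewrite the source address.
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]

def forward(pkt):
    # What any router does: decrement TTL (a mutable field).
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]

if __name__ == "__main__":
    for name, proto in (("AH", AH), ("ESP", ESP)):
        pkt = send(proto, "192.168.1.10", "203.0.113.5", b"constructed data")
        print(name, "routed:", verify(forward(pkt)),
              "masqueraded:", verify(masquerade(pkt, "198.51.100.7")))
```

Ordinary routing (TTL decrement) leaves both checks intact; only the address rewrite separates the two protocols.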
