You may have a look at
http://sites.inka.de/sites/bigred/devel/cipe.html
It does exactly what you describe, at least if you can either use it on the
firewall machines directly (which means they must be Linux routers), or if you
have 2 additional official IPs, or if these firewall routers support UDP
masquerading and forwarding (1).
(If you don't need or are not allowed to use strong encryption, you can use CIPE
even without encryption.)
CIPE has some very convenient features and can even be used if the machine
initiating the tunnel has a dynamic IP.
We have used it for months without any problems.
CIPE uses UDP for encapsulation. This has big advantages compared to PPP over
SSH. See http://sites.inka.de/~bigred/devel/tcp-tcp.html: PPP over SSH is bad.
(1): CIPE cannot run on the firewall, but firewalls are able to do the following:
translate outgoing packets from
(sip, sport, dip, dport)
to
(ownip, ownfixport, dip, dport)
and incoming packets from
(sip, sport, ownip, ownfixport)
to
(sip, sport, dip, dport)
Then the following is possible:

c1 ---- a ------------------------ b ----- c2
   A             Internet             B

c1: CIPE endpoint in net A, private IP ipc1
c2: CIPE endpoint in net B, private IP ipc2
a: firewall of net A, official IP ipa
b: firewall of net B, official IP ipb
We configure a to translate
(c1-ip, 1000, x, y) to (a-ip, 9000, x, y) for outgoing packets
(x, y, a-ip, 9000) to (x, y, c1-ip, 1000) for incoming packets
and b to translate
(c2-ip, 1000, x, y) to (b-ip, 9000, x, y) for outgoing packets
(x, y, b-ip, 9000) to (x, y, c2-ip, 1000) for incoming packets
CIPE on c1 must then be configured like this:
...
me c1-ip:1000
peer b-ip:9000
...
and CIPE on c2:
...
me c2-ip:1000
peer a-ip:9000
Wolfgang Walter
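The following is an added example, not code from the post above and not part of CIPE. It models the two static translation rules the post describes for firewalls a and b as plain 4-tuple rewrites, then walks one packet from each CIPE endpoint through its own firewall, across the Internet and through the far firewall, checking that what arrives matches the other side's "me" and "peer" settings. All addresses (RFC 1918 and documentation ranges) and the port numbers are constructed for the example. It also shows a consequence of the incoming rule matching any (x, y): a packet from an arbitrary Internet host to a-ip:9000 is forwarded to c1:1000, so the firewall itself does no peer filtering and CIPE on c1 is what has to reject it.

```python
"""Model of the static UDP port translation described in the post, so the
address/port bookkeeping on firewalls a and b can be checked on paper.
Added example, not CIPE code; every address and port below is made up."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    sip: str
    sport: int
    dip: str
    dport: int


class StaticNat:
    """One firewall: rewrites the source of outgoing packets from the inside
    CIPE endpoint to (ownip, ownfixport), and the destination of incoming
    packets addressed to (ownip, ownfixport) back to the inside endpoint."""

    def __init__(self, ownip, ownfixport, inside_ip, inside_port):
        self.ownip, self.ownfixport = ownip, ownfixport
        self.inside_ip, self.inside_port = inside_ip, inside_port

    def outgoing(self, p):
        # (c-ip, 1000, x, y) -> (own-ip, 9000, x, y); anything else passes unchanged
        if (p.sip, p.sport) == (self.inside_ip, self.inside_port):
            return replace(p, sip=self.ownip, sport=self.ownfixport)
        return p

    def incoming(self, p):
        # (x, y, own-ip, 9000) -> (x, y, c-ip, 1000) for ANY x, y
        if (p.dip, p.dport) == (self.ownip, self.ownfixport):
            return replace(p, dip=self.inside_ip, dport=self.inside_port)
        return p


# Constructed addresses: private nets A and B, documentation ranges for the
# official IPs of the firewalls.  Ports as in the post (1000 inside, 9000 outside).
C1_IP, C2_IP = "10.1.0.2", "10.2.0.2"
A_IP, B_IP = "192.0.2.1", "198.51.100.1"
CIPE_PORT, FW_PORT = 1000, 9000

FW_A = StaticNat(A_IP, FW_PORT, C1_IP, CIPE_PORT)
FW_B = StaticNat(B_IP, FW_PORT, C2_IP, CIPE_PORT)

# The "me" / "peer" pairs each endpoint would carry in its CIPE options
CIPE_C1 = {"me": (C1_IP, CIPE_PORT), "peer": (B_IP, FW_PORT)}
CIPE_C2 = {"me": (C2_IP, CIPE_PORT), "peer": (A_IP, FW_PORT)}


def send(src_cfg, src_fw, dst_fw):
    """Carry one packet from a CIPE endpoint through its own firewall, across
    the Internet and through the far firewall; return (on_wire, delivered)."""
    p = Packet(*src_cfg["me"], *src_cfg["peer"])
    on_wire = src_fw.outgoing(p)
    delivered = dst_fw.incoming(on_wire)
    return on_wire, delivered


def _arrives_correctly(delivered, receiver_cfg):
    # Arrives at the receiver's own socket, and from the address it calls "peer",
    # so its replies go back through the same translation.
    return ((delivered.dip, delivered.dport) == receiver_cfg["me"]
            and (delivered.sip, delivered.sport) == receiver_cfg["peer"])


def check_tunnel():
    """True if c1 -> c2 and c2 -> c1 both land on the far CIPE socket with a
    source address matching that side's 'peer' setting."""
    _, deliv12 = send(CIPE_C1, FW_A, FW_B)
    _, deliv21 = send(CIPE_C2, FW_B, FW_A)
    return _arrives_correctly(deliv12, CIPE_C2) and _arrives_correctly(deliv21, CIPE_C1)


def unsolicited_reaches_cipe(attacker_ip="203.0.113.7", attacker_port=4444):
    """The incoming rule is keyed only on (own-ip, 9000): a packet from any
    Internet host is forwarded to c1:1000.  Nothing here checks the peer, so
    rejecting it is CIPE's job on c1, not the firewall's."""
    d = FW_A.incoming(Packet(attacker_ip, attacker_port, A_IP, FW_PORT))
    return (d.dip, d.dport) == (C1_IP, CIPE_PORT)


if __name__ == "__main__":
    for cfg, fw_out, fw_in in ((CIPE_C1, FW_A, FW_B), (CIPE_C2, FW_B, FW_A)):
        wire, deliv = send(cfg, fw_out, fw_in)
        print("on wire:", wire, "\ndelivered:", deliv)
    print("tunnel consistent:", check_tunnel())
    print("unsolicited packet forwarded to c1:", unsolicited_reaches_cipe())
```

The model deliberately keeps the firewall rules as dumb as the post states them (no connection tracking, no source check), which is why the last function comes out true: with this setup the CIPE key, not the NAT, is the only thing standing between c1:1000 and the Internet.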