On Monday 08 April 2002 6:37 pm, Glover George wrote:
> > I need to add a VPN client (AH+ESP) behind my personal Linux
> > gateway. But the old IP Masquerade on Kernel 2.2 does not
> > support this. So I am thinking to upgrade to the "iptables",
> > if it is able to do the following:
> >
> > 1. Masquerading VPN traffic (AH+ESP)
>
> Although I haven't done it, I believe there's a lot of discussion on
> ipsec's list about it. It may be tough, but I believe it can be done.
Yes, it can be done - I've done it with FreeS/WAN - it needs absolutely nothing special on the IPtables machine at all - either just NAT everything (this automatically includes TCP, UDP, ESP, ICMP.....) or else make sure that you're NATting UDP port 500 (IKE) and protocols 49 & 50 (AH & ESP).

The trick is in getting the two IPsec machines to talk to each other, and I found the easiest way to do that was to tell each one what its own IP address was (the real IP address on the machine), but tell it the translated address of the other machine (i.e. the address it can be contacted on from the first one). That way both machines know who they are themselves, and they both know how to contact the other. The NAT in the middle just makes sure the packets get there.

There are some good tutorials at the FreeS/WAN website which I used to get this going - it's just a matter of finding the example which most closely matches your needs and then going from there.

Good luck :-)

Antony.
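The two NAT options Antony describes, written out as an added iptables example (not code from the thread or from FreeS/WAN). It assumes an external interface eth0, an inside LAN of 192.168.1.0/24, and the IANA-assigned IP protocol numbers 50 for ESP and 51 for AH; by default it only prints the rules.

```shell
#!/bin/sh
# Added example: iptables NAT rules that let one IPsec client behind a Linux
# gateway reach a remote IPsec gateway. Assumptions (mine, not the post's):
# WAN_IF is the external interface, LAN_NET the inside network, and the
# protocol numbers are the IANA ones, 50 = ESP and 51 = AH.
# IPT defaults to "echo iptables" so the script only prints the rules;
# run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Option 1: masquerade everything leaving the WAN interface. This covers
# TCP, UDP, ICMP, ESP and AH alike without naming any of them.
nat_everything() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Option 2: masquerade only what IPsec needs. IKE is UDP port 500; ESP and
# AH are their own IP protocols, so they are matched with -p <number>,
# not with a port. Note that AH's integrity check covers the outer source
# address, so a masqueraded AH packet fails verification at the peer; in
# practice it is the ESP (and IKE) rules that carry the tunnel through NAT.
nat_ipsec_only() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -p udp --dport 500 -j MASQUERADE
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -p 50 -j MASQUERADE
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -p 51 -j MASQUERADE
}

# Dry-run both variants when executed directly.
if [ "${1:-}" = "show" ]; then
    echo "# option 1"; nat_everything
    echo "# option 2"; nat_ipsec_only
fi
```

Because ESP and AH have no ports, the 2.4-era NAT can distinguish only one inside client per remote peer; a second client's SPIs collide, which is the usual reason a "second VPN user behind the same NAT" stops working.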
