On Mon, Apr 08, 2002 at 09:40:49AM +0100, Jonathan Hodd wrote:
: My iptables firewall isn't NATing ip50 packets, so the VPN firewall at work
: is reporting my internal IP address once I'm authenticated.
: (pre-authentication, I appear as the correct external IP)
: 
: I'm not loading any additional modules, and my NAT rules are:
: 
: $IPTABLES -t nat -A POSTROUTING -o eth0 -s $INT_IP -j SNAT --to $EXT_IP
: $IPTABLES -t nat -A PREROUTING -i eth0 -d $EXT_IP -j DNAT --to $INT_IP
: 
: I have a block of IPs, so I'm not masquerading, just doing a 1:1 translation
: for each of my machines to a different external address.
: 
: Is the NATing of ip50 packets actually possible?

Sure, proto 50 is ESP which can be NAT'd.

: If yes, what do I need to do/where do I need to look to find out?
: If no, how can I keep my VPN client behind the firewall and still use it?

You'll find SecuRemote and SecureClient are best behaved in a NAT 
environment when you force the client into UDP-encapsulation mode.

I use SecureClient NG to talk to a VPN-1 4.1 SecuRemote gateway every day
for work and have yet to have any trouble....

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
          Quidquid latine dictum sit, altum viditur.
                    My account, My opinions.
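
What the quoted 1:1 SNAT rule does to a protocol-50 packet, modeled in Python as an added example that is not part of the original thread: only the outer IP source address and header checksum change, while the ESP header and body pass through byte for byte (ESP carries no ports, and its integrity check does not cover the outer IP header). The addresses, SPI, sequence number and body are constructed sample values, and `snat()` is a simplified model of the rule, not netfilter code.

```python
import socket
import struct

ESP = 50  # IP protocol number for ESP ("ip50" in the thread)

def checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_esp_packet(src: str, dst: str, spi: int, seq: int, body: bytes) -> bytes:
    """Minimal IPv4 packet carrying ESP: SPI, sequence number, opaque body."""
    esp = struct.pack("!II", spi, seq) + body
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64,
                         ESP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", checksum(header)) + header[12:] + esp

def snat(packet: bytes, int_ip: str, ext_ip: str) -> bytes:
    """Model of '-s $INT_IP -j SNAT --to $EXT_IP': rewrite source, fix checksum."""
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    if bytes(header[12:16]) != socket.inet_aton(int_ip):
        return packet  # rule does not match; packet leaves unchanged
    header[12:16] = socket.inet_aton(ext_ip)
    header[10:12] = b"\x00\x00"  # zero the old checksum before recomputing
    header[10:12] = struct.pack("!H", checksum(bytes(header)))
    return bytes(header) + packet[ihl:]

def summarize(packet: bytes) -> dict:
    """Fields a capture on either side of the firewall would show."""
    ihl = (packet[0] & 0x0F) * 4
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return {"proto": packet[9], "src": socket.inet_ntoa(packet[12:16]),
            "spi": spi, "seq": seq, "esp": packet[ihl:],
            "header_ok": checksum(packet[:ihl]) == 0}

# Constructed sample values (documentation address ranges)
INT_IP, EXT_IP, GATEWAY = "192.168.1.10", "203.0.113.10", "198.51.100.1"
before = build_esp_packet(INT_IP, GATEWAY, 0x1234ABCD, 7, b"\xde\xad\xbe\xef" * 4)
after = snat(before, INT_IP, EXT_IP)

if __name__ == "__main__":
    for label, pkt in (("inside ", before), ("outside", after)):
        info = summarize(pkt)
        print(label, info["src"], "proto", info["proto"],
              hex(info["spi"]), "header checksum ok:", info["header_ok"])
```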
