I've read on phoneboy that UDP is the way to go; unfortunately my net admin
says it's impossible on our network.

Now whether this is an 'admin impossible', i.e. can't be bothered, or a
real-world limitation of our hardware is another matter :)

-----Original Message-----
From: Jason Costomiris [mailto:[EMAIL PROTECTED]]
Sent: 09 April 2002 22:55
To: Jonathan Hodd
Cc: '[EMAIL PROTECTED]'
Subject: Re: ip50, NAT, SecuRemote Client


On Mon, Apr 08, 2002 at 09:40:49AM +0100, Jonathan Hodd wrote:
: My iptables firewall isn't NATing ip50 packets, so the vpn firewall at work
: is reporting my internal ip address once I'm authenticated.
: (Pre-authentication, I appear as the correct external ip.)
: 
: I'm not loading any additional modules, and my NAT rules are:
: 
: $IPTABLES -t nat -A POSTROUTING -o eth0 -s $INT_IP -j SNAT --to $EXT_IP
: $IPTABLES -t nat -A PREROUTING -i eth0 -d $EXT_IP -j DNAT --to $INT_IP
: 
: I have a block of IPs, so I'm not masquerading, just doing a 1:1 translation
: for each of my machines to a different external address.
: 
: Is the NATing of ip50 packets actually possible?

Sure, proto 50 is ESP which can be NAT'd.

: If yes, what do I need to do/where do I need to look to find out?
: If no, how can I keep my vpn client behind the firewall and still use it?

You'll find SecuRemote and SecureClient are best behaved in a NAT 
environment when you force the client into UDP-encapsulation mode.

I use SecureClient NG to talk to a VPN-1 4.1 SecuRemote gateway every day
for work and have yet to have any trouble....

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
          Quidquid latine dictum sit, altum viditur.
                    My account, My opinions.
