On Tue, Feb 26, 2002 at 10:55:22PM -0600, Alan Mead wrote:
: I was *not* able to use an IPSec VPN client with
: the old (2.2-based) LEAF but I am told that the new versions include needed
: kernel support.  The problem with these sorts of protocols is that they are
: encrypted.  So the internal IP gets stuffed into a packet, then the packet
: is rendered opaque, then wrapped in a second packet and sent out... the NAT
: router rewrites the IP on the second packet but cannot access the encrypted
: payload. 

That's not why at all, unless your VPN uses AH.  AH is an almost completely
useless part of IPSec.  You get the same benefits by using ESP with a null
cipher - and get the other benefits that ESP adds.

The old kernels used to mangle the source port of IKE packets, causing
confusion.  The netfilter code is smart enough not to do this.

Once your IKE SAs are up, ESP with NAT is trivial, at least for
the situation of using only one client behind the firewall.  If you need
to have multiple clients behind the firewall, your client will have
to implement some sort of encapsulation, usually UDP or GRE based.  This
is very common with IPSec clients.

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
          Quidquid latine dictum sit, altum viditur.
                    My account, My opinions.
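The two points made above (AH breaks under NAT because its integrity check covers the outer IP header, while ESP's does not; and raw ESP carries no port, so a NAT cannot tell two inside clients apart without UDP encapsulation) can be shown with a toy model. This is an added example, not code from the thread or from any IPsec implementation: the headers are deliberately simplified (not wire-accurate AH/ESP), the key and addresses are constructed, and the NAT table is a minimal stand-in for how a port-based NAT keys its translations.

```python
"""Toy model of why ESP survives source NAT but AH does not, and why several
clients behind one NAT need UDP encapsulation.  Added example with simplified
headers; key, addresses and the NAT model are all constructed for illustration."""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-integrity-key"  # shared integrity key (constructed)
GW = "203.0.113.1"                       # VPN gateway (constructed, RFC 5737 range)
CLIENT = "192.168.1.10"                  # private client address (constructed)
NAT_EXT = "198.51.100.7"                 # NAT router's public address (constructed)


def ip_header(src, dst, proto):
    """12-byte toy IP header: src, dst, protocol number, 3 bytes padding."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBBB", proto, 0, 0, 0)


def icv(data):
    """96-bit truncated HMAC, standing in for the AH/ESP integrity check value."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]


# AH (IP protocol 51): the ICV covers the immutable outer IP header fields
# (source/destination address included) as well as the payload.
def build_ah(src, dst, payload):
    hdr = ip_header(src, dst, 51)
    return hdr + icv(hdr + payload) + payload


def verify_ah(pkt):
    hdr, tag, payload = pkt[:12], pkt[12:24], pkt[24:]
    return hmac.compare_digest(tag, icv(hdr + payload))


# ESP (IP protocol 50): the ICV covers only SPI, sequence number and payload.
# The outer IP header is unprotected, so a NAT may rewrite it freely.
def build_esp(src, dst, spi, seq, payload):
    esp = struct.pack("!II", spi, seq) + payload
    return ip_header(src, dst, 50) + esp + icv(esp)


def verify_esp(pkt):
    esp, tag = pkt[12:-12], pkt[-12:]
    return hmac.compare_digest(tag, icv(esp))


def source_nat(pkt, new_src):
    """The NAT router rewrites the outer source address and nothing else."""
    return socket.inet_aton(new_src) + pkt[4:]


def nat_traversal_demo(payload=b"constructed inner packet"):
    """Send one AH and one ESP packet from CLIENT through the NAT; the gateway
    verifies both.  AH fails because the header it authenticated was changed."""
    ah = source_nat(build_ah(CLIENT, GW, payload), NAT_EXT)
    esp = source_nat(build_esp(CLIENT, GW, 0x1000, 1, payload), NAT_EXT)
    return {"ah_ok": verify_ah(ah), "esp_ok": verify_esp(esp)}


# Multi-client case.  A port-based NAT keys its translations on (protocol,
# translated source port).  Raw ESP has no port, so every inside client talking
# to the same gateway lands on the same external tuple and a returning ESP
# packet cannot be attributed to one inside host.  Wrapping ESP in UDP gives
# each client its own translated source port.  Toy model, not a real NAT.
def nat_table(flows, encapsulate):
    table = {}
    for client, _spi in flows:
        if encapsulate:
            key = (17, 4500 + len(table))  # UDP; one translated port per flow (toy allocation)
        else:
            key = (50, None)               # ESP; protocol only, nothing to distinguish on
        table.setdefault(key, []).append(client)
    return table


def ambiguous_flows(flows, encapsulate):
    """External tuples that map back to more than one inside client."""
    return [k for k, v in nat_table(flows, encapsulate).items() if len(v) > 1]


if __name__ == "__main__":
    print(nat_traversal_demo())
    two = [("192.168.1.10", 0x1000), ("192.168.1.11", 0x2000)]
    print("raw ESP ambiguous:", ambiguous_flows(two, encapsulate=False))
    print("UDP-encapsulated ambiguous:", ambiguous_flows(two, encapsulate=True))
```

The AH result is the same with ESP and a null cipher: what matters for NAT is not whether the payload is encrypted but whether the outer header is authenticated. The UDP encapsulation the reply describes is what was later standardized as IPsec NAT traversal (ESP in UDP on port 4500), which is why the toy allocates translated ports from 4500.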



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list