On Tue, Feb 26, 2002 at 10:55:22PM -0600, Alan Mead wrote:
: I was *not* able to use an IPSec VPN client with
: the old (2.2-based) LEAF but I am told that the new versions include needed
: kernel support. The problem with these sorts of protocols is that they are
: encrypted. So the internal IP gets stuffed into a packet, then the packet
: is rendered opaque, then wrapped in a second packet and sent out... the NAT
: router rewrites the IP on the second packet but cannot access the encrypted
: payload.
That's not why at all, unless your VPN uses AH. AH is an almost completely useless part of IPSec. You get the same benefits by using ESP with a null cipher - and get the other benefits that ESP adds.

The old kernels used to mangle the source port of IKE packets, causing confusion. The netfilter code is smart enough not to do this.

Once your IKE SAs are up, ESP with NAT is trivial, at least for the situation of using only one client behind the firewall. If you need to have multiple clients behind the firewall, your client will have to implement some sort of encapsulation, usually UDP or GRE based. This is very common with IPSec clients.

--
Jason Costomiris <>< | Technologist, geek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
My account, My opinions.

_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list
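The point Jason makes above (AH breaks behind NAT, ESP does not, and a null cipher changes nothing about that) comes down to what each protocol's integrity check covers. The following is an added illustration, not code from either poster: it uses a truncated HMAC as a stand-in ICV over a constructed 20-byte outer IPv4 header, applies the source-address rewrite a NAT router performs, and re-checks at the receiver. The addresses and key are constructed, and the real AH/ESP wire encodings are deliberately not reproduced.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo integrity key; a real SA would negotiate this via IKE.
KEY = b"constructed-demo-key"

def ip_header(src: str, dst: str) -> bytes:
    """Minimal outer IPv4 header (20 bytes): TTL 64, proto 50, checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, 50, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def icv(data: bytes) -> bytes:
    """Stand-in integrity check value: truncated HMAC-SHA256."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def ah_scope(hdr: bytes) -> bytes:
    """AH zeroes the mutable header fields (TOS, flags/frag, TTL, checksum) but
    keeps the addresses in scope, so a rewritten source IP breaks the ICV."""
    h = bytearray(hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def ah_tag(hdr: bytes, payload: bytes) -> bytes:
    return icv(ah_scope(hdr) + payload)

def esp_tag(hdr: bytes, payload: bytes) -> bytes:
    # ESP's ICV covers the ESP header and payload only, never the outer IP header.
    return icv(payload)

def nat_rewrite(hdr: bytes, new_src: str) -> bytes:
    """What the NAT router does: swap the outer source address, leave the payload."""
    return hdr[:12] + socket.inet_aton(new_src) + hdr[16:]

def transit(tag_fn, src="192.168.1.10", nat_src="203.0.113.7", dst="198.51.100.2") -> bool:
    """Protect a packet behind NAT, apply the rewrite, re-check at the receiver."""
    payload = b"ESP header + inner packet, opaque to the NAT router (constructed)"
    hdr = ip_header(src, dst)
    tag = tag_fn(hdr, payload)
    return hmac.compare_digest(tag_fn(nat_rewrite(hdr, nat_src), payload), tag)

def ah_survives_nat() -> bool:
    return transit(ah_tag)    # False: receiver computes over a different source address

def esp_survives_nat() -> bool:
    return transit(esp_tag)   # True: the outer header is outside the ICV
```

Whether the payload is encrypted or sent under a null cipher makes no difference here; only the scope of the integrity check decides whether the NAT rewrite is tolerated.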