Andrew Suffield wrote:
> On Tue, Feb 06, 2007 at 09:42:12PM -0800, Brian Neu wrote:
>> OK, umm, tried NAT-T -- no good. It might be the Linksys clients,
>> but they seem to support NAT-T in the documentation.
>
> For what it's worth, it's not just you - having trouble persuading
> third party ipsec clients to work with NAT is normal. Some of them
> just don't, some of them will only do it if you do things to them that
> aren't documented.

To throw in my $0.02, I've been able to get Linux and FreeSWAN talking to Checkpoint and Cisco, and Cisco talking to Checkpoint, but I had to jump thru hoops within hoops to get it done. As standard IPSEC isn't. Seems like everybody has (or had, I haven't used it in about 4 years) their own proprietary version of it. IPSEC is, IMO, the token ring of tunneling and, frankly, I hope it shares the same fate.

> (I am very happy that I no longer have to deal with ipsec in any form)

If I believed in any gods I would thank them for every day I don't have to use IPSEC.

>> I'm going to give installing on the firewall a shot, but that mucks
>> up my architecture badly between owners of equipment in this data
>> center.
>
> The 'right' workaround is to get another internet-routable IP address
> assigned for the VPN server. Then you can keep it behind the firewall,
> just don't NAT any of the ipsec traffic. My understanding is that this
> is the approach taken by most people running large ipsec deployments,
> because trying to get NAT to work reliably is such a pain.

I have to agree. If both ends have routable addresses you can switch to AH which, IMO again, is more reliable and easier to work with. Especially between different implementations.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
