RE: [suse-security] VPN masquerading
From: Alexander Gretha [mailto:alexander.gretha@irboard.net]
Thanks for your help, but as far as I see these settings are for a vpn endpoint *at* the firewall (firewall == vpn server, otherwise I wouldn't have an ipsec0 interface (or am I missing something)). What I try to achieve is to forward the vpn to a masqueraded server (i.e. a server with a private ip address). The variant vpn server == firewall would work, but sadly is not an option for our configuration.
If only one vpn-endpoint is in a NATted network, then it's easy, as long as the implementation of the NAT allows correct mangling of ESP. But the vpn has to be initiated by the NATted host.

If both endpoints or at least the 'receiving' one is NATted, it's a bit more complicated. FreeS/WAN by itself doesn't allow this, but there is a patch at http://open-source.arkoon.net that allows NAT-Traversal. At http://www.freeswan.ca you can even get pre-patched versions of FreeS/WAN. I never tried this patch, so I can't tell you if and how it works.

Hope this helps a bit further.

Andreas
Participants (1): Andreas Marbet