Dear René,

I don't believe IPSEC traverses NAT correctly, so unless your firewall was also the VPN tunneller, I don't think it works nicely. There's been some work on STUN, but I don't believe it co-exists nicely with 'double NAT' yet. Personally, I've been using CIPE.

You are correct - you can get your firewall to redirect traffic to the VPN. That doubles the traffic to the inside of the firewall though. I.e., LAN -> FW -> VPN -> FW instead of LAN -> VPN -> FW.

Traffic doubling might not be a problem, and you may decide the extra traffic isn't a problem in your scenario and you'd rather have the simpler setup. (Especially as the LAN portion of your net is probably at least twice the speed of the link to your ISP. Don't know about the loading on your firewall though.)

Mark

On Tue, 2003-08-12 at 14:51, René Matthäi wrote:
> Hi,
>
> Mark C. wrote:
> [...]
> > All the machines on LAN-A have a route added:
> > 10.2.0.0/255.255.255.0 via VPN-A
> > Default route via FW-A
>
> That's okay - but I don't understand right at this moment why this is necessary. Can't the FW route the traffic to 10.2.0.0/255.255.0.0 (resp. the other addresses on LAN-B)?
>
> > FW-A is set up to forward appropriate ports to the VPN-A to allow the VPN to establish. E.g., with CIPE, just a single udp forwarding is needed.
> [...]
> > I have this exact setup running perfectly fine. You might put a rule on both firewalls to block traffic to the other LAN (except from the VPN machine) from being NAT'd - this basically ensures you don't leak any information for a machine that's missing the right routing.
>
> You talked of CIPE. Do you use CIPE or another solution? Do you think that a VPN with FTP and LDAP between two VPN GWs each inside a NATed intranet would be possible with IPSec implementations, e.g. FreeS/WAN?
>
> My impression is that this - quite useful as I mean - setup maybe only works with L2TP, IPSec over L2TP (if _that_ exists), CIPE or (v)tun or tinc.
>
> René

-- 
Mark Cooke
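As an added illustration (not code from the thread, from CIPE, or from either poster), here is a small Python model of the routing and NAT decisions the two messages discuss: every LAN-A host carries a route to LAN-B via VPN-A and a default route via FW-A, and FW-A carries the rule Mark suggests so that LAN-B-bound traffic from a host that is missing the VPN route is not NAT'd out to the ISP. Only the 10.2.0.0/24 prefix comes from the thread; the LAN-A prefix, the FW-A and VPN-A addresses, the host address and the external test address are constructed for this example, and the iptables rule in the comment is written for the example rather than taken from the thread.

```python
import ipaddress

# Constructed addresses for this example. Only 10.2.0.0/24 (LAN-B) is taken from
# Mark's route line; LAN-A, FW-A and VPN-A are assumptions made here.
LAN_A = ipaddress.ip_network("10.1.0.0/24")
LAN_B = ipaddress.ip_network("10.2.0.0/24")
FW_A = ipaddress.ip_address("10.1.0.1")    # default gateway / NAT box on LAN-A (assumed)
VPN_A = ipaddress.ip_address("10.1.0.2")   # CIPE endpoint on LAN-A (assumed)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Host routing tables as (network, gateway) pairs.
CORRECT_ROUTES = [(DEFAULT, FW_A), (LAN_B, VPN_A)]   # what Mark adds on every LAN-A host
MISSING_ROUTES = [(DEFAULT, FW_A)]                    # a host that was missed


def next_hop(routes, dst):
    """Longest-prefix match over a tiny routing table; returns the gateway or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def fw_a_nat_decision(src, dst, block_rule=True):
    """FW-A's treatment of a packet arriving from LAN-A and heading for the ISP side.

    With block_rule=True this is the rule Mark suggests: packets addressed to the
    other LAN are not NAT'd (here: blocked) unless they come from the VPN machine.
    An iptables equivalent, written for this example (not from the thread):
        iptables -A FORWARD -d 10.2.0.0/24 ! -s 10.1.0.2 -j DROP
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if block_rule and dst in LAN_B and src != VPN_A:
        return "blocked"
    return "masqueraded"


def trace(routes, src, dst, block_rule=True):
    """Where a packet from a LAN-A host ends up: the tunnel, NAT'd out, or blocked."""
    gw = next_hop(routes, dst)
    if gw == VPN_A:
        return "tunnel"          # handed to the CIPE box, carried inside the VPN
    if gw == FW_A:
        return fw_a_nat_decision(src, dst, block_rule)
    return "no-route"


def leaked_destinations(routes, src, dsts, block_rule=True):
    """LAN-B addresses that this host would send to the ISP un-tunnelled (the leak)."""
    return [d for d in dsts
            if ipaddress.ip_address(d) in LAN_B
            and trace(routes, src, d, block_rule) == "masqueraded"]


if __name__ == "__main__":
    host = "10.1.0.10"            # an ordinary LAN-A host (assumed address)
    for name, routes in [("correct", CORRECT_ROUTES), ("missing", MISSING_ROUTES)]:
        for dst in ["10.2.0.5", "203.0.113.7"]:
            print(f"{name:8} -> {dst:12} with rule: {trace(routes, host, dst)}, "
                  f"without rule: {trace(routes, host, dst, block_rule=False)}")
```

Running the block shows the case the thread is worried about: a host with the correct table sends LAN-B traffic into the tunnel regardless of the firewall rule, while a host missing that route sends it to FW-A, where without the rule it would be masqueraded out to the ISP in the clear and with the rule it is dropped instead.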