Dear René

Everything (ftp, ldap, ssh, dns, etc.) works fine with my setup. The individual machines on the LANs don't use IPSec/tunnels. There's a single VPN tunnel essentially bridging the 'big bad internet' using a CIPE tunnel. I run an 'internal DNS' and 'internal samba' as a domain browser, and it all 'just works'. As far as the two LANs are concerned, there isn't any NAT at all, and machines on the other LAN are directly reachable with a unique address. It avoids breakage of things like (non-passive) FTP.

Finally - there's a Windows 2K/XP/NT4 version of CIPE, which I use on my laptop when I'm off-site (or on wireless, as WEP isn't worth using).

Mark

On Tue, 2003-08-12 at 15:23, René Matthäi wrote:
Hi,
Mark Cooke wrote:
I don't believe IPSEC traverses NAT correctly, so unless your firewall was also the VPN tunneller, I don't think it works nicely. There's been some work on STUN, but I don't believe it co-exists nicely with 'double NAT' yet.
Personally, I've been using CIPE.
The problem is that Windows comes only with an IPSec or L2TP client (for free and integrated). Unfortunately there is no Windows CE client, or even a Windows XP one (<- is _this_ still true?). And for mobile computing there are only IPSec clients (or PPTP/L2TP), I fear.
All the machines on LAN-A have a route added:
10.2.0.0/255.255.255.0 via VPN-A Default route via FW-A
That's okay - but I don't understand right at this moment why this is necessary. Can't the FW route the traffic to 10.2.0.0/255.255.0.0 (resp. the other addresses on LAN-B)?
You are correct - you can get your firewall to redirect traffic to the VPN. That doubles the traffic on the inside of the firewall though, i.e. LAN -> FW -> VPN -> FW instead of LAN -> VPN -> FW.
Traffic doubling might not be a problem, and you may decide the extra traffic isn't a problem in your scenario and you'd rather have the simpler setup. (Especially as the LAN portion of your net is probably at least twice the speed of the link to your ISP. Don't know about the loading on your firewall though)
You can avoid the traffic problem by adding another physical network link between the VPN GW and the FW. But as for the load, you're right. It's a Pentium I 200 MHz machine and we have a 512 kBit/s connection. So I guess this is not on the edge.
Does everything work in your setup, e.g. LDAP or FTP?
Ré

-- 
Mark Cooke