On Fri, 23 Aug 2002 rking@generationtechnology.co.uk wrote:
> Not related to security, eh? I thought that was what I was trying to achieve in implementing IPSec for VPN, no? Perhaps the mention of ipchains/iptables qualifies it for the forum?
> Seriously, I have run the FreeSwan setup before, no problems. Only this time, I have been asked to implement it where there is an adsl router with 16 public ips on it. The SuSE 8 server has been attributed one of these, with the adsl router being its default gateway.
> Now, there is a win2k exchange server, whose default route is NOT the SuSE 8 server, but some PIX that again has its own default gateway, that is the adsl router. Overcomplicated, I know, but that is what I have been given.
Why don't you just make it symmetric by putting the SuSE 8 server in front of the PIX?
> Now the road warrior dials up and uses the vpn client to get in. The SuSE server passes the packets, through the tunnel into the exchange server. The exchange server sees the packets from their original, external ip.
Why that? Use some private subnet for the road warriors and put a route for that either into the Exchange server or the PIX.
> So it sends the replies back along its default gateway to send them externally. Its default gateway is the PIX, NOT the SuSE Server!
> The network consultant that manages the PIX says that if I use RIP on the SuSE Server, and somehow broadcast its established routes, the PIX will redirect the packets that came into the exchange server, through the SuSE server, back to the SuSE Server.
I am no expert in dynamic routing, but this setup seems to attract all kinds of problems and difficulties, especially concerning reliability.

Ciao, Roland

+---------------------------+-------------------------+
| TU Muenchen               |                         |
| Physik-Department E18     | Room 3558               |
| James-Franck-Str.         | Phone 089/289-12592     |
| 85747 Garching            |                         |
+---------------------------+-------------------------+
If you think NT is the answer, you have not understood the question.