Mailinglist Archive: opensuse-security (375 mails)

< Previous Next >
Re: [suse-security] VPN masquerading
  • From: "Alexander Gretha" <alexander.gretha@xxxxxxxxxxx>
  • Date: Wed, 11 Sep 2002 09:36:33 +0200
  • Message-id: <002501c25965$f3f40620$7000a8c0@xxxxxxxxxx>
>if only one vpn-endpoint is in a NATted Network, then its easy, as long
>as the implementation of the NAT allows correct mangling of ESP. But the
>vpn has to be initiated by the NATted host.

outgoing vpn (pptp and ipsec) worked right out of the box (vpn initiator is
NATed), but incoming doesn't work because of the ESP and GRE protocols.
funny thing is, technically it is definitely possible, because the outgoing
vpn (to my vpn test server, which is also a win2k server) goes to a NATed
server, which sits behind a netgear router/firewall/switch combo thingy
(normal cable modem at my home), i.e. both vpn enpoints are NATed.

>I choosed:
>kernel 2.4.18 from
>freeswan 1.97 from

my incoming vpn server is a win2k vpn server (if i could use FreeS/WAN, i
would install it directly on the firewall), which sports PPTP and IPSEC as
well as a radius server for logging purposes. in between i have the said
suse 8.0 firewall which refuses to forward *incoming* GRE (or ESP) to my
masqueraded vpn server. i fiddled around with the fw rules but to no avail,
tcpdump shows the GRE packets on the external interface, nothing on the

thanks very much for your numerous answers,

< Previous Next >