Mailinglist Archive: opensuse-security (375 mails)

RE: [suse-security] VPN masquerading
  • From: "Andreas Marbet" <andreas.marbet@xxxxxxxxxxx>
  • Date: Tue, 10 Sep 2002 18:52:51 +0200
  • Message-id: <F51F0C7FF9F5824B8CEE3C76A5A78FC61627D0@xxxxxxxxxxxxxxxxxxxxxxx>
> From: Alexander Gretha [mailto:alexander.gretha@xxxxxxxxxxx]
>
> thanks for your help, but as far as i see these settings are
> for a vpn endpoint *at* the firewall (firewall == vpn server,
> otherwise i wouldn't have an ipsec0 interface (or am i
> missing something)). what i try to achieve is forward the vpn
> to a masqueraded server (i.e. a server with a private ip
> address). the variant vpn server == firewall would work, but
> sadly is not an option for our configuration.

If only one vpn-endpoint is in a NATted Network, then it's easy, as long
as the implementation of the NAT allows correct mangling of ESP. But the
vpn has to be initiated by the NATted host.

If both endpoints or at least the 'receiving' one is NATted it's a bit
more complicated. FreeS/WAN by itself doesn't allow this but there is a
patch at http://open-source.arkoon.net that allows NAT-Traversal. At
http://www.freeswan.ca you can even get pre-patched versions of
FreeS/WAN. I never tried this patch so I can't tell you if and how it
works.

hope this helps a bit further

Andreas
