On Tue, Jan 20, 2004 at 01:23:18PM -0600, John Goerzen wrote:
> On Tue, Jan 20, 2004 at 10:46:52AM -0800, Marc Singer wrote:
> > What I'm not finding is how to get this working where there are hosts
> > behind NAT'ing routers. In this case, a wireless AP that provides
> > limited configurability and no ipv6 support. Using the already
>
> If you can configure it to let protocol 41 (ipv6) through, you may be
> able to make things work. (I have been able to do that going through a
> Shorewall IPV4-only NAT box.)
>
> However, you may not be able to do that on your AP. You may need a more
> powerful router.

The router has a VPN passthrough feature which, I believe, is a hack
in the AP that recognizes an ipsec setup sequence and will pass the
ipsec packets through the AP.

> > What I've deduced is that there is a need for another kind of tunnel,
> > either ipip or ipsec. Am I on the right track?
>
> Well, that depends on what you're trying to do. If you're trying to
> join the global IPv6 network, that won't help. However, AFAIK, you'll
> run into the same issues with IPSec.

That's an interesting wrinkle. I was figuring that I could set up
routes on the ipv6 connected host that will make this work.

Let's say that I am using 192.0.2.1/28 as my public address and
192.0.2.250/24 as the unroutable wireless network. The router is
called Robin, the wireless node is called Wendy.

Robin is given 192.0.2.1, 192.0.2.251 and 2002:c000:201:1::1.
Wendy is given 192.0.2.252 and 2002:c000:201:2::1.

With some hand waving, I bridge Robin and Wendy through the AP using
IPSEC such that each can ping the other's 192.0.2.250/28 address. A
static route is added to each of them such that the 2002:c000:201:1::1
and 2002:c000:201:2::1 networks are ping6'able. Finally, the default
-6 route for Wendy is set to Robin.

I'd have more results, but I'm working to get the ipsec tunnel
running. Am I missing something?

>
> -- John

