NAT works fine with IPSEC as long as you do your NAT first and then tunnel or
do your NAT after the tunnel terminates.
If you are using the Nortel client you won't be able to do any NAT. You will have
to pass the tunnel through your FW.
acs
On 28-Feb-00 RISTO, JONATHAN wrote:
> Charles,
>
> This information has been helpful in setting up a similar situation that I
> have, but I have the following question in regards to IPCHAINS and a VPN
> connection.
>
> At work we connect into a Nortel Networks Contivity box for our VPN. Given
> that IPSEC generally doesn't like to get NAT'd around, is there a
> configuration which will allow a VPN to pass through a linux box running
> IPCHAINS?
>
> Thanks,
> Jonathan
>
> Tetlow Charles MSgt 12CS/SCBBN wrote:
>
>> Frank,
>>
>> Hook your eth0 to your service provider and put one of your "real IPs" on it
>> so it can talk to the world. Hook your workstations behind the eth1 using
>> the private network address space like you mentioned - 192.168.x.x. Be sure
>> that the workstations are addressed in the same network space as the eth1
>> and that their gateway is the eth1 address. (Typically the eth1 on the
>> Linux box would be 192.168.0.1 and the workstation's gateway would be the
>> same.)
>>
>> Next, setup the Linux box to do Network Address Translation with the IP
>> Chains configuration:
>> ipchains -A forward -s 192.168.0.0/16 -d 0/0 -j MASQ
>> That single line will turn on NAT for everything behind the eth1 with
>> addresses in your private network address space.
>>
>> The only other thing you HAVE to do is ensure forwarding is turned on.
>> Check the file /proc/sys/net/ipv4/ip_forward. It should contain the single
>> character "1". That sets IP Forwarding to on. Change it to one if it is
>> set to zero. And you should be off and running.
>>
>> Now, you don't have ANY protections setup at this point. You have only got
>> the box working as a packet forwarding gateway with full Network Address
>> Translation. If you want to provide "firewall" protections with that box
>> also, you have to start implementing IP Chains rules to protect yourself.
>> And of course, be sure that all non-essential services are turned off on
>> that box.
>>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
_______________________
Aaron C. Springer
[EMAIL PROTECTED]
pgp key published
_______________________