Pat-
I don't know if you got a good answer on whether the Extranet client
works behind IPCHAINS. I have it working. I can connect to a remote VPN
server from an NT system sitting behind a Linux box doing masquerading
with ipchains. On the Linux box I needed to patch the kernel.
Here are the websites that I found helpful. There might be some other
links that I can dig up.
http://www.wolfenet.com/~jhardin/ip_masq_vpn.html
and
http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html
-esteban
On Sun, 5 Mar 2000, Pat Hayden wrote:
> RE: VPN software behind ipchains
> I tried to set up ipchains with the firewall
> wide open, and allowed ALL traffic to and from the network. BUT, I suspect
> that somehow IPSEC checksums are being corrupted in the process of NAT,
> because even with the firewall wide open, I could not get a connection. If
> I wanted the extranet connection full time, I would look into setting up the
> firewall for branch tunnelling, but what I really need is an on-demand
> solution.
>
> Thanks for your help!
>
> pat hayden
> -----Original Message-----
> From: Bob Dolliver [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, March 04, 2000 12:02 PM
> To: 'Joel M Snyder'; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: VPN software behind ipchains
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> You simply have to open port 500 on the Linux box. Joel is
> correct as well with the NAT issues. By the way the Nortel client
> supports Linux s/wan for branch to branch tunneling, so you could
> tunnel from your Linux platform to the Contivity switch. You don't
> need the client in that case.
>
> Regards
> Robert E Dolliver
> Senior Technical Instructor
> Nortel Networks
>
>
>
> - -----Original Message-----
> From: Joel M Snyder [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, March 04, 2000 10:46 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: VPN software behind ipchains
>
>
>
> >Does anyone know how to make the Nortel Extranet VPN software work
> >from behind an ipchains Linux firewall? Is this doable or am I
> >stuck? The software is based on IPSEC encryption.
>
> I don't know what ipchains is, but it's probably doing NAT or PAT.
>
> It is inherent in the design of IPSEC that most post-IPSEC NAT (i.e.,
> NAT-ing after the IPSEC operation) will break IPSEC. The one case which
> can work, possibly, is ESP in tunnel mode. However, almost all
> cases of post-IPSEC NAT break IKE, which means that you can't establish
> keys, so it doesn't matter if ESP will work. (you could, of course,
> do manual SPI/keys, but if so why bother with IPSEC---you might as
> well use something a lot less secure like PPTP, which doesn't care about
> NAT). Changing IP address definitely breaks pre-shared secrets and
> will probably break certs, depending on how you are binding the
> certificate to the client and how secure (read: anal-retentive) your
> vendor is.
>
> Short answer: you're stuck (assuming that what ipchains does is NAT). If
> ipchains does PAT, you're definitely stuck; nothing will work, period.
>
> jms
>
>
>
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
> [EMAIL PROTECTED] http://www.opus1.com/jms Opus One
>
> - -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBOMFO79nLJI1E8BiVEQL/UwCgqCYVyq/hK9Qe0LGzzEeTefDUxF8AoL6z
> svKpBL5OQ3PON0hXyPzpv2eC
> =Ou+W
> -----END PGP SIGNATURE-----
>
>
-Esteban Gutierrez e-mail: [EMAIL PROTECTED]
Web: http://www.cerfnet.com/~esteban
"Windows leads to anger, anger leads to hate, hate leads to LINUX."
-slashdot posting
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
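The NAT-versus-IPsec interaction Joel describes and the "corrupted checksums" Pat suspects can be reproduced in a small model. The following is an added example, not code from the thread or from Nortel, Linux s/wan or the ipchains project; the addresses, the shared key, the reduced AH/ESP layouts (an AH header shrunk to its ICV, an ESP payload without a real cipher, treated as opaque to the NAT box) and the hypothetical function names are all assumptions. It shows three cases a masquerading box meets: AH, whose ICV covers the source address and so fails after rewriting; ESP transport mode, whose ICV survives but whose inner TCP checksum is bound to the original address and cannot be fixed up because it is inside the protected payload; and ESP tunnel mode, where the inner IP header travels intact and both checks pass (the IKE identity problem Joel raises is not modelled).

```python
"""Toy model of why masquerading breaks AH and ESP transport mode but can
survive ESP tunnel mode. Constructed example; key, addresses, layouts and
the omitted ESP cipher are assumptions."""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-integrity-key"   # assumption: shared HMAC key
INNER = "192.168.1.10"    # constructed: NT client behind the Linux box
GATEWAY = "203.0.113.5"   # constructed: public address of the masquerading Linux box
SERVER = "198.51.100.7"   # constructed: remote VPN server
ICV_LEN = 12              # truncated HMAC-SHA1, as in HMAC-SHA1-96

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def pseudo_header(src: str, dst: str, seg_len: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, seg_len)

def tcp_segment(src: str, dst: str, data: bytes) -> bytes:
    """TCP segment whose checksum is bound to the IP addresses via the pseudo-header."""
    seg = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + data
    csum = inet_checksum(pseudo_header(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def tcp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    return inet_checksum(pseudo_header(src, dst, len(seg)) + seg) == 0

def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """AH covers the IP header (mutable TTL and checksum zeroed) plus the payload,
    so the source address is under the ICV."""
    immutable = ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]
    return hmac.new(KEY, immutable + payload, hashlib.sha1).digest()[:ICV_LEN]

def esp_icv(esp_payload: bytes) -> bytes:
    """ESP covers only its own payload, never the outer IP header."""
    return hmac.new(KEY, esp_payload, hashlib.sha1).digest()[:ICV_LEN]

def masquerade(packet: bytes, new_src: str) -> bytes:
    """What the masquerading box does: rewrite the source address, fix what it can see."""
    hdr, payload = packet[:20], packet[20:]
    proto = hdr[9]
    dst = socket.inet_ntoa(hdr[16:20])
    if proto == 6:  # plain TCP: the checksum is visible, so NAT can recompute it
        payload = tcp_segment(new_src, dst, payload[20:])
    # proto 50 (ESP) / 51 (AH): the transport checksum is protected or hidden,
    # so the box can only rewrite the outer header
    return ip_header(new_src, dst, proto, len(payload)) + payload

def ah_transport_after_nat() -> bool:
    """AH transport: does the receiver's ICV check pass after masquerading?"""
    seg = tcp_segment(INNER, SERVER, b"hello")
    hdr = ip_header(INNER, SERVER, 51, ICV_LEN + len(seg))
    nat = masquerade(hdr + ah_icv(hdr, seg) + seg, GATEWAY)   # AH header reduced to its ICV
    nat_hdr, icv, body = nat[:20], nat[20:20 + ICV_LEN], nat[20 + ICV_LEN:]
    return hmac.compare_digest(ah_icv(nat_hdr, body), icv)

def esp_transport_after_nat() -> tuple:
    """ESP transport: (ICV ok?, inner TCP checksum ok?) as seen by the receiver."""
    seg = tcp_segment(INNER, SERVER, b"hello")           # checksum bound to INNER
    esp = seg + esp_icv(seg)
    nat = masquerade(ip_header(INNER, SERVER, 50, len(esp)) + esp, GATEWAY)
    payload, icv = nat[20:-ICV_LEN], nat[-ICV_LEN:]
    icv_ok = hmac.compare_digest(esp_icv(payload), icv)
    # the receiver checks the decrypted TCP checksum against the addresses it sees
    tcp_ok = tcp_checksum_ok(socket.inet_ntoa(nat[12:16]), SERVER, payload)
    return icv_ok, tcp_ok

def esp_tunnel_after_nat() -> tuple:
    """ESP tunnel: the whole inner packet, addresses included, rides inside ESP."""
    seg = tcp_segment(INNER, SERVER, b"hello")
    inner = ip_header(INNER, SERVER, 6, len(seg)) + seg
    esp = inner + esp_icv(inner)
    nat = masquerade(ip_header(INNER, SERVER, 50, len(esp)) + esp, GATEWAY)
    payload, icv = nat[20:-ICV_LEN], nat[-ICV_LEN:]
    icv_ok = hmac.compare_digest(esp_icv(payload), icv)
    tcp_ok = tcp_checksum_ok(socket.inet_ntoa(payload[12:16]),
                             socket.inet_ntoa(payload[16:20]), payload[20:])
    return icv_ok, tcp_ok

if __name__ == "__main__":
    print("AH transport ICV ok after NAT:", ah_transport_after_nat())
    print("ESP transport (icv, tcp) ok:  ", esp_transport_after_nat())
    print("ESP tunnel (icv, tcp) ok:     ", esp_tunnel_after_nat())
```

Running it gives False for AH, (True, False) for ESP transport and (True, True) for ESP tunnel. The transport-mode result is the symptom Pat describes: nothing on the wire looks damaged, the ESP integrity check passes, yet the far end discards the decrypted segment because its checksum no longer matches the address the masquerading box substituted. Tunnel mode is the one case that survives in this model, which is also why the branch-to-branch (gateway-to-gateway) arrangement Bob suggests sidesteps the problem.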