>Does anyone know how to make the Nortel Extranet VPN software work from
>behind an ipchains Linux firewall?  Is this doable or am I stuck?  The
>software is based on IPSEC encryption.

I don't know what ipchains is, but it's probably doing NAT or PAT.

It is inherent in the design of IPSEC that most post-IPSEC NAT (i.e.,
NAT-ing after the IPSEC operation) will break IPSEC.  The one case which
can work, possibly, is ESP in tunnel mode.  However, almost all
cases of post-IPSEC NAT break IKE, which means that you can't establish
keys, so it doesn't matter if ESP will work.  (You could, of course,
do manual SPI/keys, but if so why bother with IPSEC---you might as
well use something a lot less secure like PPTP, which doesn't care about
NAT.)  Changing IP address definitely breaks pre-shared secrets and will probably
break certs, depending on how you are binding the certificate to the client and how
secure (read: anal-retentive) your vendor is.

Short answer: you're stuck (assuming that what ipchains does is NAT).  If
ipchains does PAT, you're definitely stuck; nothing will work, period. 

jms


Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)  
[EMAIL PROTECTED]    http://www.opus1.com/jms    Opus One

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
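A constructed Python model of the point made in the reply above (added here; it is not code from the original post, the list, or any vendor): it shows why an integrity check that covers the outer IP header (AH) fails after post-IPsec NAT, why ESP tunnel mode can survive the same rewrite, and why IKE keyed by the peer's address fails once the source address changes. The addresses, key, PSK table and the two-address "IP header" stand-in are all constructed simplifications, not real wire formats.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo values: a private client behind NAT and the NAT's public address.
CLIENT, GATEWAY, NAT_PUBLIC = "10.0.0.5", "198.51.100.1", "203.0.113.7"
KEY = b"constructed-demo-integrity-key"   # stands in for the SA's integrity key

def ip_hdr(src, dst):
    """Stand-in for an IP header: only the addresses, the fields NAT rewrites."""
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed

def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def ah_protect(payload):
    # AH: the ICV covers the outer IP header (immutable fields) plus the payload.
    h = ip_hdr(CLIENT, GATEWAY)
    return {"hdr": h, "payload": payload, "icv": icv(h + payload)}

def esp_tunnel_protect(payload):
    # ESP tunnel mode: the original packet is encapsulated whole; the ICV covers
    # the encapsulated inner packet and never touches the outer IP header.
    inner = ip_hdr(CLIENT, GATEWAY) + payload
    return {"hdr": ip_hdr(CLIENT, GATEWAY), "payload": inner, "icv": icv(inner)}

def nat_rewrite(pkt):
    # Post-IPsec NAT: only the outer source address changes.
    return {**pkt, "hdr": ip_hdr(NAT_PUBLIC, GATEWAY)}

def ah_verify(pkt):
    return hmac.compare_digest(pkt["icv"], icv(pkt["hdr"] + pkt["payload"]))

def esp_tunnel_verify(pkt):
    return hmac.compare_digest(pkt["icv"], icv(pkt["payload"]))

# IKEv1 main mode with pre-shared keys: the responder picks the PSK by the
# peer's source address and checks it against the ID payload (ID_IPV4_ADDR).
PSK_BY_PEER = {CLIENT: b"constructed-psk"}
def ike_psk_for(observed_src, claimed_id):
    if observed_src != claimed_id:
        return None           # identity mismatch: the NAT's address is not the client's
    return PSK_BY_PEER.get(observed_src)

if __name__ == "__main__":
    ah = nat_rewrite(ah_protect(b"hello"))
    esp = nat_rewrite(esp_tunnel_protect(b"hello"))
    print("AH after NAT verifies:", ah_verify(ah))                    # False
    print("ESP tunnel after NAT verifies:", esp_tunnel_verify(esp))   # True
    print("IKE PSK found after NAT:", ike_psk_for(NAT_PUBLIC, CLIENT) is not None)  # False
```

The model omits the PAT case the reply mentions separately: ESP carries no port numbers to translate on, so a port-rewriting gateway has nothing to multiplex by at all.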
