stuck perhaps with the VPN software he asks about, but there are
solutions available for the older kernels <ipfwadm 2.0.x>, and recently,
cruising about, I've seen there are new patches for the newer kernels
<ipchains 2.2.x>. I'd send pointer URLs, but I think most of the major
Linux sites, including freshmeat.com, have links, and I *still* have yet to
get the machines up here at the new place in NC.
Thanks,
Ron DuFresne
On Sat, 4 Mar 2000, Joel M Snyder wrote:
> >Does anyone know how to make the Nortel Extranet VPN software work from
> >behind an ipchains Linux firewall? Is this doable or am I stuck? The
> >software is based on IPSEC encryption.
>
> I don't know what ipchains is, but it's probably doing NAT or PAT.
>
> It is inherent in the design of IPSEC that most post-IPSEC NAT (i.e.,
> NAT-ing after the IPSEC operation) will break IPSEC. The one case which
> can work, possibly, is ESP in tunnel mode. However, almost all
> cases of post-IPSEC NAT break IKE, which means that you can't establish
> keys, so it doesn't matter if ESP will work. (you could, of course,
> do manual SPI/keys, but if so why bother with IPSEC---you might as
> well use something a lot less secure like PPTP, which doesn't care about
> NAT). Changing IP address definitely breaks pre-shared secrets and will
> probably break certs,
> depending on how you are binding the certificate to the client and how
> secure (read: anal-retentive) your vendor is.
>
> Short answer: you're stuck (assuming that what ipchains does is NAT). If
> ipchains does PAT, you're definitely stuck; nothing will work, period.
>
> jms
>
>
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
> [EMAIL PROTECTED] http://www.opus1.com/jms Opus One
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
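The failure modes Joel describes (AH breaking under any address rewrite, ESP tunnel mode surviving plain NAT but not PAT, and IKE pre-shared secrets keyed to the peer's IP address failing after translation) can be illustrated with a small model. This is an added example, written for this archive page and not code from either poster or from the Nortel or ipchains projects; the packet structure, the HMAC-based integrity check, the PSK table and all addresses and keys are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed sample SA key; a real SA would negotiate this through IKE.
SA_KEY = b"constructed-demo-sa-key"

# Constructed gateway table: IKE main mode with pre-shared secrets identifies
# the peer by its source IP address, so the PSK is looked up by that address.
PSK_BY_PEER_IP = {"10.0.0.5": b"constructed-psk"}


@dataclass(frozen=True)
class Packet:
    src: str        # outer IP source address
    dst: str        # outer IP destination address
    proto: str      # "AH", "ESP" or "UDP"
    payload: bytes  # for ESP: the ESP header plus encrypted inner packet
    icv: bytes = b""


def ah_icv(pkt: Packet) -> bytes:
    # AH authenticates the payload together with the immutable IP header
    # fields, which include the source and destination addresses.
    covered = pkt.src.encode() + pkt.dst.encode() + pkt.payload
    return hmac.new(SA_KEY, covered, hashlib.sha256).digest()


def esp_icv(pkt: Packet) -> bytes:
    # ESP authenticates only the ESP header and the encrypted payload; the
    # outer IP header is outside the integrity check.
    return hmac.new(SA_KEY, pkt.payload, hashlib.sha256).digest()


def build(proto: str, src: str, dst: str, payload: bytes) -> Packet:
    pkt = Packet(src, dst, proto, payload)
    icv = ah_icv(pkt) if proto == "AH" else esp_icv(pkt)
    return replace(pkt, icv=icv)


def nat(pkt: Packet, public_ip: str) -> Packet:
    # Plain one-to-one NAT after the IPSEC operation: only the outer
    # source address is rewritten.
    return replace(pkt, src=public_ip)


def verify(pkt: Packet) -> bool:
    # Receiving gateway recomputes the ICV over the packet as it arrived.
    expected = ah_icv(pkt) if pkt.proto == "AH" else esp_icv(pkt)
    return hmac.compare_digest(expected, pkt.icv)


def ike_psk_found(pkt: Packet) -> bool:
    # The gateway sees the translated source address, not the client's.
    return pkt.src in PSK_BY_PEER_IP


def pat_can_forward(pkt: Packet) -> bool:
    # PAT multiplexes many hosts on one address using transport-layer ports;
    # AH and ESP carry no port field, so there is nothing to translate on.
    return pkt.proto == "UDP"


def run_scenarios() -> dict:
    client, gateway, public = "10.0.0.5", "203.0.113.9", "198.51.100.1"
    ah = build("AH", client, gateway, b"constructed inner packet")
    esp = build("ESP", client, gateway, b"constructed esp header+ciphertext")
    return {
        "ah_direct": verify(ah),
        "ah_after_nat": verify(nat(ah, public)),
        "esp_after_nat": verify(nat(esp, public)),
        "ike_psk_direct": ike_psk_found(esp),
        "ike_psk_after_nat": ike_psk_found(nat(esp, public)),
        "esp_through_pat": pat_can_forward(esp),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:20s} {'OK' if ok else 'FAILS'}")
```

The model shows why the ESP result alone is not enough: even though `esp_after_nat` passes, `ike_psk_after_nat` fails, so no keys are ever established, which is the point Joel makes about IKE. The `esp_through_pat` case fails for a different reason, the absence of any port for a many-to-one translator to key on.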