-----Original Message-----
From: Bob Dolliver [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 04, 2000 12:02 PM
To: 'Joel M Snyder'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: VPN software behind ipchains

You simply have to open port 500 on the Linux box. Joel is
correct as well with the NAT issues. By the way the Nortel client
supports Linux s/wan for branch to branch tunneling, so you could
tunnel from your Linux platform to the Contivity switch. You don't
need the client in that case.

Regards
Robert E Dolliver
Senior Technical Instructor
Nortel Networks
-----Original Message-----
From: Joel M Snyder [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 04, 2000 10:46 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: VPN software behind ipchains
>Does anyone know how to make the Nortel Extranet VPN software work
>from behind an ipchains Linux firewall? Is this doable or am I
>stuck? The software is based on IPSEC encryption.

I don't know what ipchains is, but it's probably doing NAT or PAT.
It is inherent in the design of IPSEC that most post-IPSEC NAT (i.e.,
NAT-ing after the IPSEC operation) will break IPSEC. The one case which
can work, possibly, is ESP in tunnel mode. However, almost all cases of
post-IPSEC NAT break IKE, which means that you can't establish keys, so
it doesn't matter if ESP will work. (You could, of course, do manual
SPI/keys, but if so why bother with IPSEC---you might as well use
something a lot less secure like PPTP, which doesn't care about NAT.)
Changing IP address definitely breaks pre-shared secrets and will
probably break certs, depending on how you are binding the certificate
to the client and how secure (read: anal-retentive) your vendor is.

Short answer: you're stuck (assuming that what ipchains does is NAT). If
ipchains does PAT, you're definitely stuck; nothing will work, period.

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
[EMAIL PROTECTED] http://www.opus1.com/jms Opus One
Title: RE: VPN software behind ipchains
I tried to setup ipchains with the firewall wide open, and allowed ALL
traffic to and from the network. BUT, I suspect that somehow IPSEC
checksums are being corrupted in the process of NAT, because even with
the firewall wide open, I could not get a connection. If I wanted the
extranet connection full time, I would look into setting up the firewall
for branch tunnelling, but what I really need is an on-demand solution.

Thanks for your help!

pat hayden
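Joel's point above (NAT applied after IPsec processing breaks integrity checks that cover the outer header and breaks address-bound pre-shared secrets, ESP in tunnel mode can survive plain NAT, and PAT has no port in ESP to rewrite) as an added Python model; this is not code from the thread or from any vendor. The HMAC key, addresses and packet bytes are constructed for the demonstration, and the AH-versus-ESP contrast is mine, since the thread names only ESP.

```python
import hashlib, hmac, ipaddress, struct

KEY = b"constructed-demo-key"          # stands in for the SA's integrity key
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51

def ip_header(src, dst, proto):
    """Minimal 20-byte IPv4 header (constructed; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def icv(data):
    """Truncated HMAC-SHA1, the shape of an IPsec integrity check value."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def snat(packet, new_src):
    """Source NAT after IPsec: rewrite the outer header's source address."""
    return packet[:12] + ipaddress.IPv4Address(new_src).packed + packet[16:]

def ah_verifies_after_nat():
    # AH's ICV covers the immutable outer IP fields, addresses included, so
    # the value the sender computed no longer matches once NAT rewrites them.
    packet = ip_header("10.0.0.5", "192.0.2.10", PROTO_AH) + b"inner packet"
    sent_icv = icv(packet)
    return hmac.compare_digest(sent_icv, icv(snat(packet, "198.51.100.1")))

def esp_verifies_after_nat():
    # ESP's ICV covers SPI, sequence number and ciphertext only; the outer
    # header lies outside it, so an address rewrite leaves the check intact.
    esp_body = struct.pack("!II", 0x1234, 1) + b"ciphertext"
    packet = ip_header("10.0.0.5", "192.0.2.10", PROTO_ESP) + esp_body
    sent_icv = icv(packet[20:])
    return hmac.compare_digest(sent_icv, icv(snat(packet, "198.51.100.1")[20:]))

def pat_port(proto, l4_bytes):
    # PAT needs a transport port to rewrite. UDP carries one in its first two
    # bytes; ESP's first eight bytes are SPI and sequence number, no port.
    if proto == PROTO_UDP:
        return struct.unpack("!H", l4_bytes[:2])[0]
    return None

def psk_lookup(peer_ip, table):
    # IKE with pre-shared secrets selects the key by the peer's source
    # address; after NAT the responder sees the NAT address and finds none.
    return table.get(peer_ip)
```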