On Tue, 2002-12-10 at 17:08, Dustin Puryear wrote:
> I have a client that uses Shiva VPN (IPSEC-based) across our FreeBSD
> firewall. Now, it would seem that most current IPSEC implementations expect
> to see a unique client IP address for each tunnel. Because the FreeBSD
> firewall is NAT'ing the internal network (well, PAT, but who uses that term
> anymore?)

Actually it is in all the Cisco PIX manuals...

> for Internet access using one IP address Shiva fails if more than
> one user tries to create a VPN connection.
>
> The obvious solution is then to assign one unique public IP address to each
> Shiva user. This will work. However, I'd like some suggestions on other
> ways to solve this. Has anyone worked with Shiva VPN? What about using
> IPSEC to multiple clients across a NAT'ing router? Keep in mind that we do
> not have access to the VPN itself. I can only act as a router here and not
> an end-point. (Actually, I wouldn't be opposed to solutions assuming I can
> act as an end-point, just for completeness.)

VPN (specifically IPSEC) and NAT definitely do not play nice together.
The only way I can see to solve the problem would be to do something
similar to what I have done for one of the groups here. It is basically
what you said above - I have a VPN that gives an internal network an
encrypted tunnel to another network. I am specifically using OpenBSD for
the IPSEC client. I can give you some of the details of the setup
offline if you would like.

Shannon

> ---
> Dustin Puryear <[EMAIL PROTECTED]>
> Puryear Information Technology
> Windows, UNIX, and IT Consulting
> http://www.puryear-it.com
