I think Netscreen support is right.  The second the NAT device changes 
one of the IP headers, you defeat the purpose of IPSec!  Some of the 
small NAT routers support "VPN Pass-through", which allows only one VPN 
client on the private network to work through NAT.  

The problem is vendors think VPN means "enterprise" and that means $$$$.  
I think Cisco does IPSEC/NAT by encapsulating IPSEC in UDP products. You'd
have to use the Cisco client though.  And you don't say 'Cisco' and 'save 
money' in the same sentence.  Not sure of any other products that do this.

If he wants to save money, a Linux/BSD gateway is the best way to go.  
There are ways to get around the most commonly failing PC components. But
even that might be a chore to set up since NAT and IPSEC just don't get
along.

ray


On Wed, 26 Nov 2003, Dustin Puryear wrote:

> > Maybe some of the IPSEC gurus here can help.
> >
> > This is actually not for me, but to make the reading easy I will just say
> > "I" the entire time. Throw tomatoes later.
> >
> > I have a private network and an Internet connection. I want to offer
> > public wireless to anyone close enough to use the wireless. The wireless
> > users can access the Internet using my connection. I want a few of the
> > wireless users to be able to access my private network using a VPN. My
> > configuration:
> >
> > wirelessnet <-----------> linksys AP <----> hub <--|
> >                                              |     |
> >          internet <-----> linksys router <---|     |
> >                                                    |
> > privatenetwork <---> netscreen router/vpn <---------
> >
> > The VPN is IPSEC-based. I believe they are using IPSEC ESP.
> >
> > x The wirelessnet users can access the Internet.
> > x The wirelessnet users can access privatenetwork using VPN.
> > x The privatenetwork can access the Internet.
> > x The Internet cannot access the privatenetwork using the VPN.
> >
> > Netscreen support told "me" that the issue is caused by IPSEC breaking when
> > it crosses the Linksys router/NAT boundary. Sounds about right.
> >
> > Is there a way to solve this?
> >
> > I suggested just dropping the two routers and going with a single Linux or
> > FreeBSD router/VPN with multiple interfaces for DMZ/wireless, Internet,
> > and private. My friend isn't too keen on this idea because PC-based
> > solutions have a higher chance of having a hardware failure. (I agree.)
> > Also, some people are just afraid of Linux or FreeBSD.
> >
> > He is trying to save money. (Obviously.)
> >
> > ---
> > Dustin Puryear
> > http://www.puryear-it.com
> >
> >
> >
> 
> 
> _______________________________________________
> General mailing list
> [email protected]
> http://brlug.net/mailman/listinfo/general_brlug.net
> 

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean                                       http://www.r-a-y.org
Systems Engineer                    Southeastern Louisiana University
IBM Certified Specialist              AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
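An added example, not part of either post above, that models the point Ray makes: an AH-style integrity check covers the IP addresses, so the NAT rewrite invalidates it; an ESP check does not, but ESP carries no port, so a port-translating NAT can only keep one inside client apart from the rest unless the ESP is wrapped in UDP (the "encapsulating IPSEC in UDP" approach). The key, addresses, payloads and the simplified NAT table are all constructed for the demonstration.

```python
import hmac, hashlib, struct, socket

KEY = b"constructed-demo-key"            # constructed; a real SA key comes from IKE
GATEWAY, PUBLIC = "203.0.113.10", "198.51.100.1"   # constructed documentation addresses

def ip_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header, no options."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(hdr, payload):
    """AH (IP proto 51) integrity check covers the IP header itself; only the
    mutable fields (TTL, header checksum) are zeroed, so src/dst are included."""
    covered = hdr[:8] + b"\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:]
    return hmac.new(KEY, covered + payload, hashlib.sha256).digest()[:12]

def esp_icv(esp_body):
    """ESP (IP proto 50) integrity check covers only the ESP header + ciphertext."""
    return hmac.new(KEY, esp_body, hashlib.sha256).digest()[:12]

def nat_rewrite(hdr, new_src):
    """What the NAT router does on the way out: new source address, TTL - 1."""
    return hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:12] + socket.inet_aton(new_src) + hdr[16:]

def ah_survives_nat():
    hdr, payload = ip_header("192.168.1.20", GATEWAY, 51), b"constructed AH payload"
    icv = ah_icv(hdr, payload)                   # computed by the inside client
    natted = nat_rewrite(hdr, PUBLIC)            # rewritten while crossing the NAT
    return hmac.compare_digest(icv, ah_icv(natted, payload))  # the gateway's check

def esp_survives_nat():
    hdr, esp = ip_header("192.168.1.20", GATEWAY, 50), b"constructed SPI+seq+ciphertext"
    icv = esp_icv(esp)
    nat_rewrite(hdr, PUBLIC)                     # outer header changes, ESP body does not
    return hmac.compare_digest(icv, esp_icv(esp))

def nat_table(packets):
    """Simplified port-translating NAT: one mapping per inside (proto, src, sport, dst).
    ESP has no port, so every inside host's ESP to the same gateway collapses
    onto one entry (the 'VPN pass-through' one-client limit); UDP-encapsulated
    ESP (NAT-T, UDP 4500) gets a distinct translated port per client."""
    table, next_port = {}, 40000
    for proto, src, sport, dst in packets:
        key = (proto, dst) if sport is None else (proto, src, sport, dst)
        if key not in table:
            table[key] = (PUBLIC, None if sport is None else next_port)
            next_port += 1
    return table
```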