On Wed, 9 Jan 2002 [EMAIL PROTECTED] wrote:

> Hi all,
>
> I am not sure really how to describe what I am after, but I'll try to sketch it.
>
> In a situation in which a network needs to have broad compatibility with multi-vendor VPN solutions (from client sites to home office, and vice versa), it appears that fully routable, legal IP addresses will be required. One client in particular declares that NAT will not work with its "aggressive mode" system, and cannot be made to.
>
> The systems on the local subnet need to be able to communicate as a full workgroup, sharing files and printers. The VPN connections need to be initiated from both external locations coming in, and from internal hosts going out. As I understand it, systems in a DMZ in Eiger/Dachstein cannot be made to communicate with each other without routing tweaks --- so I'm assuming this won't do the trick.
>
> Here are my questions:
>
> 1. Is it still true that some systems absolutely cannot be made to work with NAT?

No, but they can make it difficult enough that no-one will want to reverse-engineer their protocol well enough to make it work. Simple protocols just need to be port-forwarded. More difficult ones need helper modules to watch the outgoing protocol and build on-the-fly port forwarding rules for the return connections. If there are no programmers around with the appropriate incentive, such modules won't be written. Checkpoint's FWZ won't work because it is proprietary, encrypted, and if anyone could reverse engineer the protocol, it wouldn't be worth much, would it? The frustrating thing is that Checkpoint ALSO supports IPSec, but your other endpoints may refuse to use it.

> 2. Anyone care to comment on the security and administration issues with managing a network of routable addresses from behind a LEAF box?

The firewall rules have to be constructed differently than usual in the absence of masquerading. I think Dachstein has a "ROUTER" option, but I don't know how well the firewall works in that mode.

> 3. Are there any architectural "tricks" that can be used to create VPN gateways that allow full access into a private network from only one trusted host outside --- and is this a good idea?

I am not sure what you mean by this. You could mean you are interested in VPN options or in firewall options... but I think it is implicit in VPN technology that the other end be identifiable, and access be controllable.

> 4. Are there example configs around where a LEAF distro has been setup to do such things?

Don't know.

---------------------------------------------------------------------------
Jeff Newmiller
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
DCN: <[EMAIL PROTECTED]>
---------------------------------------------------------------------------
Leaf-user mailing list, [EMAIL PROTECTED], https://lists.sourceforge.net/lists/listinfo/leaf-user
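As an added illustration of the distinction the reply draws (a static port-forward suffices for a simple protocol, a helper module that parses the outgoing control channel is needed for a complex one, and no helper can be written for an encrypted proprietary one), here is a toy Python model of a masquerading gateway. It is not code from the thread or from LEAF/Dachstein; the "CALLBACK <port>" control message, the addresses and the ports are constructed for the example.

```python
import re

PUBLIC_IP = "203.0.113.1"  # constructed example address for the gateway


class Gateway:
    def __init__(self):
        self.next_port = 40000
        self.outbound = {}   # (private_ip, private_port) -> public source port
        self.inbound = {}    # public port -> (private_ip, private_port)
        self.helpers = {}    # destination port -> parser for that control channel

    def forward(self, public_port, private_ip, private_port):
        """Static port-forward: all a simple protocol needs."""
        self.inbound[public_port] = (private_ip, private_port)

    def outbound_packet(self, src, dst_port, payload):
        """Masquerade the source; let a helper pre-create the return mapping."""
        if src not in self.outbound:
            self.outbound[src] = self.next_port
            self.next_port += 1
        parser = self.helpers.get(dst_port)
        if parser is not None:
            return_port = parser(payload)
            if return_port is not None:
                # On-the-fly rule: the announced port, forwarded back to the client.
                self.inbound[return_port] = (src[0], return_port)
        return (PUBLIC_IP, self.outbound[src])

    def inbound_packet(self, dst_port):
        """Internal destination for an unsolicited inbound packet, or None (dropped)."""
        return self.inbound.get(dst_port)


def cleartext_helper(payload):
    """Hypothetical control message 'CALLBACK <port>' announcing a return port."""
    m = re.match(rb"CALLBACK (\d+)$", payload)
    return int(m.group(1)) if m else None


def demo():
    gw = Gateway()
    gw.helpers[5000] = cleartext_helper
    # Cleartext protocol: the helper reads the announced port and builds the rule.
    gw.outbound_packet(("192.168.1.10", 3333), 5000, b"CALLBACK 6000")
    reached = gw.inbound_packet(6000)      # ("192.168.1.10", 6000)
    # Encrypted proprietary protocol: the same announcement crosses the gateway
    # as ciphertext, so no rule is built and the return packet is dropped.
    gw.outbound_packet(("192.168.1.11", 3334), 5000, b"\x9f\x1c\x07\xe2\x41")
    dropped = gw.inbound_packet(6001)      # None
    return reached, dropped
```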