> I had a weird idea I have no way to test right now.
> What if I had the Eiger masquerade both directions?
> The packet is unencapsulated.
> It goes through the forward chain.
> Its source address is masq'd to the internal address.
> The Exchange server responds to that address.
> The NAT table converts the destination address of the
> response to the source address of the request.
> IPsec sees it and says "that's mine".
That should work, although you're a bit outside the existing firewall script functionality. Sounds like you really want a VPN gateway more than a firewall, though, so maybe that's OK.

If you set up the above, you *WILL* have problems with M$ networking (which doesn't like being masqueraded) over the VPN, so whether masquerading the remote VPN system to your local net will work for you depends on exactly which protocols you need to run. I'm not sure about Exchange (I stay as far away from it as possible), but it may suffer the same problems that prevent M$ networking from working properly when masqueraded if you're using the 'advanced' features and not just running in SMTP/POP/IMAP mode...

<rant>
Good old Microsoft... where "enterprise networking" is a single collision domain, all protocols use dynamically allocated ports, and IP information is embedded in datagrams to break that pesky masquerading... Remember, at Micro$oft, security is more than just an afterthought, it's a Marketing Slogan!!! I'm personally glad to live in one of the states that parted ways with Justice on the M$ anti-trust case.
</rant>

Sorry about that... I think something in me just snaps whenever anyone mentions "Exchange server" <sigh>

At least you're looking for an alternate solution for your VPN...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user
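The two things this thread turns on are (1) why the reverse NAT lookup hands the Exchange reply back to the tunnel, and (2) why a protocol that writes its own IP address into the payload breaks under that masquerade. The following is an added example, not LEAF/Eiger firewall script code and not anything from the poster: a toy port-based masquerade table plus an IPsec-style selector in Python. All addresses (VPN client 10.9.0.5, firewall inside address 192.168.1.1, Exchange 192.168.1.10), the port numbers, and the "callback <ip>:<port>" payload standing in for a protocol that embeds IP information are constructed for the example; it models only the tunnel-to-LAN direction the quoted text walks through, not the LAN-to-tunnel masquerade.

```python
"""Toy model of the "masquerade the VPN client to the internal address" idea.

Added example, not LEAF/Eiger code. A minimal source-NAT table keyed on the
translated port (like a masq/conntrack table) and an IPsec-style selector,
used to show why the reply to a masqueraded request comes back through the
tunnel, and why a payload that carries the pre-NAT address does not.
All addresses and ports are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

VPN_CLIENT = "10.9.0.5"        # remote IPsec peer's inner address (assumed)
FW_INTERNAL = "192.168.1.1"    # firewall's inside interface (assumed)
EXCHANGE = "192.168.1.10"      # Exchange server on the LAN (assumed)
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
TUNNEL_NET = ipaddress.ip_network("10.9.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Masquerader:
    """Source NAT: rewrite src to masq_addr, remember the original 4-tuple."""
    masq_addr: str
    next_port: int = 61000
    table: dict = field(default_factory=dict)  # masq_port -> original 4-tuple

    def forward(self, pkt: Packet) -> Packet:
        """Forward chain: packet leaving the tunnel towards the LAN."""
        orig = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for mport, entry in self.table.items():
            if entry == orig:          # reuse an existing mapping
                break
        else:
            mport, self.next_port = self.next_port, self.next_port + 1
            self.table[mport] = orig
        return Packet(self.masq_addr, mport, pkt.dst, pkt.dport, pkt.payload)

    def reverse(self, pkt: Packet) -> Optional[Packet]:
        """Reply path: restore the original source, or None if no state matches."""
        entry = self.table.get(pkt.dport)
        if pkt.dst != self.masq_addr or entry is None:
            return None
        orig_src, orig_sport, dst, dport = entry
        if (pkt.src, pkt.sport) != (dst, dport):
            return None
        return Packet(pkt.src, pkt.sport, orig_src, orig_sport, pkt.payload)


def ipsec_selects(pkt: Packet) -> bool:
    """IPsec policy selector: LAN -> tunnel-net traffic is 'mine'."""
    return (ipaddress.ip_address(pkt.src) in LOCAL_NET
            and ipaddress.ip_address(pkt.dst) in TUNNEL_NET)


def exchange_reply(request: Packet) -> Packet:
    """The server answers whatever the IP header says the source was."""
    return Packet(request.dst, request.dport, request.src, request.sport, b"250 OK")


def smtp_session(nat: Masquerader) -> tuple:
    """Plain request/response (SMTP-like): survives the masquerade."""
    req = Packet(VPN_CLIENT, 40000, EXCHANGE, 25, b"EHLO client")
    on_lan = nat.forward(req)        # Exchange sees FW_INTERNAL as the source
    reply = exchange_reply(on_lan)   # addressed to FW_INTERNAL:<masq port>
    back = nat.reverse(reply)        # destination restored to VPN_CLIENT
    return on_lan.src, back.dst, ipsec_selects(back)


def callback_session(nat: Masquerader) -> tuple:
    """Protocol that says 'connect back to <my IP>:<port>' inside the payload."""
    req = Packet(VPN_CLIENT, 40001, EXCHANGE, 135,
                 f"callback {VPN_CLIENT}:40002".encode())
    on_lan = nat.forward(req)
    # The masquerade rewrote the header, not the payload: the server is told
    # an address that no longer matches the source it actually saw.
    host, port = on_lan.payload.split()[1].decode().split(":")
    new_conn = Packet(EXCHANGE, 50000, host, int(port))
    # A fresh server-initiated flow is not a reply to any tracked mapping.
    return on_lan.src, host, on_lan.src == host, nat.reverse(new_conn) is None


if __name__ == "__main__":
    print("SMTP-like:", smtp_session(Masquerader(FW_INTERNAL)))
    print("callback :", callback_session(Masquerader(FW_INTERNAL)))
```

The second case is the generic shape of the "IP information is embedded in datagrams" complaint: a NAT that does not parse the application payload cannot keep header and payload consistent, and the server's new connection matches no existing NAT state. Whether that fresh connection reaches the client at all then depends on the LAN's routing and on what the forward chain permits for dynamically allocated ports, neither of which this model covers.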
