Thanks,
I was pretty sure that I was on the right track.
Just for clarification:
"..., and run an IPSec 'helper' module (with 2.2 kernels...I'm not sure if the 2.4 kernels work the same way) or use nat-traversal (which 'tunnels' the protocol 50 traffic across UDP)."
This refers to the internal machine running the ipsec server.
There is nothing that has to be added to the Bering firewall box. Right?
(Basically, all the firewall sees is the UDP packet, which it just port-forwards like anything else. The NAT-traversal "patch" is applied to machines at both ends of the ipsec tunnel, not the firewall/NAT-PAT machine.)
If you're running with the NAT-traversal patch, you are correct: nothing else is needed on the Bering firewall, as all IPSec traffic is simple UDP packets, which pass through most any masquerading firewall (from dumb $30 'black-boxes' to Bering).
If you can't run NAT-traversal (or for some reason don't want to), you need the linux 2.4 kernel equivalent of the ip_masq_ipsec.o module for the 2.2 kernels, which handles forwarding/masquerading of the protocol 50 IPSec traffic. I run ipsec on my firewalls (and don't do as much Bering support as Dachstein :), so I'm not sure if ipsec masquerading is possible with 2.4 kernels or what the 'helper' modules/programs would be.
-- Charles Steinkuehler [EMAIL PROTECTED]
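The reason the reply above draws a line between "protocol 50" and "simple UDP packets" is that a masquerading (NAT/PAT) box rewrites and demultiplexes on port numbers, and an ESP packet has none: after the IP header it carries only an SPI and a sequence number. NAT-traversal wraps the same ESP payload in a UDP header, so the firewall sees ports it can translate. The following Python script is an added illustration, not code from this thread or from the LEAF/Bering project: it builds constructed packets of both kinds and reports what a port-translating firewall can work with. The UDP port 4500 and the "non-ESP marker" (four zero bytes that distinguish IKE from ESP on that port) come from RFC 3948, which the message does not mention; the addresses and SPI are made-up test values.

```python
import struct

IPPROTO_ESP = 50   # the "protocol 50" traffic discussed in the thread
IPPROTO_UDP = 17
NAT_T_PORT = 4500  # UDP port used for ESP-in-UDP encapsulation (RFC 3948); assumption, not from the thread


def build_ipv4(proto, src, dst, payload):
    """Construct a minimal 20-byte IPv4 header (no options) in front of payload."""
    total_len = 20 + len(payload)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def build_esp(spi, seq, body):
    """ESP header: 32-bit SPI, 32-bit sequence number, then the (opaque) encrypted body."""
    return struct.pack("!II", spi, seq) + body


def build_udp(sport, dport, body):
    """UDP header with a zero checksum (acceptable for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def classify(pkt):
    """Return the fields a port-translating firewall can see in an IPv4 packet.

    'pat_ok' is True only when the packet carries transport-layer ports that
    a masquerading box can rewrite; raw ESP has none.
    """
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]

    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        # No ports to translate: PAT cannot map several inner hosts onto one public address.
        return {"transport": "esp", "spi": spi, "seq": seq, "ports": None, "pat_ok": False}

    if proto == IPPROTO_UDP:
        sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
        udp_body = payload[8:ulen]
        info = {"transport": "udp", "sport": sport, "dport": dport, "pat_ok": True}
        if NAT_T_PORT in (sport, dport) and len(udp_body) >= 8:
            # RFC 3948: on port 4500, IKE messages start with a 4-byte non-ESP marker
            # of zeros; ESP packets start with their SPI, which is never zero.
            first_word = struct.unpack("!I", udp_body[:4])[0]
            if first_word == 0:
                info["inner"] = "ike"
            else:
                info["inner"] = "esp"
                info["spi"] = first_word
        return info

    return {"transport": f"proto-{proto}", "ports": None, "pat_ok": False}


# Constructed sample traffic: the same ESP payload, raw and UDP-encapsulated.
SAMPLE_ESP = build_esp(0x1234ABCD, 1, b"\x00" * 16)
RAW_ESP_PKT = build_ipv4(IPPROTO_ESP, "10.0.0.5", "203.0.113.9", SAMPLE_ESP)
NAT_T_PKT = build_ipv4(IPPROTO_UDP, "10.0.0.5", "203.0.113.9",
                       build_udp(NAT_T_PORT, NAT_T_PORT, SAMPLE_ESP))
IKE_ON_4500_PKT = build_ipv4(IPPROTO_UDP, "10.0.0.5", "203.0.113.9",
                             build_udp(NAT_T_PORT, NAT_T_PORT, b"\x00" * 4 + b"\x01" * 28))

if __name__ == "__main__":
    for name, pkt in [("raw ESP", RAW_ESP_PKT), ("ESP in UDP", NAT_T_PKT), ("IKE on 4500", IKE_ON_4500_PKT)]:
        print(f"{name:12s} -> {classify(pkt)}")
```

Running it shows the raw ESP packet with an SPI but `pat_ok: False`, while the encapsulated copy exposes source and destination ports the firewall can forward; that is the whole of what the "port-forwards like anything else" remark relies on. The SPI is the only handle a kernel-side helper (such as the 2.2 ip_masq_ipsec module named in the reply) has for tracking raw ESP flows, which is why it is a special case rather than ordinary masquerading.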
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
