>Are there any known bugs or fixes that I'm not aware of?

What kind of IPSEC server are you trying to connect to?
Is it a Nortel Contivity box?  If so, (as I understand it) there
is NO way to get a working Nortel IPSEC tunnel running behind
ANY form of a NAT system.

Intro:

Basically, there are two kinds of IPSEC VPNs out there.

ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
(towards the bottom)

--
The IPsec AH protocol (51/ip) incorporates a cryptographic checksum including 
the IP addresses in the IP header. Since masquerading changes those IP 
addresses and since the cryptographic checksum cannot be recalculated by the 
masquerading firewall, the masqueraded packets will fail the checksum test and 
will be discarded by the remote IPsec gateway. Therefore, IPsec VPNs that use 
the AH protocol cannot be successfully masqueraded. Sorry. (ESP with 
authentication can be masqueraded.)
--

From my understanding, the Contivity box does NOT support ESP-only
mode.  The feature request is ALREADY in and they have told customers
that the feature is coming but I don't know when.  Check with your
admin and see what he/she says.

--David
.----------------------------------------------------------------------------.
|  David A. Ranch - Linux/Networking/PC hardware         [EMAIL PROTECTED]  |
!----                                                                    ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
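
Added example, not part of the original post or the quoted HOWTO: a simplified Python model of why the AH integrity check fails after masquerading while ESP authentication survives it. The key, SPI, addresses and payloads are constructed, HMAC-SHA1-96 is assumed as the integrity algorithm, and no real encryption is performed.

```python
import hashlib, hmac, socket, struct

KEY, SPI = b"constructed-demo-key", 0x1000   # constructed SA parameters
FMT = "!BBHHHBBH4s4s"                        # 20-byte IPv4 header, no options

def mac(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]   # HMAC-SHA1-96 (assumed)

def build(proto, src, dst, body):
    # IP header checksum is left at 0: it is mutable and never part of an ICV
    return struct.pack(FMT, 0x45, 0, 20 + len(body), 0x1234, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + body

def ah_icv(pkt):
    f = list(struct.unpack(FMT, pkt[:20]))
    f[1] = f[4] = f[5] = f[7] = 0    # zero mutable fields: TOS, flags/frag, TTL, checksum
    # Addresses stay in the input; the ICV field itself (bytes 32..44) is zeroed
    return mac(struct.pack(FMT, *f) + pkt[20:32] + b"\0" * 12 + pkt[44:])

def ah_packet(src, dst, payload):
    ah = struct.pack("!BBHII", 4, 4, 0, SPI, 1)   # next hdr, length, reserved, SPI, seq
    pkt = build(51, src, dst, ah + b"\0" * 12 + payload)
    return pkt[:32] + ah_icv(pkt) + pkt[44:]

def esp_packet(src, dst, ciphertext):
    esp = struct.pack("!II", SPI, 1) + ciphertext   # SPI, seq, opaque encrypted data
    return build(50, src, dst, esp + mac(esp))      # ICV covers ESP only, not the IP header

def verify(pkt):
    """Receiver-side integrity check, chosen by IP protocol number."""
    if pkt[9] == 51:
        return hmac.compare_digest(pkt[32:44], ah_icv(pkt))
    if pkt[9] == 50:
        return hmac.compare_digest(pkt[-12:], mac(pkt[20:-12]))
    raise ValueError("not an AH or ESP packet")

def forward(pkt, masq_src=None):
    """Forward a packet: decrement TTL; rewrite the source address if masquerading."""
    f = list(struct.unpack(FMT, pkt[:20]))
    f[5] -= 1
    if masq_src:
        f[8] = socket.inet_aton(masq_src)
    return struct.pack(FMT, *f) + pkt[20:]

if __name__ == "__main__":
    for name, pkt in (("AH", ah_packet("192.168.1.10", "203.0.113.5", b"constructed payload")),
                      ("ESP", esp_packet("192.168.1.10", "203.0.113.5", b"constructed payload"))):
        print(name, "routed:", verify(forward(pkt)),
              "masqueraded:", verify(forward(pkt, "198.51.100.7")))
```

Plain routing only touches fields AH treats as mutable, so both packets still verify; only the address rewrite done by masquerading invalidates the AH ICV.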