Contivity VPN woes
bscott at ntisys.com
Mon Nov 18 18:13:08 EST 2002
On Mon, 18 Nov 2002, at 4:45pm, tcharron at ductape.net wrote:
> Also to note that there are ip_masq modules specifically for pptp AND
> ipsec that, if I recall correctly, take care of the majority of these for
> you. Personally, I load the pptp module, and require no further
> configuration. IPSec, etc, on the other hand, may require a bit more..
It depends. If all you need is a single node behind the NAT doing IPsec,
loading the modules is sufficient. (If you have them. I note, for example,
on my RHL 7.3 / kernel 2.4.18 system, that no pre-compiled modules
mentioning IPsec or PPTP exist.)
If you want multiple IPsec nodes behind one-to-many NAT, things get
tricky, as IPsec contains no state information that the NAT can track. A
technique (called "NAT traversal", or just "NAT-T") has been developed to
work around this; however, AFAIK, it requires support at both ends, which
may be difficult if you're dealing with an {uncooperative,clueless}
corporate IT department or proprietary VPN vendor.
--
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or |
| organization. All information is provided without warranty of any kind. |
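As an added illustration (not part of the original thread), a small Python model of the problem Ben describes: a port-translating NAT can key raw ESP (IP protocol 50) only on protocol and peer address, so a second inner host talking to the same gateway collides, while NAT-T's UDP encapsulation on port 4500 gives the NAT a port it can rewrite per host. The addresses, port numbers and the NAT's table logic are constructed for the demonstration and simplify real implementations.

```python
from dataclasses import dataclass
from typing import Optional
ESP = 50           # IP protocol number for IPsec ESP: no transport-layer ports
UDP = 17
NAT_T_PORT = 4500  # UDP port NAT-T uses to wrap ESP (RFC 3948)

@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # None for raw ESP: nothing for NAT to rewrite
    dst_port: Optional[int] = None

class Nat:
    """Toy one-to-many NAT: (proto, peer ip, external port) -> inner host."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.mappings: dict = {}
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src_port is None:
            # Raw ESP: the only state visible outside is (proto, peer); no port to vary.
            ext_port = None
        else:
            ext_port, self.next_port = self.next_port, self.next_port + 1
        key = (pkt.proto, pkt.dst_ip, ext_port)
        if key in self.mappings and self.mappings[key] != pkt.src_ip:
            return None  # a second inner host would be indistinguishable on return
        self.mappings[key] = pkt.src_ip
        return Packet(pkt.proto, self.public_ip, pkt.dst_ip, ext_port, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Inner host a reply from the peer belongs to, or None if unknown."""
        return self.mappings.get((pkt.proto, pkt.src_ip, pkt.dst_port))

def hosts_reachable(use_nat_t: bool) -> int:
    """Count inner hosts whose replies from the VPN gateway can be delivered."""
    nat, gw, delivered = Nat("203.0.113.1"), "198.51.100.2", 0  # constructed addresses
    for inner in ("192.168.1.10", "192.168.1.11"):
        if use_nat_t:
            out = nat.outbound(Packet(UDP, inner, gw, NAT_T_PORT, NAT_T_PORT))
        else:
            out = nat.outbound(Packet(ESP, inner, gw))
        if out is not None:
            reply = Packet(out.proto, gw, nat.public_ip, out.dst_port, out.src_port)
            delivered += int(nat.inbound(reply) == inner)
    return delivered
```

With raw ESP only the first host's tunnel survives; with NAT-T both do, which is why the second case needs support on the gateway side as well as the client.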