From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: Roksana Boreli <Roksana.Boreli@nicta.com.au>
Cc: netfilter@lists.netfilter.org
Subject: Re: Multiple IPSEC VPNs through a firewall based on 2.4.2X kernel
Date: Tue, 24 Aug 2004 05:31:52 -0400
Message-ID: <1093339912.2050.208.camel@localhost>
In-Reply-To: <09D3F703EF3B0A4CBE28449EA9F3D32069F456@nicta-atp-mail.in.nicta.com.au>
On Tue, 2004-08-24 at 01:11, Roksana Boreli wrote:
> Hi,
>
> I am trying to set up multiple ipsec VPN clients working behind a Linux
> router with NAT/PAT, based on a 2.4.20 (can be 2.4.22) kernel. I would
> like to be able to connect a number of Windows (2k or XP) machines to an
> existing Cisco VPN server.
>
> client 1 (ipsec)  ---> | router |
> client 2 (ipsec)  ---> | NAT/   |
>        .               | PAT    | -> ipsec VPN server (Cisco)
>        .               |        |
> client 10 (ipsec) ---> |        |
>
> A patch seems to be needed to make this work, and I have seen a lot of
> emails with a similar question in regards to pptp VPN clients, but
> nothing encouraging for ipsec. I have also seen the IP masquerade HOWTO
> and the VPN HOWTO, which both refer to a patch for 2.2 kernels, but
> claim nothing is available for 2.4 kernels. I am a netfilter newbie (if
> this is not blindingly obvious), so any help would be much appreciated.
>
>
> Kind regards, Roksana
The answer depends on what exactly you are trying to do. If you are
branching together two networks, you may wish to consider moving the
IPSec stack to the Linux gateway and creating a LAN-to-LAN connection.
If you wish to restrict access to just those few clients, you can make
such restrictions in iptables.

On the other hand, if you are connecting to an external network, e.g.,
clients from a partner are working on your network and they need access
back to their home network (consider carefully if you really want to do
that - you may open your internal network to the external network
through these clients), then you will want to retain the IPSec stack on
the clients.

You have two options. You can use a client which supports NAT-Traversal
(assuming that the Cisco VPN device is also configured to use
NAT-Traversal) or you can assign a one-to-one NAT mapping for the
clients to unique public addresses (very expensive if you have limited
public IP addresses) and use a standard IPSec stack. We have
successfully implemented both arrangements. Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
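The two options John lists (one-to-one NAT per client, or NAT-Traversal) as an added shell example; this is editor-written illustration, not a script from the thread or from any of the posters. The reason plain ESP needs a dedicated public address per client is that ESP carries no port numbers, so a PAT router has nothing to multiplex several clients' ESP streams to the same peer on; NAT-T wraps ESP in UDP/4500 and removes that limitation. The interface name, the VPN server address (203.0.113.5) and the client addresses (192.168.1.x / 192.0.2.x) are constructed placeholders. Setting DRY_RUN=1 prints the iptables commands instead of running them, which is how the rule set can be reviewed before it touches a live router.

```shell
#!/bin/sh
# Added example: iptables rules for IPsec clients behind a Linux NAT router.
# All addresses and the interface name below are constructed placeholders.

VPN_SERVER="203.0.113.5"      # constructed: the Cisco VPN concentrator
WAN_IF="eth0"                 # assumed: external interface of the router
LAN_NET="192.168.1.0/24"      # constructed: internal client network

# Option 2 (one-to-one NAT): "private public" pairs, one public address per client.
CLIENT_MAP="192.168.1.11 192.0.2.11
192.168.1.12 192.0.2.12"

# Wrapper: print the rule when DRY_RUN=1, otherwise apply it.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# One-to-one NAT for a single client: SNAT outbound to its own public address,
# DNAT inbound back to it, and forward only IKE (UDP/500), ESP and AH, and
# only between this client and the VPN server (the "restrictions in iptables").
nat_one_client() {
    priv="$1"; pub="$2"
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$priv" -d "$VPN_SERVER" -j SNAT --to-source "$pub"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -s "$VPN_SERVER" -d "$pub" -j DNAT --to-destination "$priv"
    ipt -A FORWARD -s "$priv" -d "$VPN_SERVER" -p udp --dport 500 -j ACCEPT
    ipt -A FORWARD -s "$priv" -d "$VPN_SERVER" -p esp -j ACCEPT
    ipt -A FORWARD -s "$priv" -d "$VPN_SERVER" -p ah -j ACCEPT
    ipt -A FORWARD -s "$VPN_SERVER" -d "$priv" -p udp --sport 500 -j ACCEPT
    ipt -A FORWARD -s "$VPN_SERVER" -d "$priv" -p esp -j ACCEPT
    ipt -A FORWARD -s "$VPN_SERVER" -d "$priv" -p ah -j ACCEPT
}

# Emit (or apply) the one-to-one rules for every client in CLIENT_MAP.
nat_all_clients() {
    echo "$CLIENT_MAP" | while read -r priv pub; do
        [ -n "$priv" ] || continue
        nat_one_client "$priv" "$pub"
    done
}

# Option 1 (NAT-Traversal): with IKE on UDP/500 and ESP encapsulated in
# UDP/4500, every client has a UDP port to be translated on, so a single
# shared public address (MASQUERADE) is enough and no ESP forwarding is needed.
natt_rules() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -d "$VPN_SERVER" -j MASQUERADE
    ipt -A FORWARD -s "$LAN_NET" -d "$VPN_SERVER" -p udp -m multiport --dports 500,4500 -j ACCEPT
    ipt -A FORWARD -s "$VPN_SERVER" -d "$LAN_NET" -p udp -m multiport --sports 500,4500 -j ACCEPT
}

# Preview either rule set without applying it:
#   DRY_RUN=1 sh this_script.sh   (after adding a call such as: nat_all_clients)
```

Both functions assume the FORWARD chain's policy is DROP, so the ACCEPT rules are what scopes the clients to the VPN server and nothing else; the one-to-one variant also needs the router to answer ARP for each public address on the WAN side (proxy ARP or an alias), which is outside the firewall rules shown here.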