Pantek Library

Re: linux-ipsec: Any work done on an IPSec masq module?

From: Paul Gilbert <pgilbert(at)bank-banque-canada.ca>
Date: Fri Aug 14 1998 - 10:52:54 EDT


>> Does anyone care to comment on the usefulness of masq support for IPSec in

I am a somewhat casual observer of the linux-ipsec list. This seems to be a question about the usefulness of something I want to do and I think will be a fairly common use for IPSec, but please excuse me if I am completely confused. (I tried to refresh my memory by looking for a page I once saw describing the difference between tunnel mode and transport mode, but can no longer find it.) If someone can explain all this in terms a novice can understand then I would very much appreciate it. In any event, let me explain the potential application which I hope is, or will be, possible with IPSec and Masq.

I have a home network connected to the Internet by IPMasq and would like to connect from one home machine to a firewall supporting IPSec which interfaces a secure network to the Internet. ASCII art:

{home net} <--> [IPMasq] <--> internet<--> [firewall] <-->{secure net}

[1st  home machine]<===================> [firewall]
[2nd home machine]<-------> internet
==== encrypted traffic    ---- normal traffic

I don't want to prevent other home machines from continuing to connect to the Internet, but I especially would not want any of the home machines to compromise the security of the secure net. This might be a problem if, for example, the tunnel was established between the IPMasq machine and the firewall and one of the other home machines could dial-out to the Internet separately from the IPMasq connection. (And in any event, it seems this IPMasq==firewall tunnel would also have to prevent other home machines from normal connections to the Internet or else security may be compromised.)

If necessary, another possible setup would be:

{home net2} <--> [IPMasq2] <--> {home net1} <--> [IPMasq1] <--> internet <--> [firewall] <--> {secure net}
                 [IPMasq2] <==============> [firewall]

and I guess the IPMasq2 machine would not necessarily need to do masquerading but could be a more traditional firewall.


Any enlightenment on how this can or will work would be very much appreciated. (Of course I don't have a clue what would have to be done to the ipmasq module to accomplish this.)

Paul Gilbert

Received on Fri Aug 14 12:03:57 1998

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:26 EDT

