Re: linux-ipsec: Any work done on an IPSec masq module?
From: Richard Guy Briggs <rgb(at)conscoop.ottawa.on.ca>
Date: Fri Aug 14 1998 - 19:03:16 EDT
Transport mode inserts an encryption or authentication or both headers between the upper layer protocol header (TCP/UDP/ICMP/IGMP) and the IP header and the authentication protects certain fields in the IP header from modification, such as src and dst address and a few other things. Transport mode can only be used end-to-end.
Tunnel mode encapsulates the entire IP header in an authentication or encryption header or both and then adds an external IP header to carry it from one security gateway to the other end, where the outer IP header is stripped away along with the authentication and encryption and then passed on to the destination. Tunnel mode can be used end-to-end, end-to-gateway, or gateway-to-gateway with the other end protected by the gateway.
> I have a home network connected to the Internet by IPMasq and would like to
I would suggest that the home machine that wants access to the secure net cannot share a subnet with the other machines. IP Spoofing and sniffing is too easy here, unless you use the home_machine_1 with IPSEC directly and not on the firewall.
> If necessary, another possible setup would be:
This would be more secure, but if you collapse home_net_2 and IPMasq2(IPFW2) together you get the same as I suggested above.
> Any enlightenment on how this can or will work would be very much appreciated.
I don't think you need to do anything to the ipmasq module, just apply masquerading consistently with your IPs. I hope this helps.
> Paul Gilbert
Wait! It just hit me...you know Russell McOrmond Ya? He's a block away.
slainte mhath, RGB
Richard Guy Briggs -- PGP key available Auto-Free Ottawa!
rgb at conscoop dot ottawa dot on dot ca http://www.flora.org/afo/
http://www.conscoop.ottawa.on.ca/rgb/ Ottawa-Rideau Bioregion, Canada
Please send all spam to root@127.0.0.1
"We left our footprints in the Earth
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:26 EDT
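The transport/tunnel distinction described in the message above, as an added example that is not part of the original post: a simplified Python model showing which header changes each mode's authentication detects. The key, addresses, payload and helper names are constructed; HMAC-SHA1 truncated to 96 bits over a reduced field set stands in for the real authentication data, and the tunnel case assumes ESP-style authentication that covers only the encapsulated packet.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the post

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # 20-byte IPv4 header; checksum left at 0 (it is a mutable field anyway)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def tag(data):
    # Stand-in for the authentication data: HMAC-SHA1 truncated to 96 bits
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def immutable(hdr):
    # Zero the fields routers legitimately change: TOS, flags/offset, TTL, checksum
    b = bytearray(hdr)
    for i in (1, 6, 7, 8, 10, 11):
        b[i] = 0
    return bytes(b)

def transport_packet(src, dst, payload):
    # IP header | auth data | upper-layer payload; tag covers header fields and payload
    hdr = ipv4_header(src, dst, 51, 12 + len(payload))
    return hdr + tag(immutable(hdr) + payload) + payload

def transport_ok(pkt):
    return hmac.compare_digest(pkt[20:32], tag(immutable(pkt[:20]) + pkt[32:]))

def tunnel_packet(gw_src, gw_dst, src, dst, payload):
    # outer IP header | auth data | complete inner IP packet (tag covers inner only)
    inner = ipv4_header(src, dst, 6, len(payload)) + payload
    return ipv4_header(gw_src, gw_dst, 50, 12 + len(inner)) + tag(inner) + inner

def tunnel_ok(pkt):
    return hmac.compare_digest(pkt[20:32], tag(pkt[32:]))

def rewrite_src(pkt, new_src, offset=0):
    # Replace the source address of the IP header that starts at `offset`
    return pkt[:offset + 12] + socket.inet_aton(new_src) + pkt[offset + 16:]

def set_ttl(pkt, ttl):
    return pkt[:8] + bytes([ttl]) + pkt[9:]

if __name__ == "__main__":
    data = b"constructed upper-layer payload"
    t = transport_packet("192.168.1.10", "203.0.113.5", data)
    u = tunnel_packet("198.51.100.1", "203.0.113.1", "192.168.1.10", "10.0.0.5", data)
    print("transport, TTL decremented: ", transport_ok(set_ttl(t, 63)))
    print("transport, src rewritten:   ", transport_ok(rewrite_src(t, "198.51.100.1")))
    print("tunnel, outer src rewritten:", tunnel_ok(rewrite_src(u, "198.51.100.9")))
    print("tunnel, inner src rewritten:", tunnel_ok(rewrite_src(u, "192.168.1.66", 32)))
```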