
Re: linux-ipsec: IPSec Masquerade

From: Michael Richardson <mcr(at)solidum.com>
Date: Fri Jan 15 1999 - 11:02:05 EST

>>>>> "John" == John D Hardin  writes:

>> {home net} <--> [IPMasq] <--> internet<--> [firewall] <-->{secure net}
>> [1st home machine]<===================> [firewall]
>> [2nd home machine]<-------> internet
>>
>> ===== encrypted traffic
>> ---- normal traffic

    John> This is what I hope to develop. Would you be willing to act as a test
    John> site?

  I really think that you would be much smarter to work on:

        A
  ---+--+-----SG1--------SG2----secure

     B

  A<====================>SG2----secure
              SG1<++++++>SG2----secure
  == ESP tunnel/transport ++ AH tunnel (or ESP if paranoid)

  (The == tunnel gets carried inside the ++ tunnel, no masquerading is done)

  If you do this, and let the "secure" network be aware of your private network then you get a far better system, and you solve real problems rather than working around your lack of IP address space.


  If you still want to solve the Masquerading problem, then I sincerely hope that you will implement Host-NAT or DNAT instead. One option for them is that the A<oooooo>SG1 connection may also be IPsec protected.

   :!mcr!:            |  Solidum Systems Corporation, http://www.solidum.com
   Michael Richardson |For a better connected world,where data flows faster<tm>
 Personal: mcr@sandelman.ottawa.on.ca. PGP key available.
 Corporate: mcr@solidum.com.

Received on Fri Jan 15 12:00:52 1999

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:29 EDT

