Re: Establishing a site-to-site ipsec connection

From: Nico Kadel-Garcia (nkadel_at_verizon.net)
Date: 04/26/03


Date: Sat, 26 Apr 2003 18:38:47 GMT

John Maher wrote:
> That's great to hear that you have such a varied and large implementation.
>
> "John SMith" <Jsmith@hotlink.com> wrote in message
> news:3EA92FDF.1060301@hotlink.com...
>
> ....
>
>
>>When used in conjunction with
>>IPTABLES it is remarkably flexible and secure - we connect to so many
>>third parties that IPTABLES NATing is a life saver for obfuscating
>>networks and resolving IP address conflicts.
>
>
> Since you bring it up, I'm a bit confused about the NATing issue. Most of
> what I read says using NAT breaks ipsec connections, particularly if using
> AH. But even the FreeSWAN documentation appears to have conflicting
> guidance on this by saying (in one part of the documentation) don't NAT or
> it will break, and (in another part of the documentation) that you need to
> do certain things if you NAT.
>
> And now you mention that "NATing is a life saver". I'm a bit confused and
> any clarification would be great.

Me too. A guide to FreeSwan that acknowledged the existence of NAT'ing
would be wonderful. A guide that also helped set it up *WITHOUT KEEPING
THE PASSWORDS IN THE CLEAR IN LOCAL TEXTFILES* would be even better....


