Re: Establishing a site-to-site ipsec connection

From: John SMith (Jsmith_at_hotlink.com)
Date: 04/30/03


Date: Wed, 30 Apr 2003 00:55:45 GMT

NATing is OK if it is done on the same box as the tunnel server, not
after it.

Our NATing implementation is rather simple due to our needs. We have to
simply provision connectivity to third parties, more or less for
individual services, not whole network connections. So we NAT those
services onto the public addresses in our DMZ, which are iptabled and
IPsec'ed to our third parties and vice versa if required. We use IKE for
key management, because it is more widely supported and easily maintained.

Regarding the secrets? Yes, they are in clear text. We watch very
closely! Tripwire and custom iptables watch daemons to detect changes
in filters, and of course IDS sensors everywhere - even on the IPsec
tunnels.

Works better than any MS or Novell solution I've used before.

Nico Kadel-Garcia wrote:
> John Maher wrote:
>
>> That's great to hear that you have such a varied and large
>> implementation.
>>
>> "John SMith" <Jsmith@hotlink.com> wrote in message
>> news:3EA92FDF.1060301@hotlink.com...
>>
>> ....
>>
>>
>>> When used in conjunction with
>>> IPTABLES it is remarkably flexible and secure - we connect to so many
>>> third parties that iptables NATing is a life saver for obfuscating
>>> networks and resolving IP address conflicts.
>>
>>
>>
>> Since you bring it up, I'm a bit confused about the NATing issue. Most of
>> what I read says using NAT breaks ipsec connections, particularly if using
>> AH. But even the FreeSWAN documentation appears to have conflicting
>> guidance on this by saying (in one part of the documentation) don't NAT or
>> it will break, and (in another part of the documentation) that you need to
>> do certain things if you NAT.
>>
>> And now you mention that "NATing is a life saver". I'm a bit confused and
>> any clarification would be great.
>
>
> Me too. A guide to FreeSwan that acknowledged the existence of NAT'ing
> would be wonderful. A guide that also helped set it up *WITHOUT KEEPING
> THE PASSWORDS IN THE CLEAR IN LOCAL TEXTFILES* would be even better....
>
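The ordering point made at the top of this post (NAT on the tunnel box works, NAT sitting behind it breaks the tunnel, and AH is the mode that suffers most) is illustrated below with constructed example code. It is not FreeS/WAN code and not the poster's configuration. It models the AH integrity check value as an HMAC over the immutable IP header fields plus the payload, models ESP's integrity check as covering only the encapsulated payload, and models a NAT hop as a source-address rewrite that also decrements the TTL. The key, the addresses, and the reduced set of header fields covered by the check are all assumptions made for the demonstration.

```python
"""Toy model of why NAT placement matters for IPsec AH versus ESP.

Constructed illustration, not FreeS/WAN code.  Real AH computes its ICV
over the entire IP header with mutable fields (TTL, checksum, ...) zeroed;
the reduced field set here is enough to show the ordering effect.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int            # mutable in transit, so excluded from the AH ICV
    payload: bytes
    icv: bytes = b""    # filled in by ah_protect() / esp_protect()


def ah_icv(key: bytes, pkt: Packet) -> bytes:
    # AH covers the IP header: src and dst are part of the ICV input,
    # the mutable TTL is treated as zero.
    covered = b"|".join([pkt.src.encode(), pkt.dst.encode(), b"\x00", pkt.payload])
    return hmac.new(key, covered, hashlib.sha256).digest()


def esp_icv(key: bytes, pkt: Packet) -> bytes:
    # ESP's ICV covers only the ESP header and (encrypted) payload,
    # never the outer IP header, so an address rewrite leaves it valid.
    return hmac.new(key, pkt.payload, hashlib.sha256).digest()


def ah_protect(key: bytes, pkt: Packet) -> Packet:
    return replace(pkt, icv=ah_icv(key, pkt))


def ah_verify(key: bytes, pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, ah_icv(key, pkt))


def esp_protect(key: bytes, pkt: Packet) -> Packet:
    return replace(pkt, icv=esp_icv(key, pkt))


def esp_verify(key: bytes, pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, esp_icv(key, pkt))


def snat(pkt: Packet, public_src: str) -> Packet:
    # Source NAT as a router would do it: rewrite src, decrement TTL,
    # leave whatever ICV is already attached untouched.
    return replace(pkt, src=public_src, ttl=pkt.ttl - 1)


def nat_on_tunnel_box(key: bytes, pkt: Packet, public_src: str) -> bool:
    # Working layout from the post: NAT happens on the IPsec gateway itself
    # and AH is applied afterwards, so the ICV covers the translated address.
    protected = ah_protect(key, snat(pkt, public_src))
    return ah_verify(key, protected)        # what the remote peer checks


def nat_after_tunnel_box(key: bytes, pkt: Packet, public_src: str) -> bool:
    # Broken layout: AH is applied first, then a downstream NAT device
    # rewrites the source address that the ICV already committed to.
    translated = snat(ah_protect(key, pkt), public_src)
    return ah_verify(key, translated)


def esp_after_tunnel_box(key: bytes, pkt: Packet, public_src: str) -> bool:
    # Same broken placement, but with ESP: the outer header is not covered,
    # so the integrity check still passes (port-less ESP may still be hard
    # for a NAT to track, which is a separate problem from the ICV).
    translated = snat(esp_protect(key, pkt), public_src)
    return esp_verify(key, translated)


# Constructed sample values (documentation ranges, not real hosts).
KEY = b"constructed-demo-key"
INNER = Packet(src="10.0.0.5", dst="203.0.113.10", ttl=64, payload=b"GET / HTTP/1.0\r\n")
PUBLIC_SRC = "198.51.100.7"

if __name__ == "__main__":
    print("NAT on tunnel box, AH  :", nat_on_tunnel_box(KEY, INNER, PUBLIC_SRC))
    print("NAT after tunnel, AH   :", nat_after_tunnel_box(KEY, INNER, PUBLIC_SRC))
    print("NAT after tunnel, ESP  :", esp_after_tunnel_box(KEY, INNER, PUBLIC_SRC))
```

Run as-is to see the three cases: the first and third verify, the second fails. The same reasoning explains the two FreeS/WAN passages quoted in the thread: "don't NAT or it will break" describes a NAT hop between the two gateways, while "do certain things if you NAT" describes translating on the gateway itself so the security policy and the AH/ESP processing see the already-translated addresses.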


