Re: Establishing a site-to-site ipsec connection

From: John Maher (jmaher_at_channing-bete-nospam.com)
Date: 04/30/03


Date: Wed, 30 Apr 2003 11:42:32 -0400

John, thank you to you and the others for helping me understand.

John

"John SMith" <Jsmith@hotlink.com> wrote in message
news:3EAF1F17.2030308@hotlink.com...
> NATting is OK if it is done on the same box as the tunnel server, not
> after it.
>
> Our NATting implementation is rather simple due to our needs. We have to
> simply provision connectivity to third parties, more or less for
> individual services, not whole network connections. So we NAT those
> services onto the public addresses in our DMZ, which are iptabled and
> IPseced to our third parties and vice versa if required. We use IKE for
> key management, because it is more widely supported and easily maintained.
>
> Regarding the secrets? Yes, they are in clear text. We watch very
> closely! Tripwired and custom IPTABLE watch daemons to detect changes
> in filters and of course IDS sensors everywhere - even on the IPSEC
> tunnels.
>
> Works better than any MS or Novell solution I've used before.
>
> Nico Kadel-Garcia wrote:
> > John Maher wrote:
> >
> >> That's great to hear that you have such a varied and large
> >> implementation.
> >>
> >> "John SMith" <Jsmith@hotlink.com> wrote in message
> >> news:3EA92FDF.1060301@hotlink.com...
> >>
> >> ....
> >>
> >>
> >>> When used in conjunction with
> >>> IPTABLES it is remarkably flexible and secure - we connect to so many
> >>> third parties that IPTABLES NATing is a life saver for obfuscating
> >>> networks and resolving IP address conflicts.
> >>
> >>
> >>
> >> Since you bring it up, I'm a bit confused about the NATing issue.
> >> Most of what I read says using NAT breaks ipsec connections,
> >> particularly if using AH. But even the FreeSWAN documentation appears
> >> to have conflicting guidance on this by saying (in one part of the
> >> documentation) don't NAT or it will break, and (in another part of the
> >> documentation) that you need to do certain things if you NAT.
> >>
> >> And now you mention that "NATing is a life saver". I'm a bit confused
> >> and any clarification would be great.
> >
> >
> > Me too. A guide to FreeSwan that acknowledged the existence of NAT'ing
> > would be wonderful. A guide that also helped set it up *WITHOUT KEEPING
> > THE PASSWORDS IN THE CLEAR IN LOCAL TEXTFILES* would be even better....
> >
>
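The thread's two claims, that NAT "breaks" AH but is fine when done on the tunnel box itself, both follow from what the AH integrity check covers. The example below is added here and is not code from any poster; it is a simplified, stdlib-only model of the RFC 4302 ICV computation (HMAC-SHA1-96 over an option-less IPv4 header with the mutable fields zeroed, the AH header, and the payload) with constructed addresses, key and payload. It shows a normal router hop (TTL decrement) leaving the ICV valid while an address rewrite downstream of the AH endpoint does not.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key; a real AH key is negotiated by IKE, never a literal.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")
IP_FMT = "!BBHHHBBH4s4s"   # IPv4 header without options (20 bytes)

def ipv4_header(src, dst, ttl=64, payload_len=0):
    # proto 51 = AH; header checksum left 0 (mutable, so AH does not protect it)
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 1, 0, ttl, 51, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    # RFC 4302: TOS, flags/fragment offset, TTL and checksum change in transit,
    # so AH zeroes them before computing the ICV; the addresses are NOT zeroed.
    vi, _tos, tl, ident, _ff, _ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, hdr)
    return struct.pack(IP_FMT, vi, 0, tl, ident, 0, 0, proto, 0, src, dst)

def ah_icv(hdr, payload, spi=0x1000, seq=1):
    # AH header: next hdr (17=UDP), payload len = 24/4 - 2, reserved, SPI, seq,
    # then the 12-byte ICV field zeroed for the computation.
    ah = struct.pack("!BBHII", 17, 4, 0, spi, seq) + b"\x00" * 12
    mac = hmac.new(KEY, zero_mutable(hdr) + ah + payload, hashlib.sha1).digest()
    return mac[:12]   # HMAC-SHA1-96 truncation

def verify(hdr, payload, icv):
    return hmac.compare_digest(ah_icv(hdr, payload), icv)

def router_hop(hdr):
    # An ordinary router decrements TTL, a mutable field: the ICV still matches.
    f = list(struct.unpack(IP_FMT, hdr)); f[5] -= 1
    return struct.pack(IP_FMT, *f)

def nat_rewrite(hdr, new_src):
    # NAT after the tunnel endpoint rewrites the source address, which AH covers.
    f = list(struct.unpack(IP_FMT, hdr)); f[8] = socket.inet_aton(new_src)
    return struct.pack(IP_FMT, *f)

def demo():
    payload = b"constructed UDP payload"        # constructed sample data
    hdr = ipv4_header("10.0.0.5", "192.0.2.10", payload_len=24 + len(payload))
    icv = ah_icv(hdr, payload)                   # computed by the AH endpoint
    return {"routed": verify(router_hop(hdr), payload, icv),
            "natted": verify(nat_rewrite(hdr, "203.0.113.1"), payload, icv)}

if __name__ == "__main__":
    print(demo())   # {'routed': True, 'natted': False}
```

NAT applied on the gateway before AH processing sees only the already-translated addresses, which is why the poster's on-box setup works; ESP, which does not cover the outer IP header, is the usual answer when translation must happen in between.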