VPN Passthrough with iptables
From: Ian G Batten (I.G.Batten@batten.eu.org) Date: 09/19/02
- Next message: : "Re: A log question"
- Previous message: : "Re: Laptop Can't Log On Network @ Startup?"
- Next in thread: Dieter Sarrazyn: "Re: VPN Passthrough with iptables"
- Reply: Dieter Sarrazyn: "Re: VPN Passthrough with iptables"
- Reply: Birger Toedtmann: "Re: VPN Passthrough with iptables"
- Reply: ahall: "Re: VPN Passthrough with iptables"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Ian G Batten <I.G.Batten@batten.eu.org> Date: 19 Sep 2002 10:20:21 GMT
If I have this scenario:
[PC]--local ethernet---[Linux Firewall/NAT]---Internet---[VPN Server]
how do I configure the Firewall/NAT box so that it will do IPSec VPN
passthrough from a VPN client on the PC to the VPN Server? The client
and server will be Symantec, if that matters, but I would like to pass
through arbitrary IPSec. I don't believe this is hard, as most
commodity SOHO routers support "VPN Passthrough" as part of their NAT
offering, and just knowing what they do would be sufficient (I'm fluent
with iptables, but not with IPSec).
I would be happy with a solution which only works for one PC.
From basic reading, I believe I need to use IKE key exchange, pass
outbound UDP traffic headed for a remote port 500 through (applying
simply the SNAT but leaving the source port alone) and use DNAT to pass
incoming traffic for port 500 on the NAT host to port 500 on the VPN
client. I think I can use SPI tracking on more recent kernels to
discriminate.
Am I on the right lines?
ian
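The single-PC variant the post describes (SNAT the outbound IKE traffic without touching its source port, DNAT inbound UDP 500 back to the one client, and do the same for the ESP payload, which has no ports at all) can be written as a small rule generator. This is an added example, not part of the original message or any reply: the interface names eth0 (Internet side) and eth1 (local ethernet) and the client address 192.168.1.10 are constructed placeholders. MASQUERADE rather than SNAT is used so the script works with a dynamic public address; both keep the original source port when it is free, which with one client it always is.

```shell
#!/bin/sh
# Added example: IPsec "VPN passthrough" for exactly one LAN host on a Linux
# iptables NAT box. Not from the original post. eth0/eth1/192.168.1.10 are
# constructed placeholders; substitute your own.

# is_ipv4 ADDR -> exit 0 when ADDR is a dotted quad with each octet in 0..255.
# Body runs in a subshell so the IFS change does not leak to the caller.
is_ipv4() (
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] 2>/dev/null || return 1
  done
  return 0
)

# ipsec_passthrough_rules WAN_IF LAN_IF CLIENT_IP
# Prints the iptables commands; review them, then pipe into sh as root:
#   ipsec_passthrough_rules eth0 eth1 192.168.1.10 | sh
ipsec_passthrough_rules() {
  wan=$1; lan=$2; client=$3
  is_ipv4 "$client" || { echo "bad client address: $client" >&2; return 1; }
  cat <<EOF
# The box must route between the two interfaces at all.
sysctl -w net.ipv4.ip_forward=1
# IKE (UDP 500) outbound: no --to-ports, so the client's source port 500
# is kept when it is free, which it always is with a single client.
iptables -t nat -A POSTROUTING -o $wan -s $client -p udp --dport 500 -j MASQUERADE
# IKE inbound: anything reaching the NAT box on UDP 500 goes to the PC.
iptables -t nat -A PREROUTING -i $wan -p udp --dport 500 -j DNAT --to-destination $client
# ESP (IP protocol 50) carries no ports; with one client we can NAT it on
# protocol alone and do not need the kernel to track SPIs.
iptables -t nat -A POSTROUTING -o $wan -s $client -p esp -j MASQUERADE
iptables -t nat -A PREROUTING -i $wan -p esp -j DNAT --to-destination $client
# Filter table: allow exactly this traffic through FORWARD, both directions.
iptables -A FORWARD -i $lan -o $wan -s $client -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -d $client -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $client -p esp -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -d $client -p esp -j ACCEPT
EOF
}

# When run directly with three arguments, print the rule set.
if [ "$#" -ge 3 ]; then
  ipsec_passthrough_rules "$@"
fi
```

Because every inbound IKE and ESP packet is steered to the one configured host, a second IPsec client on the LAN cannot be served by this rule set; that is precisely the limitation the post accepts, and what the SPI tracking it mentions would be needed to lift.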