Re: Connecting to VPN Router That's Behind Another Router



On Thu, 31 Jan 2008 23:15:03 +0100, Wolfgang Kueter wrote:

> Read my lips: You do *NOT* want to terminate an IPSec VPN on a private
> IP behind a NAT device. You *want* to terminate it on a public, routable IP.

Why not? First, you can control the traffic even on the first device; the
bad thing is you can only say it is an encrypted ESP packet.
If I use my roadwarrior access via openswan I do the same thing, only the
direction is turned around (IPSec pass-through).

> The device with the three interfaces might be an old PC running Linux
> with 3 or more NICs if you want to use cheap hardware. OpenSWAN and
> iptables will do everything you want, but you need some skills to get
> everything running.

Also, OpenBSD does a good job :).

> For a serious thing get a serious device; Netgear is mostly cheap crap.
>
> Wolfgang

Yes, I totally agree with you, especially in the described environment.

cheers
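As an added example (not code from either poster), here is what the "control the traffic even on the first device" point looks like as iptables rules on the outer NAT router: only IKE, NAT-T and ESP are forwarded to the inner VPN endpoint, everything else from the WAN side is dropped. The interface name eth0 and the inner address 192.168.1.10 are assumptions for the example.

```shell
#!/bin/sh
# Constructed example: pass an IPsec tunnel through an outer NAT router to an
# inner box while still filtering on the outer device. Interface and address
# values passed in are assumptions for the example.
#
# IPT can be overridden (e.g. IPT=echo) to print the rules instead of applying.
IPT="${IPT:-iptables}"

# Usage: ipsec_passthrough <wan_if> <inner_vpn_ip>
# Forwards only the three things an IPsec peer needs to reach the inner box:
#   IKE     UDP/500
#   NAT-T   UDP/4500 (ESP wrapped in UDP; used when a NAT sits in the path)
#   ESP     IP protocol 50 (raw ESP has no ports, which is why plain NAT
#           devices struggle with it and NAT-T is usually what really works)
ipsec_passthrough() {
    wan_if="$1"
    inner="$2"

    # DNAT the inbound IPsec traffic to the inner VPN endpoint.
    $IPT -t nat -A PREROUTING -i "$wan_if" -p udp --dport 500  -j DNAT --to-destination "$inner"
    $IPT -t nat -A PREROUTING -i "$wan_if" -p udp --dport 4500 -j DNAT --to-destination "$inner"
    $IPT -t nat -A PREROUTING -i "$wan_if" -p esp              -j DNAT --to-destination "$inner"

    # Allow exactly those forwarded flows plus their replies; drop the rest.
    $IPT -A FORWARD -i "$wan_if" -d "$inner" -p udp --dport 500  -j ACCEPT
    $IPT -A FORWARD -i "$wan_if" -d "$inner" -p udp --dport 4500 -j ACCEPT
    $IPT -A FORWARD -i "$wan_if" -d "$inner" -p esp              -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$wan_if" -j DROP
}

# Dry run: print the rules that would be applied, one per line.
ipsec_passthrough_dry_run() {
    ( IPT=echo; ipsec_passthrough "$1" "$2" )
}

# Number of rules the dry run emits (useful as a quick sanity check).
ipsec_passthrough_rule_count() {
    ipsec_passthrough_dry_run "$1" "$2" | wc -l | tr -d ' '
}
```

Run `ipsec_passthrough_dry_run eth0 192.168.1.10` first to review the rules, then `ipsec_passthrough eth0 192.168.1.10` as root to apply them.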