Re: Completely transparent VPN between NATed sites

[René Matthäi <matthaei_(_at_)_gmx_(_dot_)_de>]

Hi,

Jason Dixon schrieb:
> On Fri, 2003-08-15 at 10:18, René Matthäi wrote:
> > Jason Dixon schrieb:
> > > On Fri, 2003-08-15 at 07:27, René Matthäi wrote:
> > > > Jason Dixon schrieb:
> > > > > On Fri, 2003-08-15 at 05:52, René Matthäi wrote:
> > > > >
> > > > > > do you think it is generally possible to setup such a setup with 
> > > > > > built-in ipsec(?) resp. with KAME on (Open)BSD
> > > > > >
> > > > > > LAN-A ----- FW/NAT =====(internet)===== FWL/NAT ----- LAN-B
> > > > > > 192.168.1.x                                           192.168.2.x
> > > > > >
> > > > > > so that _everything_ works, including FTP, LDAP, H.323...?
> > > Based on your diagram of two networks connected via IPsec, you won't
> > > have any problem with NAT at all.  You're not going to NAT going from
> > > one controlled network to another... you're simply routing.
> >
> > Ok. But when I use to LAN-PCs as GW for VPN, meaning that the VPN GW is 
> > behind the FW/NAT device? NAT-Traversal doens't work with FTP, IRC, 
> > SNMP, LDAP, H.323... and so on.
>
> For the last time, your network diagram does not preclude the use of
> NAT-T.  You are ROUTING.

Yes and no. Please apologize my maybe stupid questions. But when I meant 
"Ok. But when I use two LAN-PCs as GW for VPN", I meant a setup like 
follows (which actually involves NA(P)T, as I think):

LAN-A-PCx --- SG === FW/NAT ===(inet)=== FW/NAT === SG --- LAN-B-PCy

where SG is Security Gateway, i. e. the computer that does VPN 
transformation.

I understand what you mean by saying that all is about routing. But in 
that case (see diagram resp. "Ok. But when I use two LAN-PCs as GW for 
VPN") VPN-Traffic goes through a NATing FIREWALL. This idea is not 
penned by me.

Greetings,

René