
Re: Completely transparent VPN between NATed sites



Hi,

Jason Dixon schrieb:
On Fri, 2003-08-15 at 10:18, René Matthäi wrote:
Jason Dixon schrieb:
On Fri, 2003-08-15 at 07:27, René Matthäi wrote:
Jason Dixon schrieb:
On Fri, 2003-08-15 at 05:52, René Matthäi wrote:

do you think it is generally possible to set up such a setup with built-in IPsec(?) or with KAME on (Open)BSD

LAN-A ----- FW/NAT =====(internet)===== FWL/NAT ----- LAN-B
192.168.1.x                                           192.168.2.x

so that _everything_ works, including FTP, LDAP, H.323...?

Based on your diagram of two networks connected via IPsec, you won't
have any problem with NAT at all.  You're not going to NAT going from
one controlled network to another... you're simply routing.

Ok. But when I use two LAN-PCs as GW for VPN, meaning that the VPN GW is behind the FW/NAT device? NAT-Traversal doesn't work with FTP, IRC, SNMP, LDAP, H.323... and so on.

For the last time, your network diagram does not preclude the use of NAT-T. You are ROUTING.

Yes and no. Please excuse my maybe stupid questions. But when I wrote "Ok. But when I use two LAN-PCs as GW for VPN", I meant a setup like the following (which actually involves NA(P)T, I think):


LAN-A-PCx --- SG === FW/NAT ===(inet)=== FW/NAT === SG --- LAN-B-PCy

where SG is Security Gateway, i. e. the computer that does VPN transformation.

I understand what you mean by saying that all is about routing. But in that case (see diagram, or "Ok. But when I use two LAN-PCs as GW for VPN") VPN traffic goes through a NATing FIREWALL. This idea is not penned by me.

Greetings,

René
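The point the two posters are circling (that the NAT boxes in the second diagram only rewrite the outer NAT-T header, while the 192.168.1.x to 192.168.2.x packet inside is routed untouched, so even address-embedding protocols such as FTP PORT survive) can be checked with a small model of that topology. This is an added example, not code from the thread or from KAME/OpenBSD; the transit and public addresses, the SPI and the FTP packet are constructed, and ESP's encryption and authentication are stood in for by an integrity tag.

```python
from dataclasses import dataclass, replace
import hashlib, re

# Constructed topology: LAN-A-PC --- SG-A === FW/NAT-A ===(inet)=== FW/NAT-B === SG-B --- LAN-B-PC
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

def esp_in_udp(inner: Packet, sg: str, peer: str, spi: int) -> Packet:
    """NAT-T encapsulation: the inner packet becomes an opaque, integrity-tagged UDP/4500 blob."""
    body = f"{inner.src}:{inner.sport}>{inner.dst}:{inner.dport}|".encode() + inner.payload
    tag = hashlib.sha256(spi.to_bytes(4, "big") + body).digest()[:12]  # stand-in for ESP auth
    return Packet(sg, peer, 4500, 4500, spi.to_bytes(4, "big") + body + tag)

def decapsulate(outer: Packet, spi: int) -> Packet:
    blob, body, tag = outer.payload, outer.payload[4:-12], outer.payload[-12:]
    if blob[:4] != spi.to_bytes(4, "big") or hashlib.sha256(blob[:4] + body).digest()[:12] != tag:
        raise ValueError("ESP integrity check failed")  # a NAT that touched the inner packet lands here
    hdr, payload = body.split(b"|", 1)
    (s_ip, s_port), (d_ip, d_port) = (x.split(":") for x in hdr.decode().split(">"))
    return Packet(s_ip, d_ip, int(s_port), int(d_port), payload)

def snat(p: Packet, public_ip: str, port: int) -> Packet:  # outbound NAPT at FW/NAT-A: outer header only
    return replace(p, src=public_ip, sport=port)

def dnat(p: Packet, inside_ip: str) -> Packet:             # FW/NAT-B forwards inbound UDP/4500 to SG-B
    return replace(p, dst=inside_ip)

def port_cmd_consistent(p: Packet) -> bool:
    """Does the address embedded in an FTP PORT command still match the IP header's source?"""
    m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),", p.payload)
    return m is not None and b".".join(m.groups()).decode() == p.src

FTP_PORT = Packet("192.168.1.10", "192.168.2.20", 4321, 21, b"PORT 192,168,1,10,16,1\r\n")  # constructed

def via_nat_t_tunnel(p: Packet) -> Packet:
    """SG-A encapsulates, both NAT boxes rewrite only the outer header, SG-B decapsulates."""
    outer = esp_in_udp(p, "10.0.0.2", "203.0.113.1", spi=0x1001)  # SG-A -> FW/NAT-B public address
    outer = snat(outer, "198.51.100.1", 40001)                      # FW/NAT-A
    outer = dnat(outer, "10.0.1.2")                                 # FW/NAT-B -> SG-B
    return decapsulate(outer, spi=0x1001)                           # what LAN-B-PC receives

def direct_through_nat(p: Packet) -> Packet:
    """Same packet with no tunnel: NAT rewrites the header but cannot fix the PORT payload."""
    return snat(p, "198.51.100.1", 40002)
```

With the tunnel the delivered packet is byte-for-byte the one LAN-A-PC sent, so the PORT command agrees with the header; sent directly through the NAT it does not, which is the case where an FTP ALG would be needed.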