Re: Masquerading IPSec connections on FreeBSD?



> > 	Remote IPSEC server (Galileo software)<===
> > 	(Global IP address)

Oh, I forgot to mention: the remote IPSEC server is very likely to refuse to
accept simultaneous tunnels from two clients if they both appear to be
coming from the same (masqueraded) IP address.

I have found this to be the case even with a non-IPSEC VPN product: the
Shiva (Intel) VPN client using its default "Shiva Smart Tunnelling"
protocol, which runs over UDP (and therefore NATs easily). It works fine as
long as there's only one client behind the NAT firewall; as soon as a second
client tries to connect, it breaks the first. The underlying assumption is
that each client must be coming from a different IP.

This may not be a problem with L2TP, since having multiple L2TP tunnels between
the same pair of endpoints is a legitimate and widely-deployed scenario (in the
RAS environment at least).

The other option you might consider is setting up the firewall itself as an
IPSEC client to the remote Galileo server. That suffers all the
interoperability problems I described before (made somewhat easier if the
firewall has a fixed public IP address), but means that all clients on the
private LAN will be able to send traffic via the tunnel, without having to
set up their own tunnels or authenticate individually. That may not be what
you want, of course.

Cheers,

Brian.
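
An added illustration of the failure mode Brian describes (it is not code from the original post or from any of the products named): a small model of a masquerading firewall plus two hypothetical server policies, one that keys a tunnel on the peer's source IP alone, and one that keys on (peer IP, tunnel id) the way an L2TP server can. All addresses, ports, client names and tunnel ids are constructed for the example.

```python
"""Why two VPN clients behind one NAT can knock each other off.

Added illustration for the thread above; not code from the original post
or from any product named there. It models a NAT that rewrites inside
(ip, port) pairs to one public address, plus two hypothetical server
policies: one that keys a tunnel on the peer IP alone (the behaviour the
post describes) and one that keys on (peer IP, tunnel id), as an
L2TP-style server can. All addresses, ports, names and ids are constructed.
"""

from itertools import count


class Nat:
    """Port-translating NAT: every inside flow leaves from one public IP."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._ports = count(40000)           # assumed outbound port range
        self.table = {}                      # (inside_ip, inside_port) -> public port

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.table:
            self.table[key] = next(self._ports)
        return self.public_ip, self.table[key]


class IpKeyedServer:
    """Assumes one client per source IP: a new peer from that IP replaces the old one."""

    def __init__(self):
        self.sessions = {}                   # peer_ip -> client name
        self.events = []

    def connect(self, peer_ip, peer_port, tunnel_id, client):
        old = self.sessions.get(peer_ip)
        if old is not None and old != client:
            self.events.append(f"{old} dropped: {peer_ip} re-registered as {client}")
        self.sessions[peer_ip] = client      # port and tunnel id are ignored

    def active(self):
        return sorted(self.sessions.values())


class TunnelKeyedServer:
    """Distinguishes tunnels by (peer IP, tunnel id), so several can share one IP."""

    def __init__(self):
        self.sessions = {}                   # (peer_ip, tunnel_id) -> client name
        self.events = []

    def connect(self, peer_ip, peer_port, tunnel_id, client):
        self.sessions[(peer_ip, tunnel_id)] = client

    def active(self):
        return sorted(self.sessions.values())


# Constructed LAN: two clients behind one masquerading firewall.
CLIENTS = [("10.0.0.5", "alice"), ("10.0.0.6", "bob")]
NAT_PUBLIC_IP = "203.0.113.1"                # constructed public address


def simulate(server_cls):
    """Connect both clients through the NAT; return (clients still up, server events)."""
    nat = Nat(NAT_PUBLIC_IP)
    server = server_cls()
    for tunnel_id, (inside_ip, client) in enumerate(CLIENTS, start=1):
        pub_ip, pub_port = nat.translate(inside_ip, 500)   # UDP/500, constructed
        server.connect(pub_ip, pub_port, tunnel_id, client)
    return server.active(), server.events


if __name__ == "__main__":
    for cls in (IpKeyedServer, TunnelKeyedServer):
        up, events = simulate(cls)
        print(f"{cls.__name__}: up={up} events={events}")
```

Running it shows the IP-keyed server keeping only the second client (bob) and logging that alice was dropped, while the tunnel-keyed server keeps both. The UDP case modelled here is the easier one: with ESP there are no port numbers for the NAT to rewrite at all, so a plain masquerading firewall has nothing to distinguish two inside hosts' traffic by on the way back in.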

-----
This is the afnog mailing list, managed by Majordomo 1.94.5

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e. use "help" for help)

This list is maintained by owner-afnog at afnog.org