Re: [ossig] Re: [myoss] Linux kernel IP stack, 7-layer OSI cake and SNAT shenanigans
On Thu, 4 Nov 2004 15:53:32 +0800
cdemarco@fastmail.fm wrote:
> > i seriously do not know about such complexity. all i did was,
> > set up a gateway that does NAT, firewall it, then run
> > openswan with NAT_Transversal on.
>
> This is what I was afraid of. I am *NOT* talking about NAT
> traversal, at all. The IPsec endpoints are publicly-routable
> Internet IP addresses. The NAT happens BEFORE the IPsec
> tunnel, to make my internal network look like the remote
> network without requiring routing between them.
means, you have internal addresses behind both ends? any way to draw a
sample network design?
10.254.254.0/24 --- 192.168.1.1 - 192.168.15.1 --- 172.16.25.0/24
subnet A            IPSEC GW1     IPSEC GW2        subnet B
between GW1 and GW2 is the Internet. something like that?
as long as the packet after encapsulation is not modified, the tunnel
you build between two end points doesn't really bother about the
changes in each internal network. so in this sense, you NAT'ed network
behind subnet A or B, should not bring any difference to the IPsec
Tunnel.
SL