
Re: FreeSwan, iptables, firewalls, MASQ, etc. - confused



On Fri, Jul 05, 2002 at 03:23:56PM -0700, Curtis Vaughan wrote:
> Let's go back to my left network.
> The VPN host is behind a firewall, where NAT is also performed.
> Therefore, the VPN host does not have, what I'll call a true public IP
> address.  As far as it knows its address is merely 10.0.1.10.
> 
> So, when I restart the network, eth0 is 10.0.1.10 and ipsec0 is
> 10.0.1.10.  Isn't this a conflict of sorts?  Whereas on the right
> network, ppp0 is 202.107.20.30 and ipsec0 is 202.107.20.30.

Getting IPsec to work through NAT is not going to be easy.  It may not
even be possible at all.  One of the things that IPsec does is guarantee
that the packet headers arrive at their destination intact.  NAT, by
definition, mangles the packet headers.  There are patches for FreeS/WAN
that are supposed to allow NAT traversal, but from what I can see they
are quite experimental.  I assume that, due to their experimental
nature, these patches have not been applied to the Debian freeswan
package, but I could be wrong.

The people on the freeswan-users list (see http://www.freeswan.org/)
might be able to provide you with more help in this area.  But if you
can find a way to get the VPN box a static IP address, you'll have a
much easier time with IPsec.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
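The reply above states the mechanism only in one sentence: AH's integrity check covers the outer IP header, so a NAT box rewriting the source address invalidates it, whereas a normal router hop (TTL decrement) does not, and UDP-encapsulated ESP (the NAT traversal approach, RFC 3948) survives because ESP's ICV never covers the outer header. The following script is an added illustration written for this archive page; it is not code from the original message, from FreeS/WAN, or from the Debian package. It models only the header fields relevant to the argument, uses a constructed HMAC key and the constructed public address 203.0.113.5 for the NAT box, and truncates HMAC-SHA1 to 96 bits as RFC 2404 does for AH. The addresses 10.0.1.10 and 202.107.20.30 are the ones from the thread.

```python
"""Why AH breaks behind NAT, and why UDP-encapsulated ESP does not (simplified model)."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace

# Constructed demo key; a real SA gets its keys from IKE, never from a literal.
AH_KEY = b"constructed-demo-key-not-for-real-use"


@dataclass(frozen=True)
class Ipv4Header:
    """Subset of IPv4 header fields used here (not the full wire format)."""
    src: str
    dst: str
    ttl: int
    proto: int
    length: int


def pack_for_icv(h: Ipv4Header) -> bytes:
    """Serialise the header the way AH hashes it (RFC 2402 3.3.3.1):
    mutable fields such as TTL are set to zero, immutable fields
    (addresses, length, protocol) are included as-is."""
    return struct.pack(
        "!HBB4s4s",
        h.length,
        0,                 # TTL is mutable: zeroed so per-hop decrements do not break the ICV
        h.proto,
        socket.inet_aton(h.src),   # source address IS covered, which is what NAT rewrites
        socket.inet_aton(h.dst),
    )


def ah_icv(key: bytes, header: Ipv4Header, payload: bytes) -> bytes:
    """HMAC-SHA1-96 over the zeroed header plus payload (RFC 2404 truncation)."""
    return hmac.new(key, pack_for_icv(header) + payload, hashlib.sha1).digest()[:12]


def ah_verify(key: bytes, header: Ipv4Header, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, header, payload), icv)


def router_hop(header: Ipv4Header) -> Ipv4Header:
    """What an ordinary router does: decrement TTL, leave addresses alone."""
    return replace(header, ttl=header.ttl - 1)


def nat_rewrite_source(header: Ipv4Header, public_ip: str) -> Ipv4Header:
    """What a source-NAT firewall does: replace the private source address."""
    return replace(header, src=public_ip)


def esp_icv(key: bytes, esp_bytes: bytes) -> bytes:
    """ESP's ICV covers only the ESP header and encrypted payload; the outer
    IP and (for NAT-T) UDP headers are outside its scope."""
    return hmac.new(key, esp_bytes, hashlib.sha1).digest()[:12]


def demo() -> dict:
    """Returns verification results for each scenario so they can be checked."""
    inner = Ipv4Header(src="10.0.1.10", dst="202.107.20.30", ttl=64, proto=51, length=84)
    payload = b"constructed AH-protected payload bytes"
    icv = ah_icv(AH_KEY, inner, payload)

    # NAT-T model: outer IP + UDP/4500 + ESP. NAT rewrites the outer src and the UDP
    # source port; the ESP bytes, and therefore the ESP ICV, are untouched.
    esp_bytes = b"constructed ESP header + ciphertext"
    packet = {"outer": inner, "udp_sport": 4500, "esp": esp_bytes, "esp_icv": esp_icv(AH_KEY, esp_bytes)}
    natted = dict(packet, outer=nat_rewrite_source(inner, "203.0.113.5"), udp_sport=61000)

    return {
        "original": ah_verify(AH_KEY, inner, payload, icv),
        "after_hop": ah_verify(AH_KEY, router_hop(inner), payload, icv),
        "after_nat": ah_verify(AH_KEY, nat_rewrite_source(inner, "203.0.113.5"), payload, icv),
        "nat_t_esp_after_nat": hmac.compare_digest(esp_icv(AH_KEY, natted["esp"]), natted["esp_icv"]),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:>22}: {'ICV ok' if ok else 'ICV FAIL'}")
```

The point for a defender is that the AH failure is not a bug to be configured away: it is the integrity guarantee doing its job. The practical fixes are the ones the reply names, a public address on the VPN box, or NAT traversal, which moves the protected bytes inside a UDP wrapper that the NAT device is free to rewrite.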
