Diff: IPSecConfigurationNAT

Differences between version 3 and previous revision of IPSecConfigurationNAT.


Newer page: version 3 Last edited on Tuesday, November 18, 2003 11:24:00 pm by CraigBox
Older page: version 2 Last edited on Tuesday, November 18, 2003 3:27:42 pm by CraigBox
@@ -1,8 +1,10 @@
 !!Setting up IPSEC tunnelling over a NAT’d M1122 
  
 I have an [IPSec] gateway server (FreeSwan) running on a public IP address, and I want to make tunnels from machines that 
 sit behind [ADSLModems] (in this case, a Nokia [M1122].) Thankfully, it was a bit easier to acheive than I thought it might be, and you don't have to worry about NatTraversal at all. 
+  
+This works because FreeSwan can identify its ends with the leftid= and rightid= parameters, without needing the IP address blocks to match.  
  
 !Things to note 
  
 If you have multiple networks that have the same numbering, you can't tunnel them all together to the same server - how would the server know which was which? Along with that, if you're using a network between a firewall and a DSL modem (the 192.x examples below), it will also have to have a unique IP address. 
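Review bot: the new sentence at +17 should say what the IDs stand in for: because the site end is NAT'd, the packets reaching the hosting server carry the M1122's public address rather than the site firewall's, so authenticating on leftid=/rightid= instead of on the left=/right= addresses is what lets the connection come up; saying that makes the "without needing the IP address blocks to match" clause concrete. Also, "acheive" in the context line above it is a typo for "achieve", worth fixing in the next edit.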
@@ -14,9 +16,9 @@
 [[Hosting Server] - [[Hosting Firewall] <----> [[M1122] - [[Site Firewall] - [[Local Network] 
  
 Imagine a (reasonably standard) layout: (External IP __M1122__ 192.168.1.254) - (192.168.1.250 __Firewall__ 10.7.1.254). The hosting server is 203.204.205.206. 
  
-!!1. Configure the M1122 to enable ESP and ISAKMP passthrough to the internal 
+!!1. Configure the M1122 to enable ESP and ISAKMP passthrough to the internal (with some PinHoling):  
  
  telnet router 
  configure 
  vcc1 
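Review bot: the heading now promises "(with some PinHoling)" but the lines under it stop at "vcc1", before any forwarding rule is shown; the pinholes should be named (ESP, IP protocol 50, and ISAKMP, UDP port 500, passed through to the 192.168.1.250 firewall from the layout above) so a reader knows exactly what is being opened to the Internet and keeps the forwarding to those two. Note also that "telnet router" configures the modem over cleartext telnet; the session is on the LAN side here, but the admin password still crosses the wire unencrypted.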
@@ -56,11 +58,11 @@
  
  
 !M1122 END 
  
-This end has to be different from the other end 
+This end has to have some different IP addresses from the other end...  
  
- conn sitemail -hosting 
+ conn site -hosting 
  left= %defaultroute 
  leftsubnet= site-internal-net (10.7.1.0/24) 
  leftnexthop= 
  rightsubnet= hosting (203.204.205.206/32) 
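Review bot: the renamed connection on the "+" line, "conn site -hosting", has a space before the hyphen; ipsec.conf conn names cannot contain whitespace, so this should read "conn site-hosting" (the "-" line had the same defect as "sitemail -hosting"). The rewritten sentence "has to have some different IP addresses from the other end..." is vaguer than the one it replaces; say which addresses: leftsubnet= (10.7.1.0/24) must not overlap rightsubnet= or any other site's subnet, as the "Things to note" paragraph in the first hunk already explains. "leftnexthop=" is given no value; with left=%defaultroute FreeSwan fills in the nexthop itself, so either give it a value or drop the line rather than leave an empty assignment.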
@@ -81,4 +83,6 @@
  right= hosting-firewall (203.204.205.1) 
  rightnexthop= %defaultroute 
  rightrsasigkey= ... 
  rightid= @firewall.hosting.net.nz 
+  
+Comments welcomed.
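Review bot: "rightrsasigkey= ..." is elided, and the page should say that this is the hosting firewall's public key (what "ipsec showhostkey" prints on that host), which is safe to publish, as opposed to anything from /etc/ipsec.secrets, which must never be pasted into this wiki page. Since rightid= is set to "@firewall.hosting.net.nz", the matching leftid= for the NAT'd end should be shown alongside it in the M1122-end conn; the sentence added at the top of this diff relies on both IDs being set.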