
RE: [Users] IKE source port other than 500

From: Andreas Steffen (andreas.steffen_at_strongsec.com)
Date: Wed Mar 13 2002 - 19:40:50 CET


> -----Original Message-----
> From: users-admin_at_lists.freeswan.org
> [mailto:users-admin_at_lists.freeswan.org]On Behalf Of Roland Gafner
> Sent: Wednesday, 13 March 2002 17:03
> To: Henry Spencer
> Cc: users_at_lists.freeswan.org
> Subject: RE: [Users] IKE source port other than 500
>
>
> >Yes, but then it has its own IP address. Masquerading changes addresses
> >as well as ports! You will *have* to change the client's IP address in
> >ipsec.conf when you put it behind a masquerading firewall.
>
> You are right, the IP address changes too. But what do you mean by
> "You will *have* to change the client's IP address in ipsec.conf"?
> My gateway's ipsec.conf has:
>
> conn uranus
> left=%any
> auto=add
>
> So I guess every client with a valid x509 certificate can connect.
>
In principle yes, but only under the condition that the inner source
address equals the outer source address of the IPsec tunnel. This
is because

        left=%any

implicitly means

        leftsubnet=left=<outer IP address>

In the case of NAT you must declare the inner IP address
explicitly

        left=%any
        leftsubnet=<inner IP address>/32

This means that you need a distinct connection definition for
each NATed client.

> > Or because UDP source address is that of the firewall rather
> > than the host.
>
> The source port and the IP source address always change when a
> client packet goes through a masquerading
> (hiding NAT) gateway to the external net. That's how masquerading
> works.
>
> rgds
> Roland
>

Kind regards

Andreas

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
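The gateway-side ipsec.conf that Andreas's reply describes, written out as an added example (constructed for this archive page, not taken from the post or from the FreeS/WAN distribution). It shows the generic `left=%any` conn, which only serves clients whose inner address equals their outer address, next to the per-client conn a NATed client needs. The certificate file names, the client DN in leftid, the 192.168.1.5 inner address and the 10.1.0.0/16 protected subnet are all assumed values; the keywords themselves (left/leftsubnet/leftid/leftcert/rightcert, `%cert`, `%any`, `%defaultroute`, `auto=add`) are those of FreeS/WAN with the X.509 patch.

```conf
# /etc/ipsec.conf on the gateway (constructed example, values assumed)

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

# Parameters shared by every road-warrior conn. Putting the gateway's
# own ("right") side here keeps each per-client conn down to its
# "left" parameters.
conn %default
        keyingtries=0
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        right=%defaultroute
        rightcert=gatewayCert.pem          # assumed file name
        rightsubnet=10.1.0.0/16            # assumed protected subnet
        auto=add

# Any client presenting a valid X.509 certificate, NOT behind NAT.
# left=%any implies leftsubnet=<outer IP address>/32, so the client's
# inner address must equal the source address of its IKE/ESP packets.
conn uranus
        left=%any

# The same client behind a masquerading (hiding NAT) firewall. The
# packets now arrive from the firewall's address, so the client's real
# (inner) address has to be declared, and the conn is pinned to that one
# certificate via leftid. One such conn is needed per NATed client.
conn uranus-nat
        left=%any
        leftid="C=CH, O=Example, CN=uranus"  # assumed DN of the client cert
        leftsubnet=192.168.1.5/32           # assumed inner address behind NAT
```

Because both conns have `left=%any`, the leftid is what lets Pluto pick `uranus-nat` over `uranus` for that certificate; without it, the NATed client would match the generic conn and the tunnel would be negotiated for the firewall's address rather than 192.168.1.5. As the thread itself notes, the IKE source port and address are rewritten by the masquerading gateway as well; this fragment only addresses the inner-address declaration discussed in the reply.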



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:42 CEST