Re: [Users] VPN server using NAT

From: John A. Sullivan III (john.sullivan_at_nexusmgmt.com)
Date: Sat Sep 14 2002 - 21:57:00 CEST


I'd agree. It will make routing infinitely simpler. We've got a bit
further in our labs. We've combined NAT-T with DHCP-over-IPSec and
allocate Road Warriors a private and controllable IP address separate
from the other internal addresses. This way we have known addresses
upon which we can make routing and security decisions and identify all
the packets from remote users.

Greg Scott wrote:

>>I was thinking about a freeswan VPN server in the
>>LAN with a public ip address and doing NAT in the
>>linux fw from the public to the local ip.
>>
>>
>
>I wouldn't do it this way.
>
>Since you have a batch of public IP addresses anyway, think about
>doing it the classic way, like this:
>
>--------Router-------------Linux FW ---------- Internal LAN
>Public IP   Public IP   Public IP   Private IP   Private IP range
>                        NAT and IPSEC
>                        happen here.
>
>Of course, the inside of the router and outside NIC on the firewall
>should be in the same IP subnet.
>
>You could also build a DMZ into the mix if you want by adding
>a 3rd NIC in your firewall. I would use another private IP address
>range for the servers in the DMZ and use NAT to further protect them.
>
>my 2 cents
>
>- Greg Scott
>
>
>
>-----Original Message-----
>From: Vicente Vives [mailto:vvives_at_telepolis.com]
>Sent: Thursday, September 12, 2002 10:55 AM
>To: users_at_lists.freeswan.org
>Cc: vvives_at_telepolis.com
>Subject: [Users] VPN server using NAT
>
>
>

-- 
John A. Sullivan III
Group Technology Director
Nexus Management
+1 207-985-7880
john.sullivan_at_nexusmgmt.com

_______________________________________________ Users mailing list Users_at_lists.freeswan.org http://lists.freeswan.org/mailman/listinfo/users
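Added example, not part of the thread: a few sanity checks for the design Greg sketches and the dedicated road-warrior pool John describes. It assumes the router-inside/firewall-outside pair must share a subnet, that LAN, DMZ and road-warrior ranges must not overlap, and that a road-warrior source address is only trusted when the packet arrived over the IPsec tunnel (my assumption, not stated in the mail); all addresses are constructed placeholders.

```python
"""Checks for the NAT + IPsec gateway layout discussed on the list.

Example code added to the archive, not the posters' configuration.
Addresses below are constructed placeholders (RFC 5737 / RFC 1918).
"""
from ipaddress import IPv4Interface, IPv4Network
from itertools import combinations

# Constructed design: router inside / FW outside on one public /29,
# private LAN, private DMZ on the 3rd NIC, separate road-warrior pool.
ROUTER_INSIDE = "203.0.113.1/29"
FW_OUTSIDE = "203.0.113.2/29"
LAN = "192.168.1.0/24"
DMZ = "192.168.2.0/24"
RW_POOL = "10.10.10.0/24"   # handed out via DHCP-over-IPsec


def same_subnet(router_inside: str, fw_outside: str) -> bool:
    """Greg's rule: router inside and FW outside NIC sit in one subnet
    (and are distinct hosts in it)."""
    a, b = IPv4Interface(router_inside), IPv4Interface(fw_outside)
    return a.network == b.network and a.ip != b.ip


def overlaps(*nets: str):
    """Return every pair of ranges that overlap. Empty means LAN, DMZ and
    road-warrior pool are cleanly separable for routing and filtering."""
    parsed = [IPv4Network(n) for n in nets]
    return [(str(a), str(b)) for a, b in combinations(parsed, 2)
            if a.overlaps(b)]


def classify(src: str, lan: str = LAN, dmz: str = DMZ,
             rw_pool: str = RW_POOL) -> str:
    """John's point: a dedicated pool lets the source address identify
    remote-user traffic."""
    ip = IPv4Interface(src).ip
    for name, net in (("lan", lan), ("dmz", dmz), ("road-warrior", rw_pool)):
        if ip in IPv4Network(net):
            return name
    return "external"


def policy(src: str, via_ipsec: bool) -> str:
    """Assumed anti-spoofing rule: pool addresses are accepted only when
    the packet came in through the IPsec tunnel; otherwise drop."""
    kind = classify(src)
    if kind == "road-warrior":
        return "accept" if via_ipsec else "drop"
    return "accept" if kind in ("lan", "dmz") else "drop"
```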



This archive was generated by hypermail 2.1.4 : Sun Sep 15 2002 - 05:20:06 CEST