From: alphan (alphan3_at_yahoo.com)
Date: Tue Dec 10 2002 - 04:39:29 CET
> I can't see any reason why you wouldn't just put a net2net tunnel in place
> for this, since it solves exactly what you are describing.
The reason is that there is another firewall sitting between host1 and
gateway1 (FreeS/WAN)! We could do NATting on that firewall instead of on
freeswan/gateway1, but....
> You could kludge in a way with iproute2 if both boxes were FreeS/WAN, but
> with a CP FW1/VPN1 I highly doubt it would accept the packets, since
> they'd technically be invalid as they arrive over the tunnel with src/dest
> IPs not equal to both of the Gateways.
As a matter of fact, we got such a tunnel working for FreeS/WAN and a
remote w2k-ipsec (gateway2 and host2 on the same box). We set the src/dest
IPs to be exactly those of the two gateways! And on the FreeS/WAN box we used
SNAT via the ipsec0 interface (instead of eth1).
I am just hoping this works for a remote Checkpoint as well!!
Further comments? -bill
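The SNAT arrangement the poster describes, written out as an added example (it is not part of the original message and not FreeS/WAN's own tooling): a POSTROUTING rule hung off the KLIPS virtual interface, so the inner packet is rewritten to the gateway address before ESP encapsulation and the remote gateway's gateway-to-gateway selectors match it. The gateway address `192.0.2.1` is a TEST-NET placeholder and the variable names are assumptions; nothing is applied unless the script is run with `--apply` as root.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions:
#   GW1_IP   - public address of gateway1, the FreeS/WAN box (placeholder below)
#   IPSEC_IF - the KLIPS virtual interface packets are routed into (ipsec0)
GW1_IP="${GW1_IP:-192.0.2.1}"     # placeholder address, TEST-NET-1
IPSEC_IF="${IPSEC_IF:-ipsec0}"

# Build the SNAT rule as one line: rewrite the source of everything leaving
# via the ipsec interface to the gateway address. Because ipsec0 sits in
# front of the encryption step, the rewritten address is what ends up inside
# the ESP payload, which is what the far end's policy checks.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s' "$2" "$1"
}

# The contrasting rule on the physical interface (eth1 in the post): by the
# time a packet leaves eth1 it is already ESP, whose outer source is the
# gateway anyway, so the inner source stays host1 and the remote gateway
# drops it as not matching the gateway-to-gateway SA.
wrong_snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s' "eth1" "$1"
}

# Commands for checking the result on the FreeS/WAN box (both are standard
# netfilter / FreeS/WAN tools; the eroute listing is assumed to show the
# gateway-to-gateway selector the poster relies on).
verify_commands() {
    printf 'iptables -t nat -L POSTROUTING -n -v\nipsec eroute\n'
}

main() {
    echo "# rule used in the post:"
    snat_rule "$GW1_IP" "$IPSEC_IF"; echo
    echo "# rule that would NOT work (for contrast):"
    wrong_snat_rule "$GW1_IP"; echo
    echo "# verification:"
    verify_commands
    if [ "$1" = "--apply" ]; then
        # Only the working rule is ever applied, and only on explicit request.
        eval "$(snat_rule "$GW1_IP" "$IPSEC_IF")"
    fi
}

# Run main only when executed directly, so the functions can be sourced.
case "$0" in
    *sh) ;;
    *) main "$@" ;;
esac
```

Run without arguments to print the rules and the check commands; `--apply` installs only the ipsec0 rule. The contrast rule is printed purely to show why the interface choice matters.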
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Wed Dec 11 2002 - 05:21:06 CET