[Users] Re: "net-to-net" IPSec with only "gateway-to-gateway" tunneling

From: Ken Bantoft (ken_at_freeswan.ca)
Date: Tue Dec 10 2002 - 04:29:19 CET


-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 9 Dec 2002, alphan wrote:

> folks,
>
> i wondered if some of you could confirm this scenario:
>
> only gateway-to-gateway IPSec tunnel is set up (e.g.,
> between FreeSWAN/Linux and Checkpoint FW-1/VPN-1),
> instead of the full (end-to-end) net/host-to-net/host
> tunnel. there are reasons not to set up in the latter
> way....
>
> are there people who have succeeded in setting up this
> way and push the traffic through (clear text from
> host1 to gateway1, then encrypted from gateway1 to
> gateway2, followed by clear text again from gateway2
> to host2)? of course one has to use NAT, etc. to make
> the internal (clear-text) portion work.

I can't see any reason why you wouldn't just put a net2net tunnel in place
for this, since it solves exactly what you are describing.

You could kludge in a way with iproute2 if both boxes were FreeS/WAN, but
with a CP FW1/VPN1 I highly doubt it would accept the packets, since
they'd technically be invalid as they arrive over the tunnel with src/dest
IPs not equal to both of the Gateways.

- --
Ken Bantoft The Unofficial FreeS/WAN Site:
ken_at_freeswan.ca http://www.freeswan.ca
                           PGP Key: finger ken_at_bantoft.org
"We can factor the number 15 with quantum computers. We
can also factor the number 15 with a dog trained to bark
three times." -- Robert Harley, 5/12/01, Sci.crypt

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPfVfl1iWUusaxGxpAQFA/wP8Ce8PvuuDI6juXUJ9kATitFNm22WgQ8Tj
rXoAaWg8rLiy+z5BxALApCPL81OjuxTo5r0XhU0lJylas6lZKtdvok+9oZQcw159
lNDvn2bZiOQwvSrpVWNzqlQcbD5Ns30sEQ3DD/C00R7IP+vhrRb4NPmBGd6Hjwul
3YW5kLBN1rQ=
=guKt
-----END PGP SIGNATURE-----

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
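The distinction Ken draws above (a gateway-to-gateway SA whose selectors are only the two gateway addresses, versus a net-to-net SA whose selectors are the two LANs) comes down to the presence of the `leftsubnet=`/`rightsubnet=` lines in a FreeS/WAN `ipsec.conf`. The excerpt below is an added illustration, not configuration posted in the thread or shipped by the FreeS/WAN project; the addresses, next hops, subnet ranges and key values are constructed placeholders.

```ini
# Added example: FreeS/WAN ipsec.conf fragment contrasting the two tunnel
# shapes discussed in the thread. Addresses and keys are placeholders.
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=0
        authby=rsasig
        # Placeholder public keys; real values come from
        # `ipsec showhostkey --left` / `ipsec showhostkey --right` on each box.
        leftrsasigkey=0sPLACEHOLDER_LEFT_KEY
        rightrsasigkey=0sPLACEHOLDER_RIGHT_KEY

# Gateway-to-gateway only: no *subnet= lines, so the SA covers traffic whose
# source and destination ARE the gateway addresses. LAN-to-LAN packets that
# gateway1 forwards do not match this policy, and anything pushed into it by
# NAT arrives at the peer with endpoints the peer did not negotiate for this
# SA, which is why the Check Point side is expected to drop it.
conn gw-gw
        left=192.0.2.1
        leftnexthop=192.0.2.254
        right=198.51.100.1
        rightnexthop=198.51.100.254
        auto=start

# Net-to-net: the *subnet= lines make the two LANs the traffic selectors.
# host1 (10.1.0.0/24) to host2 (10.2.0.0/24) traffic is encrypted between
# the gateways and delivered in clear on each LAN, with no NAT involved.
# The clear-text hop on each LAN is the part IPsec does not protect.
conn net-net
        left=192.0.2.1
        leftsubnet=10.1.0.0/24
        leftnexthop=192.0.2.254
        right=198.51.100.1
        rightsubnet=10.2.0.0/24
        rightnexthop=198.51.100.254
        auto=start
```

Both peers must agree on the selectors: the `rightsubnet=`/`leftsubnet=` pair on the FreeS/WAN side has to match the encryption domain configured on the Check Point side, otherwise Quick Mode negotiation fails or the peer discards packets that fall outside the policy it accepted.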



This archive was generated by hypermail 2.1.5 : Wed Dec 11 2002 - 05:21:06 CET