Passing IPSec VPN traffic through a Port-masquerading firewall
Howdy,
I need to support IPSec VPN users through a Linux masquerading firewall. The Linux masquerade code converts the "client-side" IP addresses into its address, and manipulates the source port in order to keep track of who is doing what so it can demasquerade on the way back.

Now, I understand that there are two parts to the VPN protocol: the initial key exchange at port 500, and then the ESP packets. I know that there are multiple-IP-address NAT devices that work with this method, so I assume that I can change the IP address of the packets without getting into too much trouble. But I have been told that there is no session number that I can draw off of to distinguish two clients creating VPN tunnels to the same destination server.

I have looked at the RFC for ESP, and it seems to support this claim. I was wondering if I could potentially use the sequence number as a reasonably unique identifier; not perfect, but perhaps OK. Does anyone on this list have any other suggestions?
Thanks
John
-------
johnbr@elastic.com - John Brothers - (678) 297 3084
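An added illustration, not part of John's message or of any masquerade code: the cleartext ESP header (RFC 2406) carries a 32-bit SPI ahead of the sequence number, and the receiving end of each security association chooses its own SPI, so a demasquerade table keyed on (remote peer, SPI) can replace the port-based lookup that ESP lacks, whereas per-SA sequence numbers each restart at 1 and collide across clients. The peer and client addresses and SPIs below are constructed sample values.

```python
import struct

# ESP header layout (RFC 2406): 32-bit SPI followed by a 32-bit sequence number,
# both network byte order. Everything after these 8 bytes is encrypted payload.
ESP_HDR = struct.Struct("!II")


def parse_esp(packet: bytes):
    """Return (spi, seq) from the cleartext ESP header; raise on a truncated packet."""
    if len(packet) < ESP_HDR.size:
        raise ValueError("truncated ESP header")
    return ESP_HDR.unpack_from(packet)


def build_esp(spi: int, seq: int, payload: bytes = b"") -> bytes:
    """Construct a sample ESP packet with an opaque payload (for the demonstration only)."""
    return ESP_HDR.pack(spi, seq) + payload


class EspMasqTable:
    """Toy demasquerade table keyed on (remote VPN peer, SPI) instead of on ports."""

    def __init__(self):
        self._by_spi = {}

    def bind(self, peer: str, spi: int, client: str) -> None:
        """Record that inbound ESP from `peer` carrying `spi` belongs to internal `client`."""
        key = (peer, spi)
        if self._by_spi.get(key, client) != client:
            raise KeyError(f"SPI {spi:#x} from {peer} already bound to {self._by_spi[key]}")
        self._by_spi[key] = client

    def demasquerade(self, peer: str, packet: bytes):
        """Return the internal client for an inbound ESP packet, or None if the SPI is unknown."""
        spi, _seq = parse_esp(packet)
        return self._by_spi.get((peer, spi))


def shared_sequence_numbers(packets) -> set:
    """Sequence numbers seen under more than one SPI: why seq alone cannot identify a client."""
    spis_by_seq = {}
    for pkt in packets:
        spi, seq = parse_esp(pkt)
        spis_by_seq.setdefault(seq, set()).add(spi)
    return {seq for seq, spis in spis_by_seq.items() if len(spis) > 1}


if __name__ == "__main__":
    table = EspMasqTable()
    table.bind("203.0.113.5", 0x1001, "10.0.0.11")  # constructed: two clients, one VPN server
    table.bind("203.0.113.5", 0x2002, "10.0.0.12")
    print(table.demasquerade("203.0.113.5", build_esp(0x2002, 1)))  # 10.0.0.12
    print(shared_sequence_numbers([build_esp(0x1001, 1), build_esp(0x2002, 1)]))  # {1}
```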