
Passing IPSec VPN traffic through a Port-masquerading firewall



Howdy,

    I need to support IPSec VPN users through a Linux masquerading firewall.
The Linux masquerade code converts the "client-side" IP addresses into its
address, and manipulates the source port in order to keep track of who is
doing what so it can demasquerade on the way back.

   Now, I understand that there are two parts to the VPN protocol - the
initial key exchange at port 500, and then the ESP packets.  I know that
there are multiple-IP-address NAT devices that work with this method, so I
assume that I can change the IP address of the packets without getting into
too much trouble.  But I have been told that there is no session number that
I can draw off of to distinguish two clients creating VPN tunnels to the same
destination server.

  I have looked at the RFC for ESP, and it seems to support this claim.  I
was wondering if I could potentially use the sequence number as a reasonably
unique identifier - not perfect, but perhaps OK.  Does anyone on this list
have any other suggestions?

	Thanks
		John


-------
johnbr@elastic.com		- John Brothers	- 	(678) 297 3084
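The difficulty described in the post can be made concrete with a small state table. The example below is added here and is not code from the post or from the Linux masquerading code; the class name, method names, addresses and SPI values are all constructed for the walkthrough. It relies on two facts from the ESP specification (RFC 2406, later RFC 4303): every ESP packet starts with a 32-bit Security Parameters Index followed by a 32-bit sequence number, and the ESP integrity check does not cover the outer IP header, which is why a NAT can rewrite the source address at all (AH, which does cover it, cannot be masqueraded this way). Since ESP carries no ports, the table keys on the SPI instead. The client's outbound SPI is assigned by the server and visible on the first packet, but the SPI the server will use toward that client is agreed inside the encrypted IKE exchange, so the firewall only learns it from the first inbound packet and has to bind that packet to the client that most recently opened a new SA to the same server. Two clients starting tunnels to one server at the same moment are ambiguous under this heuristic, which is exactly the gap the post is asking about; the sequence number is used here only to spot repeats on a known SA, not as an identifier.

```python
import struct

# ESP header layout (RFC 2406 / RFC 4303): 32-bit SPI, then 32-bit sequence number.
# Everything after these eight bytes is opaque to a device in the middle.
ESP_HEADER = struct.Struct("!II")


def parse_esp(payload):
    """Return (spi, seq) from the front of an ESP payload, or None if it is truncated."""
    if len(payload) < ESP_HEADER.size:
        return None
    return ESP_HEADER.unpack_from(payload)


def build_esp(spi, seq, body=b"\x00" * 16):
    """Constructed ESP packet for the demo: real header, placeholder ciphertext body."""
    return ESP_HEADER.pack(spi, seq) + body


class EspMasqTable:
    """Hypothetical NAT state table for ESP (IP protocol 50), keyed on SPI
    because ESP carries no port numbers.

    Outbound packets are keyed on (client, server, SPI).  An inbound packet
    whose (server, SPI) pair is unknown is bound to the client that most
    recently opened a new outbound SA to that server; if nobody is waiting,
    the firewall has no client to deliver it to and returns None.
    """

    def __init__(self):
        self.outbound = {}  # (client_ip, server_ip, spi) -> highest seq seen
        self.inbound = {}   # (server_ip, spi) -> client_ip
        self.pending = {}   # server_ip -> client_ip waiting for its first inbound SPI

    def on_outbound(self, client_ip, server_ip, payload):
        """Classify an outbound ESP packet: 'drop', 'new', 'known' or 'suspect'."""
        hdr = parse_esp(payload)
        if hdr is None:
            return "drop"                        # too short to be ESP
        spi, seq = hdr
        key = (client_ip, server_ip, spi)
        if key not in self.outbound:
            self.outbound[key] = seq
            self.pending[server_ip] = client_ip  # expect a fresh inbound SPI from this server
            return "new"
        if seq <= self.outbound[key]:
            # A sender must increment the sequence number on every packet of an SA
            # (RFC 2406, Sequence Number field), so a repeat or a step backwards is
            # worth logging even though the NAT cannot verify the packet itself.
            return "suspect"
        self.outbound[key] = seq
        return "known"

    def on_inbound(self, server_ip, payload):
        """Return the client IP an inbound ESP packet is demasqueraded to, or None."""
        hdr = parse_esp(payload)
        if hdr is None:
            return None
        spi, _seq = hdr
        key = (server_ip, spi)
        if key in self.inbound:
            return self.inbound[key]
        client_ip = self.pending.pop(server_ip, None)
        if client_ip is not None:
            self.inbound[key] = client_ip        # first packet of the reverse SA: bind it
        return client_ip                         # None: unknown SPI and nobody waiting -> drop


if __name__ == "__main__":
    table = EspMasqTable()
    # Constructed addresses and SPIs for the walkthrough.
    print(table.on_outbound("10.0.0.2", "203.0.113.5", build_esp(0x1001, 1)))  # new
    print(table.on_inbound("203.0.113.5", build_esp(0xA001, 1)))               # 10.0.0.2
    print(table.on_outbound("10.0.0.3", "203.0.113.5", build_esp(0x1002, 1)))  # new
    print(table.on_inbound("203.0.113.5", build_esp(0xB001, 1)))               # 10.0.0.3
```

Run it directly to see the two clients bound to their reverse SPIs in order. The `pending` slot is the weak point: if the second client's outbound packet arrives before the first client's reverse SA has delivered a packet, the first inbound packet with a new SPI goes to the wrong client, so a real implementation would also time the binding out and fall back to dropping rather than guessing.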


