
RE: Passing IPSec VPN traffic through a Port-masquerading firewall



I've had a couple of good responses, but I think I failed to explain the
problem fully.

We're operating a 'guest' server - anyone can connect, and access the
outside world with their own laptop through the Linux masquerade box. We
aren't providing the VPN capability, we just want to carry VPN traffic
across. In addition, we don't know who these people are, or where they are
going. So we can't, unfortunately, create special rules for certain
destinations ahead of time - we have to do everything on demand as people
attempt to use the system.

And in the worst case, it is possible that there could be dozens, if not a
hundred, people all attempting to connect to the same IPSec VPN server, all
essentially using the same source IP address and the same destination IP
address.

The application for this is Ethernet-speed Internet access in a hotel room -
and some hotels have as many as 4000 rooms...

> -----Original Message-----
> From:	Brothers, John [SMTP:johnbr@elastic.com]
> Sent:	Wednesday, January 13, 1999 9:26 AM
> To:	'ipsec@tis.com'
> Subject:	Passing IPSec VPN traffic through a Port-masquerading firewall
> 
> Howdy,
> 
>     I need to support IPSec VPN users through a Linux masquerading
> firewall. The Linux masquerade code converts the "client-side" IP
> addresses into its address, and manipulates the source port in order to
> keep track of who is doing what so it can demasquerade on the way back.
> 
>    Now, I understand that there are two parts to the VPN protocol - the
> initial key exchange at port 500, and then the ESP packets. I know that
> there are multiple-IP-address NAT devices that work with this method, so I
> assume that I can change the IP address of the packets without getting
> into too much trouble. But I have been told that there is no session
> number that I can draw off of to distinguish two clients creating VPN
> tunnels to the same destination server.
> 
>   I have looked at the RFC for ESP, and it seems to support this claim. I
> was wondering if I could potentially use the sequence number as a
> reasonably unique identifier - not perfect, but perhaps ok. Does anyone on
> this list have any other suggestions?
> 
> 	Thanks
> 		John
> 
> 
> -------
> johnbr@elastic.com		- John Brothers	- 	(678) 297 3084
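An added illustration of the problem the thread describes (not code from the thread or from the Linux masquerade implementation): a toy masquerade table that keys UDP on a rewritten source port and ESP on the SPI from the RFC 2406 header. It shows that the IKE exchange on port 500 maps back fine, that the ESP replies cannot be mapped because their SPI was chosen by the client inside IKE and the NAT never saw it, and that the ESP sequence number does not separate two clients either. All addresses, SPIs and packet bytes are constructed.

```python
import struct
ESP_HDR = struct.Struct("!II")   # RFC 2406 ESP header: SPI (4 bytes), sequence number (4 bytes)
MASQ_IP = "198.51.100.1"         # constructed: the masquerade box's outside address

def esp_header(payload):
    """Return (spi, seq); everything after these 8 bytes is ciphertext the NAT cannot read."""
    if len(payload) < ESP_HDR.size:
        raise ValueError("short ESP packet")
    return ESP_HDR.unpack_from(payload)

class Masquerade:
    """Toy masquerade table: UDP/TCP keyed on a rewritten source port, ESP (IP proto 50) on SPI."""
    def __init__(self):
        self.next_port = 61000
        self.by_port = {}   # masqueraded port -> (client ip, client port)
        self.by_spi = {}    # SPI seen outbound -> client ip

    def outbound(self, proto, src, sport, payload):
        if proto in ("udp", "tcp"):
            port = self.next_port
            self.next_port += 1
            self.by_port[port] = (src, sport)
            return (MASQ_IP, port)                  # rewritten source address and port
        spi, _seq = esp_header(payload)
        self.by_spi[spi] = src                      # this SPI was chosen by the server, not the client
        return (MASQ_IP, None)                      # ESP has no port to rewrite

    def inbound(self, proto, dport, payload):
        """Return the internal client for a reply, or None when it cannot be mapped."""
        if proto in ("udp", "tcp"):
            return self.by_port.get(dport, (None, None))[0]
        spi, _seq = esp_header(payload)
        return self.by_spi.get(spi)                 # reply SPI was agreed inside IKE, never seen here

def demo():
    nat = Masquerade()
    # Two guests A and B each negotiate an SA pair with the same server (constructed SPIs).
    a_out, a_in, b_out, b_in = 0x0A000001, 0x0A000002, 0x0B000001, 0x0B000002
    nat.outbound("udp", "10.0.0.11", 500, b"IKE-A")
    nat.outbound("udp", "10.0.0.12", 500, b"IKE-B")
    nat.outbound("esp", "10.0.0.11", None, ESP_HDR.pack(a_out, 1) + b"\x00" * 16)
    nat.outbound("esp", "10.0.0.12", None, ESP_HDR.pack(b_out, 1) + b"\x00" * 16)
    # Replies: the IKE reply demuxes by port; the ESP replies carry client-chosen SPIs.
    udp_ok = nat.inbound("udp", 61000, b"IKE-A") == "10.0.0.11"
    esp_a = nat.inbound("esp", None, ESP_HDR.pack(a_in, 1) + b"\x00" * 16)
    esp_b = nat.inbound("esp", None, ESP_HDR.pack(b_in, 1) + b"\x00" * 16)
    # Sequence numbers: both clients start at 1 and count independently, so they collide.
    seq_collide = esp_header(ESP_HDR.pack(a_out, 1))[1] == esp_header(ESP_HDR.pack(b_out, 1))[1]
    return {"udp_ok": udp_ok, "esp_a": esp_a, "esp_b": esp_b, "seq_collide": seq_collide}
```

Running demo() yields udp_ok True, esp_a and esp_b both None, and seq_collide True, which is exactly the gap the original question asks about.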