
Re: ipsec through firewalls (was re:INITIAL-CONTACT issues)



If the administrator feels that way, then I think the compromise I'd 
like the architecture to support is this:

(minimal portions of forwarded mail copied...)

>   +-----+        +----+               +-----+
>   | E1  |--------| FW |===INTERNET====| E2  |
>   +-----+        +----+               +-----+

1. Establish an authentication-only connection between E1 and 
FW.  This allows the operator of FW to 'trust' E1 (or not).
2. Somehow (inside the E1->FW tunnel?) E1 is then permitted to
establish a tunnel with E2.

Note this might require something mildly bizarre like running IKE 
_through_ an E1->FW, Auth-only tunnel.  So suddenly I'd want E1 
to allow IKE over 'raw' IP to FW as well as IKE over 'tunnelled' IP to 
E2.

Alternatively, you have two 'butted tunnels', a tunnel from E1-FW, 
Auth-only, and a tunnel from FW to E2, encrypted and such.



Date sent:      	Sat, 08 May 1999 06:49:15 -0700
From:           	"Scott G. Kelly" <sgkelly@ix.netcom.com>

> ... I
> think the only problematic situation is when an end-user behind a firewall
> wants to establish (or permit) a secured session *through* the firewall.
> Some administrators simply refuse, saying "I can't see what's in the
> encrypted traffic, and that's unacceptable". I see no solution in this
> case, since they do not trust their internal systems/users.
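A small model of the two arrangements proposed in the reply above (an auth-only E1->FW tunnel carrying the E1->E2 encrypted traffic, versus 'butted' E1-FW auth-only and FW-E2 encrypted tunnels), added here as an example and not part of the original mail or of any IPsec implementation. The AH and ESP layers are stand-ins (an HMAC ICV and a hash-derived keystream), keys are assumed pre-shared, and the only point shown is what FW can verify versus what it can read in each case.

```python
import hashlib
import hmac
import os

def ah_wrap(key: bytes, inner: bytes) -> bytes:
    """Auth-only tunnel (AH-like): HMAC-SHA256 ICV over the inner datagram, no secrecy."""
    return hmac.new(key, inner, hashlib.sha256).digest() + inner

def ah_unwrap(key: bytes, pkt: bytes) -> bytes:
    """Verify the ICV; a bad ICV means the sender does not hold the E1-FW key."""
    icv, inner = pkt[:32], pkt[32:]
    if not hmac.compare_digest(icv, hmac.new(key, inner, hashlib.sha256).digest()):
        raise ValueError("ICV mismatch: peer not authenticated")
    return inner

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); a stand-in, not a real cipher."""
    out = b""
    for i in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:n]

def esp_wrap(key: bytes, inner: bytes) -> bytes:
    """Encrypted tunnel: nonce || (inner XOR keystream); stand-in for ESP."""
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(key, nonce, len(inner))))
    return nonce + ct

def esp_unwrap(key: bytes, pkt: bytes) -> bytes:
    nonce, ct = pkt[:8], pkt[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def compare_arrangements(msg: bytes) -> dict:
    """Return what FW can verify and read under each arrangement from the mail."""
    k_e1fw, k_e1e2, k_fwe2 = (os.urandom(32) for _ in range(3))  # assumed pre-shared
    # Nested: E1 protects msg for E2 (ESP), then authenticates the result to FW.
    nested = ah_wrap(k_e1fw, esp_wrap(k_e1e2, msg))
    fw_nested = ah_unwrap(k_e1fw, nested)          # verified, but still E2's ciphertext
    e2_nested = esp_unwrap(k_e1e2, fw_nested)
    # Butted: E1->FW auth-only in the clear; FW re-encapsulates FW->E2 encrypted.
    fw_butted = ah_unwrap(k_e1fw, ah_wrap(k_e1fw, msg))  # FW reads the cleartext here
    e2_butted = esp_unwrap(k_fwe2, esp_wrap(k_fwe2, fw_butted))
    return {
        "nested_fw_reads_plaintext": fw_nested == msg,   # False
        "nested_e2_gets_plaintext": e2_nested == msg,    # True
        "butted_fw_reads_plaintext": fw_butted == msg,   # True
        "butted_e2_gets_plaintext": e2_butted == msg,    # True
    }
```

Under the nested arrangement FW can confirm that E1 holds the E1-FW key, but what it forwards is still E2's ciphertext, which is exactly the administrator's objection; the butted arrangement gives FW the cleartext at the cost of making FW a trusted termination point for both sides.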

