Re: ipsec through firewalls (was re:INITIAL-CONTACT issues)
If the administrator feels that way, then I think the compromise I'd
like the architecture to support is this:
(minimal portions of forwarded mail copied...)
> +----+        +----+               +----+
> | E1 |--------| FW |===INTERNET====| E2 |
> +----+        +----+               +----+
1. Establish an authentication-only connection between E1 and
FW. This allows the operator of FW to 'trust' E1 (or not)
2. Somehow (inside the E1->FW tunnel?) E1 is then permitted to
establish a tunnel with E2.
Note this might require something mildly bizarre like running IKE
_through_ an E1->FW, Auth-only tunnel. So suddenly I'd want E1
to allow IKE over 'raw' IP to FW as well as IKE over 'tunnelled' IP to
E2.
Alternatively, you have two 'butted tunnels', a tunnel from E1-FW,
Auth-only, and a tunnel from FW to E2, encrypted and such.
Date sent: Sat, 08 May 1999 06:49:15 -0700
From: "Scott G. Kelly" <sgkelly@ix.netcom.com>
> ... I
> think the only problematic situation is when an end-user behind a firewall
> wants to establish (or permit) a secured session *through* the firewall.
> Some administrators simply refuse, saying "I can't see what's in the
> encrypted traffic, and that's unacceptable". I see no solution in this
> case, since they do not trust their internal systems/users.
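The two layerings proposed in the reply above, modelled in Python as an added example (this is not code from the thread, nor from any IPsec implementation). Option 1 nests the E1->E2 encrypted SA inside the E1->FW auth-only SA, so FW can verify that a packet really came from E1 but sees only ciphertext inside; IKE toward E2 would travel the same path. Option 2 is the "butted tunnels" variant, where FW terminates the auth-only SA, sees the clear payload, and re-protects it toward E2. Keys, SPIs, the sample payload and the toy cipher (a SHA-256 counter keystream plus truncated HMAC) are all constructed stand-ins, not real AH/ESP formats:

```python
import hashlib
import hmac
import struct

# Constructed keys for the model (assumption: in practice IKE would negotiate them).
K_E1_FW = hashlib.sha256(b"E1-FW auth-only SA").digest()   # shared by E1 and FW
K_E1_E2 = hashlib.sha256(b"E1-E2 encrypted SA").digest()   # shared by E1 and E2 only
K_FW_E2 = hashlib.sha256(b"FW-E2 encrypted SA").digest()   # butted case: FW and E2

ICV_LEN = 16   # truncated HMAC-SHA256 tag


def _icv(key, data):
    """Integrity check value: truncated HMAC-SHA256 (toy stand-in for AH/ESP auth)."""
    return hmac.new(key + b"|auth", data, hashlib.sha256).digest()[:ICV_LEN]


def _keystream(key, spi, seq, n):
    """Toy counter-mode keystream from SHA-256; stands in for ESP's real cipher."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + b"|enc" + struct.pack(">III", spi, seq, ctr)).digest()
        ctr += 1
    return out[:n]


def ah_encap(payload, key, spi, seq):
    """Auth-only SA: header + ICV over header and payload; payload stays in the clear."""
    hdr = struct.pack(">II", spi, seq)
    return hdr + _icv(key, hdr + payload) + payload


def ah_decap(packet, key):
    hdr, icv, payload = packet[:8], packet[8:8 + ICV_LEN], packet[8 + ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(key, hdr + payload)):
        raise ValueError("auth-only SA: integrity check failed")
    return payload


def esp_encap(plaintext, key, spi, seq):
    """Encrypted SA: header + ciphertext + ICV (encrypt-then-MAC, as ESP does)."""
    hdr = struct.pack(">II", spi, seq)
    ks = _keystream(key, spi, seq, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return hdr + ct + _icv(key, hdr + ct)


def esp_decap(packet, key):
    hdr, ct, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(key, hdr + ct)):
        raise ValueError("encrypted SA: integrity check failed")
    spi, seq = struct.unpack(">II", hdr)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, spi, seq, len(ct))))


# --- Option 1: E1->E2 encrypted SA nested inside the E1->FW auth-only SA ---

def nested_e1_send(data, seq=1):
    inner = esp_encap(data, K_E1_E2, 0x1002, seq)    # only E2 can open this
    return ah_encap(inner, K_E1_FW, 0x1001, seq)     # FW can verify this came from E1


def nested_fw_forward(packet):
    """FW authenticates E1 and forwards the inner packet; it never sees plaintext."""
    return ah_decap(packet, K_E1_FW)


def nested_e2_receive(packet):
    return esp_decap(packet, K_E1_E2)


# --- Option 2: two butted tunnels, E1->FW auth-only then FW->E2 encrypted ---

def butted_e1_send(data, seq=1):
    return ah_encap(data, K_E1_FW, 0x1001, seq)      # plaintext visible to FW


def butted_fw_forward(packet, seq=1):
    """FW authenticates E1, inspects the clear payload, re-protects it toward E2."""
    clear = ah_decap(packet, K_E1_FW)
    return esp_encap(clear, K_FW_E2, 0x2001, seq), clear


def butted_e2_receive(packet):
    return esp_decap(packet, K_FW_E2)


if __name__ == "__main__":
    msg = b"GET /internal/report HTTP/1.0"   # constructed sample payload
    relayed = nested_fw_forward(nested_e1_send(msg))
    print("nested: FW sees plaintext?", msg in relayed, "| E2 got:", nested_e2_receive(relayed))
    relayed, seen = butted_fw_forward(butted_e1_send(msg))
    print("butted: FW sees plaintext?", seen == msg, "| E2 got:", butted_e2_receive(relayed))
```

The contrast is the point of the model: in the nested layering FW gets exactly what the reply asks for (proof that the traffic is E1's, and nothing more), while in the butted layering FW holds a key for each hop and so sees everything, which is what the administrator quoted above wants and what the end user may not.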