Subject: Re: tunnelling and IPNAT (Or IPsec wishing)
To: Curt Sampson <cjs@cynic.net>
From: David Brownlee <abs@netbsd.org>
List: tech-net
Date: 05/15/2003 16:01:20
On Thu, 8 May 2003, Curt Sampson wrote:
> On Wed, 7 May 2003, David Brownlee wrote:
>
> > [internal]------[ IPNAT ]--<Internet>--[ IPNAT ]------[internal]
> > [ hostsA ]      [gatewayA]             [gatewayB]      [ hostsB ]
> >
> > I want to secure traffic between the two networks....
> > If incoming IPsec was processed before IPNAT, and outgoing IPNAT
> > before IPsec then it should be feasible, or (as is likely) am I
> > missing something?
>
> I don't see where NAT is involved at all. Just run IPSec in tunnel
> mode between A and B (or use a GRE tunnel between A and B, and encrypt
> communications between A and B with non-tunnel-mode IPSec) and you're set.
>
> Just don't expect to be able to use IPFilter on any of the traffic
> between the two hosts or networks.
The problem is that this allows the two gateways to talk, but internal
hostsA cannot connect to gatewayB. I'm working on switching some
boxes to current to test Darren's latest patches which should do
exactly what I need :)
--
David/absolute -- www.netbsd.org: No hype required --
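Curt's suggestion (IPsec tunnel mode between the two gateways covering both internal networks), written out as a setkey(8) SPD fragment. This is an added example, not configuration from the thread; the internal prefixes and gateway addresses are placeholders. It also makes David's objection visible: gatewayB's own addresses fall outside the net-to-net selectors, so hostsA-to-gatewayB traffic is not matched by these policies.

```conf
# Added example (placeholder addresses): tunnel-mode ESP between gatewayA and gatewayB
# protecting traffic between the two internal networks.
#   hostsA net : 10.1.0.0/16   gatewayA outside address : 203.0.113.1
#   hostsB net : 10.2.0.0/16   gatewayB outside address : 198.51.100.1
# Loaded on gatewayA with: setkey -f <this file>

spdflush;

# hostsA -> hostsB: encapsulate in ESP, outer header gatewayA -> gatewayB.
spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;

# hostsB -> hostsA: require ESP from gatewayB on the way in.
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;

# Note: a packet from a hostsA machine addressed to gatewayB itself
# (198.51.100.1, or its internal-side address) matches neither selector
# above and is sent in the clear through IPNAT; that is the gap the reply
# describes. Keying (SAD entries or a racoon/IKE daemon) is not shown.
```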