
List:       ipfilter
Subject:    NATing incoming IPSec connections?
From:       "neal hamilton" <nealhamiltonjr () yahoo ! com>
Date:       2002-05-27 20:46:30

Just wondering if the new IPF can properly NAT more than one inbound
IPSec tunnel at a time? I tried with, I believe, 3.4.25 and I could not
get my openbsd-3.0/ipf router to forward more than one tunnel at a
time. I was using ESP and IKE on the Checkpoint firewalls.

[inline image: image001.jpg]

As you can see, I only have one routable address, the external interface
of the BSD/IPF router, and have to forward (D-NAT) to my hosts inside the
firewall. The VPN servers are in HA mode and are seen as one VIP, so
I only need to forward to one IP address. I have been able to
forward ONE (1) connection to the VPN server successfully, but no more
simultaneous connections were able to connect. I was told that the
Linksys broadband RTR would work if I put the IP of the VPN servers as
the DMZ host, and it worked. I was able with the Linksys to have many
connections, 253 I believe, simultaneously. I would rather use IPF for
this and have the comfort of having an OpenBSD/IPF firewall as the entry
point, so if anyone has done this before I would appreciate your help.

Thanks in advance.
