Exactly. The best solution is to just talk to the VPN people and find out what their setup is. VPN is a broad and vague term and can mean anything.

----- Original Message -----
From: "urgrue" <urgrue@xxxxxxxxx>
To: <linux-admin@xxxxxxxxxxxxxxx>
Cc: "Tony Gogoi" <tgogoi@xxxxxxxxxxxxxxx>
Sent: Tuesday, August 17, 2004 4:51 AM
Subject: Re: VPN question

> This is all true, but one thing to check before embarking on this
> rather large project is whether your VPN falls into this category of
> "can't be NATted VPNs" in the first place.
> Of the VPN solutions I've used, only IPSEC minds if the IPs are NATted,
> and if I remember correctly, IPSEC minds even if it's a one-to-one NAT.
>
> So I'd suggest you simply configure your router/firewall to NAT all
> those internal IPs to the same external IP and see if it works, before
> starting to set up a more complicated solution.
>
> > Ok, so you are CLIENTS connecting to a VPN server. That whole
> > scenario you were speaking of is called NAT (private ip addresses are
> > mapped to a single public ip address. The router/firewall keeps
> > track of the connections).
> >
> > That is not the problem though. The issue is that some encryption
> > technologies do not allow the connections to be NATed because your
> > data packets are "mangled" to achieve this, and the encryption
> > protocol requires packets to be unmodified so as to verify integrity.
> >
> > You have two options. The first option is to get the people hosting
> > the VPN server to change what they are doing into something more NAT
> > friendly (but loses a level of security) or work with them to set up
> > a vpn server in your network that builds a connection with their vpn
> > server. Then, you set up info on your routing tables to route over
> > it. This way, you have a single VPN connection, and all your
> > clients send data over it.
> >
> > ----- Original Message -----
> > From: "Tony Gogoi" <tgogoi@xxxxxxxxxxxxxxx>
> > To: "Adam Lang" <aalang@xxxxxxxxxxxxxxxxxxxx>
> > Cc: <linux-admin@xxxxxxxxxxxxxxx>
> > Sent: Monday, August 16, 2004 2:50 PM
> > Subject: Re: VPN question
> >
> > > Hi Adam,
> > >
> > > I'm not too familiar with VPNs.
> > >
> > > But our PC's sit on a LAN behind a firewall. A few PC's are VPN
> > > clients. Right now we have configured our firewall to map VPN
> > > clients on the private LAN to static external IP addresses. The
> > > rest of the PC's on the LAN are mapped to a single IP address. We
> > > are running out of external IP addresses. Was wondering if there
> > > was a way out instead of having to buy more IP addresses.
> > >
> > > So, I was wondering if there's a set up that could make our PC's
> > > connect to some sort of VPN server at our end which would act as a
> > > gateway to the actual server located far away.
> > >
> > > Regards,
> > > Tony
> > >
> > > On Mon, 16 Aug 2004, Adam Lang wrote:
> > >
> > > > Obvious first question is: why is it a problem?
> > > >
> > > > ----- Original Message -----
> > > > From: "Tony Gogoi" <tgogoi@xxxxxxxxxxxxxxx>
> > > > To: <linux-admin@xxxxxxxxxxxxxxx>
> > > > Sent: Monday, August 16, 2004 12:30 PM
> > > > Subject: VPN question
> > > >
> > > > > Hello,
> > > > >
> > > > > Right now when we use the VPN each of our computers needs a
> > > > > unique external IP-address to communicate with the server.
> > > > >
> > > > > To overcome the problem of having a few external IP addresses,
> > > > > I was wondering if there's any software that would map all
> > > > > client's external IP addresses to one unique IP address and
> > > > > communicate with the server through another software that would
> > > > > "decrypt" the unique IP address into individual ones.
> > > > >
> > > > > Regards,
> > > > > Tony Gogoi
> > > > > -
> > > > > : send the line "unsubscribe linux-admin" in
> > > > > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > > > > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > >
> > > Tony Gogoi
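To make the integrity point in the thread concrete, here is an added Python model (constructed for this page, not code from any poster) of an AH-style integrity check value computed over the IP header with only the mutable fields (TTL, header checksum) zeroed, the way AH treats them. An ordinary router hop still verifies, while any hop that rewrites the source address, whether many-to-one or one-to-one NAT, fails verification; the key, addresses and payload are constructed placeholders.

```python
import hashlib
import hmac
import struct

IPV4_FMT = "!BBHHHBBH4s4s"      # 20-byte IPv4 header, no options
KEY = b"constructed-demo-key"    # constructed; real IPsec keys are negotiated by IKE

def pack_with_checksum(fields: list) -> bytes:
    """Pack the header and fill in the ones'-complement header checksum (RFC 791)."""
    fields[7] = 0
    total = sum(struct.unpack("!10H", struct.pack(IPV4_FMT, *fields)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    fields[7] = ~total & 0xFFFF
    return struct.pack(IPV4_FMT, *fields)

def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header carrying an AH (protocol 51) payload."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, 51, 0,
              bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))]
    return pack_with_checksum(fields)

def ah_covered_bytes(hdr: bytes) -> bytes:
    """AH authenticates the header with mutable fields zeroed; addresses count as immutable."""
    fields = list(struct.unpack(IPV4_FMT, hdr))
    fields[5] = 0   # TTL is decremented at every hop
    fields[7] = 0   # header checksum is recomputed at every hop
    return struct.pack(IPV4_FMT, *fields)

def compute_icv(hdr: bytes, payload: bytes) -> bytes:
    return hmac.new(KEY, ah_covered_bytes(hdr) + payload, hashlib.sha256).digest()

def forward(hdr: bytes, new_src: str = "") -> bytes:
    """One hop: decrement TTL and fix the checksum; a NAT hop also rewrites the source."""
    fields = list(struct.unpack(IPV4_FMT, hdr))
    fields[5] -= 1
    if new_src:
        fields[8] = bytes(map(int, new_src.split(".")))
    return pack_with_checksum(fields)

def receiver_accepts(hdr: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(compute_icv(hdr, payload), icv)

def demo() -> tuple:
    payload = b"constructed AH payload"
    hdr = build_ipv4_header("192.168.1.10", "203.0.113.5", len(payload))
    icv = compute_icv(hdr, payload)  # computed by the VPN client before sending
    # plain router hop (TTL/checksum only) vs. NAT hop (source address rewritten)
    return (receiver_accepts(forward(hdr), payload, icv),
            receiver_accepts(forward(hdr, new_src="198.51.100.7"), payload, icv))
```

demo() returns (True, False): the router hop verifies, the NAT hop does not, regardless of whether the rewrite is to a shared or a dedicated external address.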