Hi Brandis,

> Hello...
>
> Is there a way to make an IPsec tunnel over a masqueraded gw? Something like
> PPTP support for masq?

IPsec is designed to protect against "tampering" with the packets, and that
includes NAT. Also, the IKE protocol makes assumptions about the IP addresses
of machines, which are violated by NAT. So "normal" IPsec cannot be run over
NAT, as far as I'm aware. Nothing in iptables would be able to fix that.

There is a draft IETF standard for IPsec NAT traversal (also called NAT-T),
which encapsulates the IPsec packets in UDP to protect them from NAT. Some
IPsec implementations have built-in support for this, and some, such as
FreeSWAN, have optional patches to add support. It will only work if both
ends support it, but it may be what you want.

Cheers, Chris.

--
Chris Wilson -- UNIX Firewall Lead Developer
NetServers.co.uk http://www.netservers.co.uk
21 Signet Court, Cambridge, UK. 01223 576516
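As an added illustration of the three points in the reply above (it is not code from the original thread, from FreeSWAN, or from any IPsec stack), here is a toy Python model of what a masquerading gateway does to an IPsec packet. It uses an HMAC-SHA256 stand-in for the AH/ESP integrity check, a simplified NAT-D hash in the shape the IKE NAT-T draft describes (hash over the IKE cookies, IP address and port), and constructed addresses, keys and cookies; none of those values come from the thread. It shows that an AH-style ICV over the IP header fails once the source address is rewritten, that UDP-encapsulated ESP still verifies because its ICV never covered the outer header, and how an IKE peer notices that a NAT sits between the endpoints.

```python
"""Toy model: plain IPsec vs. UDP-encapsulated IPsec behind a masquerading
gateway.  Added example, not code from the original mailing-list thread.
Addresses, keys and IKE cookies below are constructed for illustration."""
import hashlib
import hmac
import struct

# Constructed sample values (hypothetical, not from the thread).
KEY = b"shared-sa-key-example"
PRIVATE_IP, PUBLIC_IP, PEER_IP = "10.0.0.5", "203.0.113.7", "198.51.100.9"


def ah_icv(key, src, dst, payload):
    """AH-style ICV: covers the immutable IP header fields (src, dst) plus the
    payload, so any rewrite of the source address invalidates it."""
    return hmac.new(key, src.encode() + dst.encode() + payload, hashlib.sha256).digest()


def ah_protect(key, src, dst, payload):
    return {"src": src, "dst": dst, "payload": payload, "icv": ah_icv(key, src, dst, payload)}


def ah_verify(key, pkt):
    return hmac.compare_digest(pkt["icv"], ah_icv(key, pkt["src"], pkt["dst"], pkt["payload"]))


def masquerade(pkt, public_ip, new_sport=None):
    """What a masquerading gateway does: rewrite the outer source address and,
    if the packet is UDP, usually the source port.  It cannot fix the ICV."""
    out = dict(pkt)
    out["src"] = public_ip
    if new_sport is not None and "sport" in out:
        out["sport"] = new_sport
    return out


def esp_udp_protect(key, src, dst, spi, seq, ciphertext):
    """ESP wrapped in UDP (NAT-T).  The ESP ICV covers SPI, sequence number
    and ciphertext only, never the outer IP/UDP header the NAT rewrites."""
    icv = hmac.new(key, struct.pack("!II", spi, seq) + ciphertext, hashlib.sha256).digest()
    return {"src": src, "dst": dst, "sport": 4500, "dport": 4500,
            "esp": {"spi": spi, "seq": seq, "ct": ciphertext, "icv": icv}}


def esp_udp_verify(key, pkt):
    e = pkt["esp"]
    expected = hmac.new(key, struct.pack("!II", e["spi"], e["seq"]) + e["ct"], hashlib.sha256).digest()
    return hmac.compare_digest(e["icv"], expected)


def nat_d(cky_i, cky_r, ip, port):
    """Simplified IKE NAT-D payload: hash(cookie_i | cookie_r | IP | port) as
    the sender sees its own address.  The receiver recomputes it from the
    address and port the packet actually arrived with."""
    ip_bytes = bytes(int(octet) for octet in ip.split("."))
    return hashlib.sha1(cky_i + cky_r + ip_bytes + struct.pack("!H", port)).digest()


def nat_detected(cky_i, cky_r, sent_hash, observed_ip, observed_port):
    """A mismatch means something between the peers rewrote address or port,
    so the peers should switch to UDP encapsulation."""
    return not hmac.compare_digest(sent_hash, nat_d(cky_i, cky_r, observed_ip, observed_port))


def demo():
    # 1. AH-style packet: the gateway rewrites src, the peer's check fails.
    ah = ah_protect(KEY, PRIVATE_IP, PEER_IP, b"ping")
    ah_after_nat = masquerade(ah, PUBLIC_IP)
    # 2. ESP in UDP: outer address and port rewritten, inner ESP untouched.
    esp = esp_udp_protect(KEY, PRIVATE_IP, PEER_IP, 0x1000, 1, b"\x8a" * 16)
    esp_after_nat = masquerade(esp, PUBLIC_IP, new_sport=61234)
    # 3. IKE NAT-D: initiator hashes its private address; the responder hashes
    #    the public address it actually saw the packet come from.
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8
    sent = nat_d(cky_i, cky_r, PRIVATE_IP, 500)
    return {
        "ah_ok_direct": ah_verify(KEY, ah),
        "ah_ok_behind_nat": ah_verify(KEY, ah_after_nat),
        "esp_udp_ok_behind_nat": esp_udp_verify(KEY, esp_after_nat),
        "nat_detected": nat_detected(cky_i, cky_r, sent, PUBLIC_IP, 500),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model deliberately leaves out the other reason plain ESP fails behind masquerading, namely that ESP carries no port numbers for the gateway to multiplex on; the UDP wrapper solves that too, which is why both ends must speak NAT-T for the tunnel to come up.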