Bryan McAninch wrote: > Hi all, > > I am attempting to setup remote access domain login over an IPSec > tunnel. The tunnel is between a Linux firewall with iptables & > openswan, and a windows xp laptop; the internal domain controllers > are 2003 servers. For routing purposes, I need to SNAT the laptop to > one of our internal rfc 1918 addresses on the internal interface of > the firewall. The problem I am encountering is getting the laptop to > successfully log on to the domain, and I'm certain it has something > to do with the SNAT. You should be logging in using Windows LDAP. If you aren't giving the Laptop a valid internal IP, I suppose you'd have to SNAT the incoming traffic to the Linux firewall. Questions: What can't you give the incoming host an internal IP? Do you have two nested networks inside NAT'ed or do you not control the allocation of IP's, or some other reason (no ProxyARP?)? Why can't you login using LDAP or Kerberos? It shouldn't matter if you're snated or not. Can you access ANY service behind the firewall? Do you log all soon to be dropped packets & do you see in the logs any packets getting dropped when trying to login?
