[SunHELP] IPSec and firewalls
sunhelp at sunhelp.org
Wed Mar 7 16:18:38 CST 2001
There is a possibility. As far as I know, as long as the client is only
using ESP (RFC 2406) you should be fine. If the client is using AH (RFC
2402) it can't work because AH guarantees packet integrity; using NAT
in this configuration breaks it. I'm still not convinced it will work,
because without being able to modify the firewall at all you cannot
set up NAPT, so ESP shouldn't work either. I would say NO, but I can't
think of a 100% way that it wouldn't work.
-Blake
-----Original Message-----
From: jon [mailto:jon at tertial.org]
Sent: Wednesday, March 07, 2001 10:46 AM
To: sunhelp
Cc: jon
Subject: RE: [SunHELP] IPSec and firewalls
> i don't know a whole lot about IPSec, so, is it possible to have the machine
> at work initiate the tunnel so that it can get out of the firewall and connect
> to my home machine? on what port would it be connecting to so i can allow
> a connection to that port and redirect it to the correct machine at home.
It's been a while since I touched IPSEC, but ISTR that it uses a totally
different IP type (i.e. not TCP nor UDP) called ESP (Encapsulated Payload). It
will be this that you need to forward at your firewall to your Solaris machine.
As to how you'd go about doing this - I'm afraid I haven't got a clue!
I suppose if the IPSEC doesn't work out so good, you could always try the PPP
over SSH-style kludge.
J.
--
Jon Still E-mail: jon at tertial.org
System Administrator Web: http://www.tertial.org/
tertial.org
_______________________________________________
SunHELP maillist - SunHELP at sunhelp.org
http://www.sunhelp.org/mailman/listinfo/sunhelp
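The AH-versus-ESP integrity point raised in this thread, as an added example that is not part of either poster's message: a simplified Python model of which bytes each integrity check value (ICV) covers, run before and after a source-NAT rewrite. The key, addresses, SPI and payload are constructed, the ESP payload is not actually encrypted, and HMAC-SHA-1-96 is assumed as the authenticator.

```python
import hmac, hashlib, socket, struct

KEY = b"constructed-demo-key"   # constructed sample key
AH, ESP = 51, 50                # IP protocol numbers
FMT = "!BBHHHBBH4s4s"           # 20-byte IPv4 header, no options

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build an IPv4 header with a valid header checksum."""
    hdr = struct.pack(FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = sum(struct.unpack("!10H", hdr))
    csum = (csum & 0xFFFF) + (csum >> 16)
    csum = ~((csum & 0xFFFF) + (csum >> 16)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

def icv(data):
    """HMAC-SHA-1 truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(ip_hdr, ah_fixed, payload):
    """AH covers the outer IP header (mutable fields zeroed), the AH
    header with a zeroed ICV field, and the payload."""
    h = bytearray(ip_hdr)
    h[1] = 0                              # TOS
    h[6:8] = b"\0\0"                      # flags + fragment offset
    h[8] = 0                              # TTL
    h[10:12] = b"\0\0"                    # header checksum
    return icv(bytes(h) + ah_fixed + b"\0" * 12 + payload)

def esp_icv(esp_hdr, body):
    """ESP authentication covers the ESP header and payload only."""
    return icv(esp_hdr + body)

def nat_rewrite(ip_hdr, new_src):
    """Source NAT: swap the source address and recompute the checksum."""
    f = struct.unpack(FMT, ip_hdr)
    return ipv4_header(new_src, socket.inet_ntoa(f[9]), f[6], f[2] - 20, f[5])

def survives_nat(proto, public_src="198.51.100.7"):
    """True if the receiver's ICV check still passes after source NAT."""
    body = b"constructed payload"
    if proto == AH:
        sec_hdr = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1)  # next hdr, len, rsvd, SPI, seq
        compute = lambda ip: ah_icv(ip, sec_hdr, body)
    else:
        sec_hdr = struct.pack("!II", 0x1000, 1)              # SPI, seq
        compute = lambda ip: esp_icv(sec_hdr, body)
    sent = ipv4_header("192.168.1.10", "203.0.113.5", proto, len(sec_hdr) + 12 + len(body))
    received = nat_rewrite(sent, public_src)
    return hmac.compare_digest(compute(sent), compute(received))
```

The model covers the integrity check only; it does not address how a port-translating firewall would forward a protocol that has no ports.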