New Zealand ADSL Mailing List


ipsec (was RE: nokia m10 # of pinholes)

From: Mark Evans (DSLWN) <mark.evans_at_datacom.co.nz>
Date: Thu, 4 May 2000 15:50:15 +1200
Message-ID: <B1745362@dslak11.datacom.co.nz>
Message-ID: <55AC387C05CAD311946200508BA593E0566BC7@DSLWG2>

me> From: Mark Evans (DSLWN)
me> Subject: RE: nokia m10 # of pinholes

there has been some (off list aiui) suggestion that
the m10 may not work with ipsec. this is a result
of the need for ipsec to look at/modify (?) the ip
header fields, being compromised by the m10 nat/pat
action.

me> this will be both checkpoint securemote client to
me> firewall-1 server and firewall-1 to firewall-1 vpns

of course since we have deployed a genuine (no flames
please) firewall behind the adsl modem we don't actually
need (or want) the m10 to do nat/pat for us.

given this we would much prefer to run the m10 in bridged
mode. this would cause it to leave the ip headers alone
and let the firewall both look after the protection of
the internal net _and_ deliver the vpn/ipsec solution.

but telecom won't allow us to run the m10 in bridge
mode (something to do with ppp authentication & billing
- sigh).

i wonder if we could avoid this difficulty if we swapped
the m10 for one of the adsl modem pci cards in the
firewall?

cheers,

-- 
me - mark.evans@datacom.co.nz
Received on Thu May 4 14:52:05 2000
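
An added example, not part of the original post, modelling the concern raised above for the IPsec AH case: the sender's integrity check value (ICV) covers the IP source address, so a NAT/PAT rewrite invalidates it while an ordinary routed hop does not. It is simplified (the AH header's own fields are left out of the ICV), and the key, addresses and payload are constructed.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"   # constructed; stands in for the SA's auth key
FMT = "!BBHHHBBH4s4s"           # 20-byte IPv4 header, no options

def ipv4_header(src, dst, ttl, payload_len, proto=51):   # 51 = AH
    """Build an IPv4 header with a correct header checksum."""
    def pack(csum):
        return struct.pack(FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto,
                           csum, socket.inet_aton(src), socket.inet_aton(dst))
    total = sum(struct.unpack("!10H", pack(0)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return pack(~total & 0xFFFF)

def ah_icv(header, payload, key=KEY):
    """ICV over the header with mutable fields zeroed, plus the payload."""
    h = bytearray(header)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return hmac.new(key, bytes(h) + payload, hashlib.sha1).digest()[:12]

def forward(header, new_src=None):
    """One hop: decrement TTL; if new_src is given, also NAT the source."""
    _, _, length, _, _, ttl, proto, _, src, dst = struct.unpack(FMT, header)
    src = new_src or socket.inet_ntoa(src)
    return ipv4_header(src, socket.inet_ntoa(dst), ttl - 1, length - 20, proto)

def receiver_accepts(header, payload, icv):
    """Recompute the ICV over the header as received and compare."""
    return hmac.compare_digest(ah_icv(header, payload), icv)

def demo():
    payload = b"constructed payload"
    sent = ipv4_header("192.168.1.10", "203.0.113.5", 64, len(payload))
    icv = ah_icv(sent, payload)                      # computed by the sender
    routed = forward(sent)                           # bridged/routed path
    natted = forward(sent, new_src="198.51.100.7")   # path through NAT/PAT
    return (receiver_accepts(routed, payload, icv),
            receiver_accepts(natted, payload, icv))

if __name__ == "__main__":
    print(demo())
```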
