New Zealand ADSL Mailing List


Re: ipsec (was RE: nokia m10 # of pinholes)

From: Nicholas Lee <nj.lee-web_at_kiwa.co.nz>
Date: Thu, 4 May 2000 17:38:35 +1200
Message-ID: <003c01bfb58a$fe1708e0$0408a8c0@kiwa.co.nz>

> there has been some (off list aiui) suggestion that
> the m10 may not work with ipsec. this is a result
> of the need for ipsec to look at/modify (?) the ip
> header fields, being compromised by the m10 nat/pat
> action.

This is a fundamental problem between IPSec and NAT. In theory you should
be able to get ESP and NAT to work together. I personally haven't got this
to work, although if I had the time to try with other IPSec implementations I
think I might be able to.

I think my fundamental problem was getting the IPSec to accept the packets
once they'd passed the M10, i.e. the ingress SA internal to the M10. I've
seen mentioned a few products that can actually handle ESP with NAT
rewritten IP headers.

[ESP only hashes the payload, not the headers.]

The current setup is to get a GRE tunnel, and do IPSec over that. I
know Steve <steve@focb.iconz.co.nz> has done something along those lines,
with a c7200 and a linux box.

Personally I've almost managed to get it to work with two openbsd boxes and
GRE tunnels. However I couldn't get transport from network to network to work,
only host to host. At this stage I think it's probably some issues in the
GRE driver code.

Telecom are trialling a M10 to M10 VPN solution at the moment.

> of course since we have deployed a genuine (no flames
> please) firewall behind the adsl modem we don't actually
> need (or want) the m10 to do nat/pat for us.

Join a lot of us.

> but telecom won't allow us to run the m10 in bridge
> mode (something to do with ppp authentication & billing
> - sigh).

Have you read the archives? There was a discussion of this a while back.

> i wonder if we could avoid this difficulty if we swapped
> the m10 for one of the adsl modem pci cards in the
> firewall?

No drivers for a secure robust network OS. 8( I've heard that other DSL
modems are meant to be coming to the market. They might function better.

The other (non) option is routing a public subnet. Unfortunately Telecom
refuses (for technical reasons maybe, I'm not sure) to route such a subnet
across their network. In that possible situation you'd need two IPs for the
M10, one for the internal host, and the network+broadcast IPs.

Currently I've given up on GRE or IPSec and I'm just running vtun
(vtun.sourceforge.net). I might run IPSec over vtun at some later stage or
solve one of the above issues, but I can't be bothered at the moment.

It's definitely worth considering putting some community pressure on
Telecom to provide a workable solution.

Nicholas
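The post's two points, that an integrity check covering the IP header cannot survive NAT while ESP's check (which excludes the outer header) can, and that the remaining obstacle is the receiver's "ingress SA" refusing packets that arrive from the NAT's public address rather than the negotiated peer address, can be shown with a small model. This is an added illustration, not code from the post or any product it mentions; the 12-byte header layout, the 12-byte truncated HMAC tag and the `sa_table` lookup are simplified constructions, not RFC-exact formats.

```python
"""Model of how address rewriting by NAT affects an IPsec-style integrity check.
Constructed illustration: header layout and SA lookup are simplified models."""
import hmac
import hashlib
import socket
import struct

KEY = b"constructed-demo-key"   # shared integrity key (constructed)
PROTO_ESP, PROTO_AH = 50, 51    # real IP protocol numbers for ESP and AH


def ip_header(src, dst, proto):
    """Simplified 12-byte IP header: src(4) dst(4) proto(1) pad(3) (constructed layout)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + bytes([proto, 0, 0, 0])


def icv(data):
    """Integrity check value: truncated HMAC-SHA256 over the covered bytes."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]


def ah_protect(src, dst, payload):
    """AH-style protection: the ICV covers the IP header (addresses included) and payload."""
    hdr = ip_header(src, dst, PROTO_AH)
    return hdr + icv(hdr + payload) + payload


def ah_verify(packet):
    hdr, tag, payload = packet[:12], packet[12:24], packet[24:]
    return hmac.compare_digest(tag, icv(hdr + payload))


def esp_protect(src, dst, spi, payload):
    """ESP-style protection: the ICV covers SPI and payload only; the outer IP header is outside it."""
    hdr = ip_header(src, dst, PROTO_ESP)
    body = struct.pack("!I", spi) + payload
    return hdr + body + icv(body)


def esp_verify(packet):
    body, tag = packet[12:-12], packet[-12:]
    return hmac.compare_digest(tag, icv(body))


def nat_rewrite(packet, public_src):
    """What a NAT gateway does on egress: replace the source address, keep the rest."""
    return socket.inet_aton(public_src) + packet[4:]


def esp_accept(packet, sa_table):
    """Receiver side: the ICV must verify AND (SPI, peer address) must match a known SA.
    Models the 'ingress SA' problem: the SA was set up with the peer's inside address,
    so packets arriving with the NAT's public address are rejected even though the
    ICV is intact. sa_table maps SPI -> expected peer address (constructed model)."""
    if not esp_verify(packet):
        return False
    peer = socket.inet_ntoa(packet[:4])
    spi = struct.unpack("!I", packet[12:16])[0]
    return sa_table.get(spi) == peer


def demo():
    """Run the four cases and return their outcomes as a dict."""
    inside, gateway, public = "192.168.1.10", "203.0.113.5", "198.51.100.7"  # constructed addresses
    payload = b"constructed payload"
    ah = ah_protect(inside, gateway, payload)
    esp = esp_protect(inside, gateway, 0x1000, payload)
    sa_table = {0x1000: inside}   # SA negotiated against the inside address
    return {
        "ah_before_nat": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite(ah, public)),
        "esp_after_nat": esp_verify(nat_rewrite(esp, public)),
        "esp_sa_after_nat": esp_accept(nat_rewrite(esp, public), sa_table),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} {'accepted' if ok else 'rejected'}")
```

The ESP packet's integrity check still passes after the NAT rewrites the source, which is the "ESP only hashes the payload" point; the rejection comes from the SA binding, which is why products that tolerate NAT-rewritten headers have to key the inbound SA on something other than the original peer address.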

Received on Thu May 4 16:48:50 2000
