[Openswan Users] insideLAN behind perimeter net

John A. Sullivan III jsullivan at opensourcedevel.com
Fri Jul 15 09:25:36 CEST 2005


On Fri, 2005-07-15 at 11:35 +0100, sibusiso xolo wrote:
> Greetings,
> 
> I would be grateful for some advice on whether openswan can be configured to 
> work with an inside-LAN attached to a NAT-box behind a perimeter net.  An 
> example diagram is attached.
<snip>
I believe you can.  In the ISCS network security management project
(http://iscs.sourceforge.net), we have done something similar.  In the
gateway configuration screen where the user defines the protected
networks, they can check the Internal NAT box and then give the address
to which the protected network should be NAT'd.

We know that works but that puts the NAT on the gateway.  The advantage
of doing that is we can still implement robust user authentication and
access control on the traffic entering the tunnel rather than living
with simply wide open tunnels (dangerous in today's network security
environment).

I would imagine the same would work if you NAT before the gateway.  If
you NETNAT, you can still implement the same security as we do in ISCS.
If you NAPT, I believe you will lose security granularity, i.e., you
will need one size fits all rules.

There's plenty of documentation on this in the devel-docs section of the
ISCS CVS or tarball on SourceForge.  Hope this helps - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
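To illustrate the granularity point in the reply above, here is an added Python model (not from the thread or the ISCS project; all addresses, the policy and the function names are constructed assumptions). It shows that with 1:1 network NAT the gateway can still apply per-host rules to traffic entering the tunnel, while NAPT collapses every inside host to one source address, so only a one-size-fits-all rule remains possible.

```python
import ipaddress

# Constructed example addresses (assumptions, not from the thread):
INSIDE_LAN = ipaddress.ip_network("192.168.1.0/24")    # inside LAN behind the NAT box
NETMAP_RANGE = ipaddress.ip_network("10.99.1.0/24")    # 1:1 (NETNAT) translation range
NAPT_ADDRESS = ipaddress.ip_address("10.99.0.1")       # single address used by NAPT


def netnat(src):
    """1:1 network NAT: swap the network prefix, keep the host bits."""
    src = ipaddress.ip_address(src)
    if src not in INSIDE_LAN:
        raise ValueError(f"{src} is not on the inside LAN")
    host_bits = int(src) - int(INSIDE_LAN.network_address)
    return ipaddress.ip_address(int(NETMAP_RANGE.network_address) + host_bits)


def napt(src):
    """NAPT (masquerade): every inside host leaves with the same address."""
    if ipaddress.ip_address(src) not in INSIDE_LAN:
        raise ValueError(f"{src} is not on the inside LAN")
    return NAPT_ADDRESS


# Per-host policy the gateway applies to traffic entering the tunnel, written
# against post-NAT sources because that is all the gateway can see.
POLICY = [
    (ipaddress.ip_network("10.99.1.10/32"), "db"),   # only one host may reach the DB
    (ipaddress.ip_network("10.99.1.0/24"), "web"),   # whole LAN may reach the web tier
]


def allowed(post_nat_src, service):
    """True if some policy entry matches the post-NAT source and service."""
    return any(post_nat_src in net and svc == service for net, svc in POLICY)


def distinguishable_hosts(translate, hosts):
    """How many inside hosts the gateway can still tell apart after NAT."""
    return len({translate(h) for h in hosts})


if __name__ == "__main__":
    hosts = ["192.168.1.10", "192.168.1.20", "192.168.1.30"]
    print("NETNAT:", distinguishable_hosts(netnat, hosts), "distinct sources")
    print("NAPT:  ", distinguishable_hosts(napt, hosts), "distinct source")
    print("db from .10 via NETNAT:", allowed(netnat("192.168.1.10"), "db"))
    print("db from .20 via NETNAT:", allowed(netnat("192.168.1.20"), "db"))
```

Under NAPT every host maps to 10.99.0.1, so a rule permitting the DB for one workstation necessarily permits it for the whole LAN.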