Chad Skinner said:
> I am trying to connect my linux box to a cisco VPN. I have the cisco
> client working, but what I was wanting to do was to masq my local net
> through the vpn connection (basically, connection with my linux server and
> then be able to work from my desktop or notebook). The problem is that I
> can not figure out how to masq my local traffic through the cisco client.
> I was wondering if anyone knows if this will work using freeswan for the
> client. One note: I believe the system uses xauth, a group and password
> before I log in, and I found a few old emails stating freeswan does not
> support this. Is this still the case?

run masq behind the vpn gateway. e.g.

client systems -> Masq gateway -> 2nd gateway with VPN

one of my co-workers did it the opposite way for his home (win32 network):

client system(with VPN) -> masq gateway

I think for a similar reason, he couldn't use NAT(to get to the internet)
on the VPN machine so he couldn't install the VPN software on his
gateway. That and his gateway (at the time) was powered by a USB
satellite modem which (at the time at least) cisco's vpn had a bug
preventing it from using USB network devices.

or get cisco's hardware vpn client. cisco goes out of their way to
prevent their software from working with NAT directly so they can
sell you the hardware client which can do full network->network vpns
as opposed to system->network vpns. I think the hardware client runs
about $1k.

I personally prefer vtun for unix<->unix vpns, it supports many
flavors of linux, bsd and solaris(possibly more too). vtun.sourceforge.net.
vtun can operate over tcp or udp(which is handy since some ISPs prevent
it from using UDP). vtun is VERY reliable. I love it. I used to run
vpnd, but that turned out to be very unreliable(ran it for about 2 years).
Switched to vtun almost a year ago, it's been flawless.

freeswan doesn't work well with NAT either(last I tried it was a year ago).
Unless they have implemented the IPSec-over-UDP in which case it may
be now. And if your cisco VPN has this "mode" enabled on its end
chances are you won't be able to get any software to connect to it unless
it can speak the same language.

and last I read the cisco vpn linux client wasn't compatible with
iptables at all (that is, you can't have iptables loaded in the kernel,
let alone use it, or it will break). Perhaps this is fixed now. (I
use ipchains/2.2.19 on all my systems but mention this since redhat ships
2.4.x as their default)

I've only worked with Cisco VPN3005s, others may be different.

nate
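The "client systems -> Masq gateway -> 2nd gateway with VPN" layout from nate's reply, as an added example that is not part of the thread: a small POSIX sh script that prints (rather than applies) the masquerade rules for the first gateway, for either a 2.4/iptables or a 2.2/ipchains kernel. Interface names and all addresses are assumed placeholders; only traffic from the local net toward the remote VPN network is masqueraded, so the 2nd gateway sees it as coming from a host on its own LAN side and never needs a route back to the client subnet.

```shell
#!/bin/sh
# Added example, not code from the original post. Rule generator for the
# "masq gateway" that sits between the client systems and the box running
# the cisco client. Assumed placeholder values; override via environment.
LAN_IF="${LAN_IF:-eth0}"            # interface facing the client systems
LAN_NET="${LAN_NET:-192.168.1.0/24}" # the local net to be masqueraded
OUT_IF="${OUT_IF:-eth1}"            # interface facing the 2nd (VPN) gateway
VPN_GW="${VPN_GW:-192.168.2.1}"     # the 2nd gateway, which runs the VPN client
VPN_NET="${VPN_NET:-10.0.0.0/8}"    # remote network reachable through the VPN

# Print the commands for the chosen backend without executing them.
masq_rules() {
  case "$1" in
    iptables)
      echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
      echo "ip route add $VPN_NET via $VPN_GW dev $OUT_IF"
      # Forward only LAN -> VPN net and the replies; drop everything else.
      echo "iptables -P FORWARD DROP"
      echo "iptables -A FORWARD -i $LAN_IF -o $OUT_IF -s $LAN_NET -d $VPN_NET -j ACCEPT"
      echo "iptables -A FORWARD -i $OUT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
      # Masquerade only toward the VPN network, not all outbound traffic.
      echo "iptables -t nat -A POSTROUTING -o $OUT_IF -s $LAN_NET -d $VPN_NET -j MASQUERADE"
      ;;
    ipchains)
      echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
      echo "route add -net $VPN_NET gw $VPN_GW dev $OUT_IF"
      # In ipchains the forward chain's -i is the outgoing interface.
      echo "ipchains -P forward DENY"
      echo "ipchains -A forward -i $OUT_IF -s $LAN_NET -d $VPN_NET -j MASQ"
      ;;
    *)
      echo "unknown backend: $1 (use iptables or ipchains)" >&2
      return 1
      ;;
  esac
}

# Number of commands that would be emitted; a quick self-check before applying.
rule_count() { masq_rules "$1" | wc -l | tr -d ' '; }

# Usage (as root, after reviewing the output):  sh masq.sh iptables | sh
if [ -n "${1:-}" ]; then masq_rules "$1"; fi
```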




-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list