From: Tom E. <te...@sh...> - 2006-01-12 15:45:35
On Wednesday 11 January 2006 08:15, Frédéric Cornu wrote:
> My ip 192.168.50.160.
> I need to connect to the remote network, in a vpn.
> But the remote firewall that will allow me the connection, waits for an
> input from 199.64.69.7 (this ip does not exist in my network).
> So I need to use s-nat to replace my ip with 199.64.69.7 when trying to
> connect to the remote network, so the remote firewall will recognize me and
> begin the security transaction with my firewall and then create the vpn
> tunnel.

If your problem is that the remote end only accepts ISAKMP from 199.64.69.7
then there is no way to do what you are asking. If the problem is that the
remote end will only negotiate security associations in which the remote IP
address is 199.64.69.7 then you can TRY this (I have no idea if it will work
or not because even with the Netfilter-IPSEC patches, I don't believe that
the integration between the two is complete)

/etc/shorewall/masq:

    eth0:<remote network>    eth1    199.64.69.7

You cannot specify 'Yes' in the IPSEC column because traffic from your local
network to the remote network will not match any negotiated SA.

And PLEASE KEEP THIS DISCUSSION ON THE MAILING LIST. I don't provide private
consulting to Shorewall users.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ te...@sh...
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key